Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4677
Views
12
Helpful
22
Replies

Can FMC running in vsphere be migrated to AWS?

Go to solution
m1xed0s
Spotlight
Spotlight

‎03-12-2022 09:47 AM

I plan to migrate a FMC running in vsphere to AWS. Initially I plan to: 1. Build the FMC in AWS as brand new; 2. Backup the existing FMC (running v7 already) and then restore the backup in AWS FMC; 3. Login to AWS FMC serial console to change the MGMT IP address.

 

But after reading the FMC migration guide below, I am not too sure my planned process would work…

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide.html 


It shows Azure is not supported but what about AWS? From the guide, the supported migration path doesn’t seem support FMCv as the target no matter what is the source model…

 

So if I read the guide correctly, will I have to do policy export and import in order have the configuration migrated? Plus I donot know if the AWS ec2 serial console would work for FMC instance…

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-14-2022 03:25 AM - edited ‎03-14-2022 03:26 AM

You can temporarily "fool" the Firepower Model Migration Tool by configuring the target FMCv in AWS as a hardware model - an FMC 1600- for example. There is a script that you can run to do this. Run it as root: /var/sf/etc/model-info/configure-model.sh, change the model of the AWS FMC to FMC 1600 and import the backup. After that, rerun the script and revert it to the FMCv for AWS.

root@firepower:/var/sf/backup# /var/sf/etc/model-info/configure-model.sh 

To reset this Cisco Firepower Management Center for VMware to a new model the Cisco Firepower Management Center for VMware
will be stopped and rebooted.

Stop the Cisco Firepower Management Center for VMware to configure new model and reboot? [y/n] y
Stopping Cisco Firepower Management Center for VMware......ok
Please select the model to configure to:

 1) Cisco_Firepower_Management_Center_for_VMware
 2) Cisco_Firepower_Management_Center_for_AWS
 3) Cisco_Firepower_Management_Center_for_KVM
 4) Cisco_Firepower_Management_Center_1000
 5) Cisco_Firepower_Management_Center_2500
 6) Cisco_Firepower_Management_Center_4500
 7) Cisco_Firepower_Management_Center_1600
  Cisco_Firepower_Management_Center_2600
 9) Cisco_Firepower_Management_Center_4600
10) Cisco_Firepower_Management_Center_for_Azure
11) Cisco_Firepower_Management_Center_for_GCP
12) Cisco_Firepower_Management_Center_for_VMWare_300
13) Cisco_Firepower_Management_Center_for_OCI
14) Cisco_Firepower_Management_Center_for_OpenStack
Please select model configure to: 7

Configuring for Cisco Firepower Management Center 1600.

Proceeding with reboot of new Cisco Firepower Management Center 1600.


Broadcast message from root@firepower (pts/0) (Wed Mar  9 14:12:08 2022):

The system is going down for reboot NOW!
root@firepower:/var/sf/backup#

View solution in original post

22 Replies 22

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-12-2022 10:32 AM

I have done deployment in AWS, as per document you get console :

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-aws.html#id_71276

 

Your steps seem to reasonable, you need to the same version, register FTD with the new FMC, before you remove OLD one.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to balaji.bandi

‎03-12-2022 10:37 AM

Cool! It is mainly the migration path doc confused me…

 

so the way to access the AWS FMC serial console would the same as other Linux based EC2 instance?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to m1xed0s

‎03-12-2022 10:51 AM

I believe you get the ability of the same to do the task.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-14-2022 03:25 AM - edited ‎03-14-2022 03:26 AM

You can temporarily "fool" the Firepower Model Migration Tool by configuring the target FMCv in AWS as a hardware model - an FMC 1600- for example. There is a script that you can run to do this. Run it as root: /var/sf/etc/model-info/configure-model.sh, change the model of the AWS FMC to FMC 1600 and import the backup. After that, rerun the script and revert it to the FMCv for AWS.

root@firepower:/var/sf/backup# /var/sf/etc/model-info/configure-model.sh 

To reset this Cisco Firepower Management Center for VMware to a new model the Cisco Firepower Management Center for VMware
will be stopped and rebooted.

Stop the Cisco Firepower Management Center for VMware to configure new model and reboot? [y/n] y
Stopping Cisco Firepower Management Center for VMware......ok
Please select the model to configure to:

 1) Cisco_Firepower_Management_Center_for_VMware
 2) Cisco_Firepower_Management_Center_for_AWS
 3) Cisco_Firepower_Management_Center_for_KVM
 4) Cisco_Firepower_Management_Center_1000
 5) Cisco_Firepower_Management_Center_2500
 6) Cisco_Firepower_Management_Center_4500
 7) Cisco_Firepower_Management_Center_1600
  Cisco_Firepower_Management_Center_2600
 9) Cisco_Firepower_Management_Center_4600
10) Cisco_Firepower_Management_Center_for_Azure
11) Cisco_Firepower_Management_Center_for_GCP
12) Cisco_Firepower_Management_Center_for_VMWare_300
13) Cisco_Firepower_Management_Center_for_OCI
14) Cisco_Firepower_Management_Center_for_OpenStack
Please select model configure to: 7

Configuring for Cisco Firepower Management Center 1600.

Proceeding with reboot of new Cisco Firepower Management Center 1600.


Broadcast message from root@firepower (pts/0) (Wed Mar  9 14:12:08 2022):

The system is going down for reboot NOW!
root@firepower:/var/sf/backup#

Go to solution
m1xed0s
Spotlight
Spotlight
In response to Marvin Rhoads

‎03-14-2022 06:50 AM

Thanks, will give it a try.

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to Marvin Rhoads

‎03-14-2022 12:40 PM - edited ‎03-14-2022 12:47 PM

@Marvin Rhoads If I set the FMC model to be something else other than the FMCv for AWS, say I set it to FMCv for VMware. Wouldnt I be able to just simply restore my backup captured from the FMC running in VMware?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to m1xed0s

‎03-14-2022 08:03 PM

Possibly, but I've never tried that.

On the other hand, I have used the method I suggested successfully on two different FMCs in the past month.

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to Marvin Rhoads

‎03-15-2022 06:25 AM

Thanks for the confirmation!

0 Helpful

Go to solution
bill.whelan
Level 1
Level 1
In response to Marvin Rhoads

‎08-29-2023 11:00 AM

Will this method work when migrating from an FMC 1000 to FMCv?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Freemen

‎03-01-2024 04:21 AM

@Freemen yes - that is correct. Once you are able to migrate using that work around, revert the new FMC to its actual model.

0 Helpful

Go to solution
rayumang
Level 1
Level 1
In response to Marvin Rhoads

‎02-14-2024 11:58 PM

I have tried this approached but after uploading the backup file, I cannot reach the AWS FMC. Sorry but I am just new to this. Read also that you need to access the console of the AWS to replace the management IP. How to do this? 

Appreciate the reply.

Thanks,

Don

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rayumang

‎02-15-2024 08:19 AM

You would have to log into the VM console in AWS and use the configure-network script as root user in expert mode to update the FMC management address.

sudo /usr/local/sf/bin/configure-network

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card