Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9072
Views
12
Helpful
25
Replies

Can FMC running in vsphere be migrated to AWS?

Go to solution
SIMMN
Spotlight
Spotlight

‎03-12-2022 09:47 AM

I plan to migrate a FMC running in vsphere to AWS. Initially I plan to: 1. Build the FMC in AWS as brand new; 2. Backup the existing FMC (running v7 already) and then restore the backup in AWS FMC; 3. Login to AWS FMC serial console to change the MGMT IP address.

 

But after reading the FMC migration guide below, I am not too sure my planned process would work…

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide.html 


It shows Azure is not supported but what about AWS? From the guide, the supported migration path doesn’t seem support FMCv as the target no matter what is the source model…

 

So if I read the guide correctly, will I have to do policy export and import in order have the configuration migrated? Plus I donot know if the AWS ec2 serial console would work for FMC instance…

0 Helpful
25 Replies 25

Go to solution
AigarsK
Level 1
Level 1
In response to Marvin Rhoads

‎04-16-2024 06:44 AM - edited ‎06-24-2024 01:22 AM

Thanks Marvin,

Your solution allowed me to migrate FMC 1000 to FMCv. My migration was to FMCv to the same IP address as physical appliance.

High level steps were:
• Deploy new FMCv in virtual environment (mine was Nutanix)
• Provision new FMCv with different IP initially, and perform initial setup, licensing and bring up to the same version and patch level
• On FMCv run "/var/sf/etc/model-info/configure-model.sh" and set it to FMC 1000
• On FMC 1000, perform Management backup and download it to local PC.
• Shut down FMC 1000
• Update FMCv IP address to the IP address previously used by FMC 1000 by using script "/usr/local/sf/bin/configure-network"
• On FMCv I had to edit restore backup script to remove checks causing error "Unable to clear Lights-Out Management user" - detailed workaround in CSCvc05004
• Perform actual restore on FMCv using backup from FMC 1000.
• Revert FMCv model using "/var/sf/etc/model-info/configure-model.sh"

Thing to mention, for Nutanix deployment, it states to use KVM qcow2 disk file, when I was changing model initially it reported that it was set for OCI, when I finished tasks, I set it to KVM.

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to AigarsK

‎04-16-2024 06:58 AM

Thanks for sharing your experience @AigarsK !

0 Helpful

Go to solution
Ivan Zhang
Level 1
Level 1
In response to AigarsK

‎08-04-2024 10:49 PM

Hi @AigarsK

Did you experience any downtime when you migrated FMC1000 to FMCv? Thank you.

0 Helpful

Go to solution
AigarsK
Level 1
Level 1
In response to Ivan Zhang

‎09-04-2024 05:50 AM

No downtime to the devices the FMC managed, there of course is downtime on FMC as I had to shutdown the old one to be able to migrate its IP on the new Virtual FMC instance.

0 Helpful

Go to solution
jbates5873
Level 1
Level 1

‎02-22-2023 05:30 PM

bit of a grave dig on this,

but we are looking to migrate an ESX on-prem instance to Azure.

Based on this thread, and your experience @SIMMN (even though you were AWS) how did you go? 

Im thinking we may be able to configure the Azure instance to pretend to match on-prem, restore and re-configre to be azure afterwards. Thoughts?

0 Helpful

Go to solution
SIMMN
Spotlight
Spotlight
In response to jbates5873

‎02-23-2023 06:03 AM

I basically just "converted" the FMCv for AWS to be FMC 1600 and then used the built-in migration tool with the configuration backup. Then "converted" it back to the FMCv for AWS. I would assume the same could be done for Azure but you might also want to have a plan B prepare in case the method did not work for Azure.

0 Helpful

Go to solution
James Petner
Level 1
Level 1

‎03-16-2023 07:58 AM

@Marvin Rhoads @SIMMN  Wondering if either of you have any experience using the 'fool' model method to setup an FMCv HA pair?

For background I'm trying to do the same FMCv on VMware to FMCv on AWS migration this tread is discussing. In my case the Source and Destination FMCv IPs will be different. According to TAC I'm going to have to deregister my FTDs and then re-register them but I'm obviously trying to avoid any downtime, and this would wipe the config in the process, etc... 

I see in this documentation that FMCv HA is now supported across all platforms and I meet all the requirements and guidelines in this doc. including the software versions and rules versions matching on both FMCv's.  However, when I go to setup the HA I get an error message that says the models don't match because one is on VMware and the other AWS. 

Cisco Secure Firewall Management Center Administration Guide, 7.3 - High Availability [Cisco Secure Firewall Management Center] - Cisco 

Any thoughts or insights would be greatly appreciated! 

0 Helpful

Go to solution
SIMMN
Spotlight
Spotlight
In response to James Petner

‎03-16-2023 08:48 AM

I have not done any virtual FMC HA and frankly I really do not see any needs for that. 

0 Helpful

Go to solution
James Petner
Level 1
Level 1
In response to SIMMN

‎03-16-2023 09:10 AM

Totally agree that the HA FMCv is overkill in most cases. I'm just looking to use it as a migration tool for right now. Thanks for the feedback. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to James Petner

‎03-16-2023 09:30 AM

The only FMC HA deployments I have encountered have been hardware-based. I've not migrated any to cloud, HA or otherwise.

0 Helpful

Go to solution
Ivan Zhang
Level 1
Level 1

‎08-04-2024 08:11 PM

Hi guys, 

Did you experience any downtime when you migrate the FMC to different model, like FMC1000 to FMCv? Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card