Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4721
Views
12
Helpful
22
Replies

Can FMC running in vsphere be migrated to AWS?

Go to solution
m1xed0s
Spotlight
Spotlight

‎03-12-2022 09:47 AM

I plan to migrate a FMC running in vsphere to AWS. Initially I plan to: 1. Build the FMC in AWS as brand new; 2. Backup the existing FMC (running v7 already) and then restore the backup in AWS FMC; 3. Login to AWS FMC serial console to change the MGMT IP address.

 

But after reading the FMC migration guide below, I am not too sure my planned process would work…

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide.html 


It shows Azure is not supported but what about AWS? From the guide, the supported migration path doesn’t seem support FMCv as the target no matter what is the source model…

 

So if I read the guide correctly, will I have to do policy export and import in order have the configuration migrated? Plus I donot know if the AWS ec2 serial console would work for FMC instance…

0 Helpful
22 Replies 22

Go to solution
AigarsK
Level 1
Level 1
In response to Marvin Rhoads

‎04-16-2024 06:44 AM - edited ‎04-16-2024 07:10 AM

Thanks Marvin,

Your solution allowed me to migrate FMC 1000 to FMCv. My migration was to FMCv to the same IP address as physical appliance.

High level steps were:
• Deploy new FMCv in virtual environment (mine was Nutanix)
• Provision new FMCv with different IP initially, and perform initial setup, licensing and bring up to the same version and patch level
• On FMCv run "/var/sf/etc/model-info/configure-model.sh" and set it to FMC 1000
• On FMC 1000, perform Management backup and download it to local PC.
• Shut down FMC 1000
• Update FMCv IP address to the IP address previously used by FMC 1000 by using script "/usr/local/sf/bin/configure-network"
• On FMCv I had to edit restore backup script to remove checks causing error "Unable to clear Lights-Out Management user" - detailed workaround in CSCvc05004
• Perform actual restore on FMCv using backup from FMC 1000.
• Revert FMCv model using "/var/sf/etc/model-info/configure-model.sh"

Thing to mention, for Nutanix deployment, it states to use KVM qcow2 disk file, when I was changing model intiall it reported that I was set for OCI, when I finished tasks, I set it to KVM.

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to AigarsK

‎04-16-2024 06:58 AM

Thanks for sharing your experience @AigarsK !

0 Helpful

Go to solution
jbates5873
Level 1
Level 1

‎02-22-2023 05:30 PM

bit of a grave dig on this,

but we are looking to migrate an ESX on-prem instance to Azure.

Based on this thread, and your experience @m1xed0s (even though you were AWS) how did you go? 

Im thinking we may be able to configure the Azure instance to pretend to match on-prem, restore and re-configre to be azure afterwards. Thoughts?

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to jbates5873

‎02-23-2023 06:03 AM

I basically just "converted" the FMCv for AWS to be FMC 1600 and then used the built-in migration tool with the configuration backup. Then "converted" it back to the FMCv for AWS. I would assume the same could be done for Azure but you might also want to have a plan B prepare in case the method did not work for Azure.

0 Helpful

Go to solution
James Petner
Level 1
Level 1

‎03-16-2023 07:58 AM

@Marvin Rhoads @m1xed0s  Wondering if either of you have any experience using the 'fool' model method to setup an FMCv HA pair?

For background I'm trying to do the same FMCv on VMware to FMCv on AWS migration this tread is discussing. In my case the Source and Destination FMCv IPs will be different. According to TAC I'm going to have to deregister my FTDs and then re-register them but I'm obviously trying to avoid any downtime, and this would wipe the config in the process, etc... 

I see in this documentation that FMCv HA is now supported across all platforms and I meet all the requirements and guidelines in this doc. including the software versions and rules versions matching on both FMCv's.  However, when I go to setup the HA I get an error message that says the models don't match because one is on VMware and the other AWS. 

Cisco Secure Firewall Management Center Administration Guide, 7.3 - High Availability [Cisco Secure Firewall Management Center] - Cisco 

Any thoughts or insights would be greatly appreciated! 

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to James Petner

‎03-16-2023 08:48 AM

I have not done any virtual FMC HA and frankly I really do not see any needs for that. 

0 Helpful

Go to solution
James Petner
Level 1
Level 1
In response to m1xed0s

‎03-16-2023 09:10 AM

Totally agree that the HA FMCv is overkill in most cases. I'm just looking to use it as a migration tool for right now. Thanks for the feedback. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to James Petner

‎03-16-2023 09:30 AM

The only FMC HA deployments I have encountered have been hardware-based. I've not migrated any to cloud, HA or otherwise.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card