Solved: Re: Can FMC running in vsphere be migrated to AWS? - Page 2

SIMMN · ‎03-12-2022

I plan to migrate a FMC running in vsphere to AWS. Initially I plan to: 1. Build the FMC in AWS as brand new; 2. Backup the existing FMC (running v7 already) and then restore the backup in AWS FMC; 3. Login to AWS FMC serial console to change the MGMT IP address.

But after reading the FMC migration guide below, I am not too sure my planned process would work…

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide.html

It shows Azure is not supported but what about AWS? From the guide, the supported migration path doesn’t seem support FMCv as the target no matter what is the source model…

So if I read the guide correctly, will I have to do policy export and import in order have the configuration migrated? Plus I donot know if the AWS ec2 serial console would work for FMC instance…

AigarsK · ‎04-16-2024

Thanks Marvin,

Your solution allowed me to migrate FMC 1000 to FMCv. My migration was to FMCv to the same IP address as physical appliance.

High level steps were:
• Deploy new FMCv in virtual environment (mine was Nutanix)
• Provision new FMCv with different IP initially, and perform initial setup, licensing and bring up to the same version and patch level
• On FMCv run "/var/sf/etc/model-info/configure-model.sh" and set it to FMC 1000
• On FMC 1000, perform Management backup and download it to local PC.
• Shut down FMC 1000
• Update FMCv IP address to the IP address previously used by FMC 1000 by using script "/usr/local/sf/bin/configure-network"
• On FMCv I had to edit restore backup script to remove checks causing error "Unable to clear Lights-Out Management user" - detailed workaround in CSCvc05004
• Perform actual restore on FMCv using backup from FMC 1000.
• Revert FMCv model using "/var/sf/etc/model-info/configure-model.sh"

Thing to mention, for Nutanix deployment, it states to use KVM qcow2 disk file, when I was changing model initially it reported that it was set for OCI, when I finished tasks, I set it to KVM.

Marvin Rhoads · ‎04-16-2024

Thanks for sharing your experience @AigarsK !

Ivan Zhang · ‎08-04-2024

Hi @AigarsK

Did you experience any downtime when you migrated FMC1000 to FMCv? Thank you.

AigarsK · ‎09-04-2024

No downtime to the devices the FMC managed, there of course is downtime on FMC as I had to shutdown the old one to be able to migrate its IP on the new Virtual FMC instance.

Shamrock · ‎02-27-2025

Marvin, will this work with a migration to Nutanix AHV?

Marvin Rhoads · ‎02-28-2025

@Shamrock yes it will.

jbates5873 · ‎02-22-2023

bit of a grave dig on this,

but we are looking to migrate an ESX on-prem instance to Azure.

Based on this thread, and your experience @SIMMN (even though you were AWS) how did you go?

Im thinking we may be able to configure the Azure instance to pretend to match on-prem, restore and re-configre to be azure afterwards. Thoughts?

SIMMN · ‎02-23-2023

I basically just "converted" the FMCv for AWS to be FMC 1600 and then used the built-in migration tool with the configuration backup. Then "converted" it back to the FMCv for AWS. I would assume the same could be done for Azure but you might also want to have a plan B prepare in case the method did not work for Azure.

James Petner · ‎03-16-2023

@Marvin Rhoads @SIMMN Wondering if either of you have any experience using the 'fool' model method to setup an FMCv HA pair?

For background I'm trying to do the same FMCv on VMware to FMCv on AWS migration this tread is discussing. In my case the Source and Destination FMCv IPs will be different. According to TAC I'm going to have to deregister my FTDs and then re-register them but I'm obviously trying to avoid any downtime, and this would wipe the config in the process, etc...

I see in this documentation that FMCv HA is now supported across all platforms and I meet all the requirements and guidelines in this doc. including the software versions and rules versions matching on both FMCv's. However, when I go to setup the HA I get an error message that says the models don't match because one is on VMware and the other AWS.

Cisco Secure Firewall Management Center Administration Guide, 7.3 - High Availability [Cisco Secure Firewall Management Center] - Cisco

Any thoughts or insights would be greatly appreciated!

SIMMN · ‎03-16-2023

I have not done any virtual FMC HA and frankly I really do not see any needs for that.

James Petner · ‎03-16-2023

Totally agree that the HA FMCv is overkill in most cases. I'm just looking to use it as a migration tool for right now. Thanks for the feedback.

Marvin Rhoads · ‎03-16-2023

The only FMC HA deployments I have encountered have been hardware-based. I've not migrated any to cloud, HA or otherwise.

Ivan Zhang · ‎08-04-2024

Hi guys,

Did you experience any downtime when you migrate the FMC to different model, like FMC1000 to FMCv? Thanks.

modette · ‎04-26-2025

@Marvin Rhoads I just came across this thread, and from what I've read, your steps to "fool" the FMCv model number appear to be what I'm looking for. Can you confirm a few things for me, and share any pointers to ensure successful migration?

I'm migrating FMCv on KVM to FMCv on VMWare. Version is a little old (7.0.x), but I plan on updating to more current.

I'll have to change the IP of the FMCv and update that on the FTD HA Pair as part of the migration.

Thus, I believe the steps are:

create backup of FMCv
install new FMCv on VMWare, bring it up to matching FMC patch level and VDB version.
run script ("/var/sf/etc/model-info/configure-model.sh" and set it to FMC on KVM) to change FMCv on VMWare to temporarily make it run as FMCv on KVM
import backup of FMVc on KVM to new FMCv instance, reboot.
console into new FMCv and run script ("/usr/local/sf/bin/configure-network") to change its IP to new subnet, verify I can log into it on on new IP.
run script ("/var/sf/etc/model-info/configure-model.sh" and set it to FMC on VMWare) to change the new FMCv back to VMWare model.
Verify no errors other than no communication to FTDs
run "configure manager edit" command on FTDs to update them to connect with the FMC. Redeploy policies.

I appreciate your input and shared knowledge and experience.

Marvin Rhoads · ‎04-26-2025

@modette I would suggest first upgrading your FMC on VMware to the most recent suggested release (currently 7.4.2) and patch (7.4.2.2). You will also get the ability to create a device backup from FMC (new feature in 7.1+) in case that ends up being needed.

Your method should work, but I would test on a temporary lab FTDv or less important firewall first just to be sure.