03-24-2021 08:54 AM
We currently have two ASA 5515x's in an Active/Standby failover setup that we will be migrating to the same failover setup with two 1140 FTDs. I see there is a Migration tool for converting the ASA config to FTD. From an install perspective is there any sense in hoping for a zero downtime upgrade considering the failover relationship we have in place? I know I am hoping/asking for a lot.
Thanks
03-24-2021 09:02 AM - edited 03-24-2021 09:19 AM
Have you set static MAC addresses on the ASA interface configuration currently?
Are you terminating any VPNs on the firewalls? If so they would need to re-establish, so that would not be transparent.
I'd plan for a brief outage, make the cutover in a change window, out of hours.
HTH
03-25-2021 12:12 PM
That's not going to work without re-establishing all the connections. There is no way of HA sync between ASA and FTD, hence no sync of sessions.
05-10-2021 02:27 PM
So as I start to think more about this migration I am coming up with more and more questions. I have accepted I am going to have some downtime. I put my thoughts into a TAC call. Here were the questions I had for the tech.
I did not like the tech's answer which was basically to convert the configuration with the migration tool, disconnect the ASAs and reconnect the FTDs with the converted ASA configs. I was really concerned about Step 3. I was hoping for a little more direction. Can the Community answer some of my questions?
Thanks
05-10-2021 09:25 PM - edited 05-10-2021 09:28 PM
1. Run the migration tool with the target as a single standalone Firepower appliance. Then create the HA pair in FMC prior to migration.
2. You can use the same VM provided it is licensed for more than the smallest level (2-device).
3. Not necessary. To get started all the FTDs need is a management IP address to connect and register to FMC. The dataplane interfaces can be fully configured but not connected until cutover time.
4. Local authentication for remote access VPN is not supported for FMC-managed devices as of the current version 6.7. You have to use an AAA server like RADIUS or LDAP/AD (or client certificate). FDM management does support local authentication for remote access VPN and we expect the feature in the next release of FMC (due out in the coming month).
5. The current certificate will need to be rekeyed using a Certificate Signing Request (CSR) from one of the new appliances and then reissued from the signing Certificate Authority (CA). With FTD, the licenses are Smart license type. Your AnyConnect PAKs (assuming they are AnyConnect 4.x with current support) can be shared with your Smart account. Then FMC registers to the account and allocates the licenses to the managed FTD appliances.
Cisco TAC won't convert your configuration. Cisco does offer a firewall deployment service but it's quite pricey - typically used by large enterprise customers with complex configurations.
05-10-2021 02:29 PM
I was also hoping Cisco would convert the config for me. This the tech pretty much ignored.
05-12-2021 08:16 AM
Marvin,
Thanks for the great answers. Unfortunately these have generated more questions... in red.
1. Run the migration tool with the target as a single standalone Firepower appliance. Then create the HA pair in FMC prior to migration.
2. You can use the same VM provided it is licensed for more than the smallest level (2-device). I will check this
3. Not necessary. To get started all the FTDs need is a management IP address to connect and register to FMC. The dataplane interfaces can be fully configured but not connected until cutover time. Should this management IP address be on the same IP subnet as the inside interface of my current ASAs?
4. Local authentication for remote access VPN is not supported for FMC-managed devices as of the current version 6.7. You have to use an AAA server like RADIUS or LDAP/AD (or client certificate). FDM management does support local authentication for remote access VPN and we expect the feature in the next release of FMC (due out in the coming month). It looks like we are going to go with the RADIUS server option for VPN authentication. Can you recommend a good paid-for version? Or is that not necessary?
5. The current certificate will need to be rekeyed using a Certificate Signing Request (CSR) from one of the new appliances and then reissued from the signing Certificate Authority (CA). With FTD, the licenses are Smart license type. Your AnyConnect PAKs (assuming they are AnyConnect 4.x with current support) can be shared with your Smart account. Then FMC registers to the account and allocates the licenses to the managed FTD appliances.
05-12-2021 11:18 AM
The management IP address can be in the same subnet as the inside interface; but if there is a subnet used for such things you can also use that.
For a RADIUS server it depends a lot on your enterprise or organization's setup and where user identities are stored. Most people have AD so they use that directly. Those that don't have AD might use something like Cisco ISE (much more than just a RADIUS server and priced accordingly) at the high end, all the way down to an open source FreeRADIUS server.
05-24-2021 05:29 AM
Marvin,
I have always felt that the Local DB option for our AnyConnect VPN authentication provided an extra security layer. I know it is another administrative link in the chain but it is a price we have been willing to pay for quite some time now. My team and I have discussed this and we still feel this way. So I am looking into enabling the NPS role on one of our MS 2016 servers to do the authentication. It will most likely "not" use our AD for LDAP linking and stay with another username/pw list.
Your thoughts would be appreciated.
Thanks
05-24-2021 11:14 AM
I've heard it argued and tend to agree that using a single identity source of truth is a superior design. The rationale is that when an employee joins, leaves or changes roles, there is one place where their record is created and privileges granted (based on membership in various groups). When you distribute that across multiple systems, each of those systems has to be updated independently to add or remove access. I've seen many local user databases that contain "the guy who used to work here" (often with full admin privileges).
05-24-2021 12:02 PM
And we have had that happen... several times. So I guess we stand at a crossroads here. My fear is if someone (not an employee) knows your AD password they can log in using the AnyConnect client and cause all sorts of mischief. So I am going to guess again this can be fixed with having the users I want to use VPN access in some sort of a group. Sorry to theorize basic stuff but we have never had to deal with this before.
05-24-2021 09:10 PM
Users' local passwords can be compromised just like AD-based passwords can.
Have you considered Multi-Factor Authentication (MFA)?
05-12-2021 01:36 PM
Marvin,
I noticed on my current ASA 5515Xs the management interfaces are connected to the same VLAN as the one my inside interfaces are on but they don't have any addresses assigned to them. I don't really remember why I did this but I think it had something to do with my Firepower setup? Will the management interfaces on the FTDs need to have IP addresses assigned to them?
05-12-2021 09:07 PM
Yes, FTD requires use of the physical management interface.
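As an added example (not from this thread, Cisco's migration tool, or Cisco TAC), here is a small Python script that inventories, from an ASA running-config, the items the replies above say need attention before cutover: interfaces with static MAC addresses (which the HA pair relies on), remote-access tunnel-groups still pointing at the LOCAL user database (not supported on FMC-managed FTD 6.7, so those users have to move to RADIUS/LDAP), local privilege-15 accounts (the "guy who used to work here" problem), trustpoints whose certificate must be re-keyed with a new CSR, and a management interface that has no IP address but will need one on FTD. The configuration excerpt is constructed for the example; the parsing rules and checklist categories are my own assumptions about what is worth checking, not a Cisco procedure.

```python
"""Pre-migration inventory of an ASA running-config (added example)."""

# Constructed sample ASA configuration excerpt; not a real device config.
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 mac-address 0000.5e00.0101 standby 0000.5e00.0102
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface Management0/0
 management-only
 no nameif
 no ip address
!
username vpnuser1 password ***** encrypted privilege 0
username vpnuser2 password ***** encrypted privilege 0
username netadmin password ***** encrypted privilege 15
crypto ca trustpoint VPN-CERT
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair vpn-key
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LOCAL
tunnel-group SITE-B type ipsec-l2l
"""


def _blocks(config):
    """Yield (header, [sub-commands]) for each top-level block; ASA indents
    sub-commands with one space and separates blocks with '!'."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def parse_asa_config(config):
    """Extract interfaces, local users, trustpoints and tunnel-groups."""
    inv = {"interfaces": [], "local_users": [], "trustpoints": [], "tunnel_groups": {}}
    for header, body in _blocks(config):
        words = header.split()
        if words[0] == "interface":
            inv["interfaces"].append({
                "name": words[1],
                "nameif": next((b.split()[1] for b in body if b.startswith("nameif ")), None),
                "static_mac": any(b.startswith("mac-address ") for b in body),
                "has_ip": any(b.startswith("ip address ") for b in body),
            })
        elif words[0] == "username":
            # Privilege defaults to 0 when the keyword is absent.
            priv = int(words[words.index("privilege") + 1]) if "privilege" in words else 0
            inv["local_users"].append({"name": words[1], "privilege": priv})
        elif header.startswith("crypto ca trustpoint "):
            subject = next((b.split(" ", 1)[1] for b in body if b.startswith("subject-name ")), None)
            inv["trustpoints"].append({"name": words[3], "subject": subject})
        elif words[0] == "tunnel-group":
            # "type" and "general-attributes" lines for one group are merged.
            tg = inv["tunnel_groups"].setdefault(words[1], {"type": None, "auth_server_group": None})
            if len(words) >= 4 and words[2] == "type":
                tg["type"] = words[3]
            for b in body:
                if b.startswith("authentication-server-group "):
                    tg["auth_server_group"] = b.split()[1]
    return inv


def migration_checklist(inv):
    """Turn the inventory into the cutover items discussed in the thread."""
    ra = sorted(n for n, t in inv["tunnel_groups"].items() if t["type"] == "remote-access")
    return {
        "static_mac_interfaces": [i["name"] for i in inv["interfaces"] if i["static_mac"]],
        "unaddressed_mgmt_interfaces": [i["name"] for i in inv["interfaces"]
                                        if i["name"].startswith("Management") and not i["has_ip"]],
        "remote_access_groups": ra,
        # LOCAL auth for RA VPN is not available on FMC-managed FTD 6.7.
        "local_auth_groups": [n for n in ra if inv["tunnel_groups"][n]["auth_server_group"] == "LOCAL"],
        "local_users_to_migrate": sorted(u["name"] for u in inv["local_users"] if u["privilege"] < 15),
        "local_admin_accounts": sorted(u["name"] for u in inv["local_users"] if u["privilege"] == 15),
        "trustpoints_to_rekey": [t["name"] for t in inv["trustpoints"]],
        # Any VPN terminated on the ASA drops at cutover; no session sync to FTD.
        "vpn_sessions_will_drop": bool(inv["tunnel_groups"]),
    }


if __name__ == "__main__":
    for item, value in migration_checklist(parse_asa_config(SAMPLE_ASA_CONFIG)).items():
        print(f"{item}: {value}")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_ASA_CONFIG`; the admin-account list is worth reviewing with the "single source of truth" point in mind before any of those names are re-created anywhere.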
11-08-2022 09:01 AM
Hi, we need to migrate from ASA 7.2 to FWP2110, but we cannot use the migration tool because it is blocked by the version and the device has been end of life since 2018. Can you explain to us, please, how we can solve it? Thanks in advance