Re: Cisco ASA to FTD migration

ethutchinson · ‎03-24-2021

We currently have two ASA 5515x's in an Active/Standby failover setup that we will be migrating to the same failover setup with two 1140 FTDs. I see there is a Migration tool for converting the ASA config to FTD. From an install perspective is there any sense in hoping for a zero downtime upgrade considering the failover relationship we have in place? I know I am hoping/asking for a lot.

Thanks

Rob Ingram · ‎03-24-2021

@ethutchinson

Have you set static MAC addresses on the ASA interface configuration currently?

Are you terminating any VPNs on the firewalls? If so they would need to restablish, so that would not be transparent.

I'd plan for a brief outage, make the cutover in a change window, out of hours.

HTH

alfred.thyri · ‎03-25-2021

That's not going to work without re-establishing all the connections. There is no way of HA sync between ASA and FTD, hence no sync of sessions.

ethutchinson · ‎05-10-2021

So as I start to think more about this migration I am coming up with more and more questions. I have accepted I am going to have some downtime. I put my thoughts into a TAC call. Here where the questions I had for the tech.

We currently have two ASA 5515Xs in an Active/Standby failover configuration. I am going to make the assumption we should deploy both of the new FTDs the same time as opposed to deploying one FTD, making sure it works the way we want it as the Active FTD and then deploying the other as the Standby.
We currently have Firepower for AMP and URL filtering running on the ASA 5515Xs 200 gb drives. We manage the Firepower using a FMC Virtual Machine. Will I be able to manage the new FTDs with the same VM or will I need to spin up another FMC VM to manage the new FTDs?
I regards to setting up the new FTDs. Should I set them up in my network beforehand with alternate IP addresses in the same inside network class C subnet as the production ASAs so configuration work can be done, licenses confirmed, etc.?
I am very concerned about our Any Connect plus license working immediately with the new FTDs after migration. Due to Covid-19 most of our workforce still works remotely and this needs to work. The authentication for Anyconnect VPN is controlled by a local DB on the ASAs. Is that still allowed in the FTDs?
Will I have to apply new certificates to the outside interface or can the old certs be used?

I did not like the tech's answer which was basically to convert the configuration with the migration tool, disconnect the ASAs and reconnect the FTDs with the converted ASA configs. I was really concerned about Step 3. I was hoping for a little more direction. Can the Community answer some of my questions?

Thanks

Marvin Rhoads · ‎05-10-2021

1. Run the migration tool with the target as a single standalone Firepower appliance. Then create the HA pair in FMC prior to migration.

2. You can use the same VM provided it is licensed for more than the smallest level (2-device).

3. Not necessary. To get started all the FTDs need is a management IP address to connect and register to FMC. The dataplane interfaces can be fully configured but not connected until cutover time.

4. Local authentication for remote access VPN is not supported for FMC-managed devices as of the current version 6.7. You have to use a AAA server like RADIUS or LDAP/AD (or client certificate). FDM management does support local authentication for remote access VPN and we expect the feature in the next release of FMC (due out in the coming month).

5. The current certificate will need to be rekeyed using a Certificate Signing Request (CSR) from one of the new appliances and then reissued from the signing Certificate Authority (CA). With FTD, the licenses are Smart license type. Your AnyConnect PAKs (assuming they are AnyConnect 4.x with current support) can be shared with your Smart account. Then FMC registers to the account and allocates the licenses to the managed FTD appliances.

Cisco TAC won't convert your configuration. Cisco does offer a firewall deployment service but it's quite pricey - typically used by large enterprise customers with complex configurations

ethutchinson · ‎05-10-2021

I was also hoping Cisco would convert the config for me. This the tech pretty much ignored.

ethutchinson · ‎05-12-2021

Marvin,

Thanks for the great answers. Unfortunately these have generated more questions....in red.

1. Run the migration tool with the target as a single standalone Firepower appliance. Then create the HA pair in FMC prior to migration.

2. You can use the same VM provided it is licensed for more than the smallest level (2-device). I will check this

3. Not necessary. To get started all the FTDs need is a management IP address to connect and register to FMC. The dataplane interfaces can be fully configured but not connected until cutover time. Should this management IP address be on the same IP subnet as the inside interface of my current ASAs?

4. Local authentication for remote access VPN is not supported for FMC-managed devices as of the current version 6.7. You have to use a AAA server like RADIUS or LDAP/AD (or client certificate). FDM management does support local authentication for remote access VPN and we expect the feature in the next release of FMC (due out in the coming month). It looks like we are going to go with the RADIUS server option for VPN authentication. Can you recommend a good paid-for version? Or is that not neccessary?

5. The current certificate will need to be rekeyed using a Certificate Signing Request (CSR) from one of the new appliances and then reissued from the signing Certificate Authority (CA). With FTD, the licenses are Smart license type. Your AnyConnect PAKs (assuming they are AnyConnect 4.x with current support) can be shared with your Smart account. Then FMC registers to the account and allocates the licenses to the managed FTD appliances.

Marvin Rhoads · ‎05-12-2021

The management IP address can be in the same subnet as the inside interface; but if there is a subnet used for such things you can also use that.

For a RADIUS server it depends a lot on your enterprise or organization's setup and where user identities are stored. Most people have AD so they use that directly. Those the don't have AD might use something like Cisco ISE (much more than just a RADIUS server and priced accordingly) at the high end all the way down to an open source FreeRADIUS server.

ethutchinson · ‎05-24-2021

Marvin,

I have always felt that the Local DB option for our Anyconnect VPN authentication provided an extra security layer. I know it is another administrative link in the chain but it is price we have been willing to pay for quite some time now. My team and I have discussed this and we still feel this way. So I am looking into enabling the NPS role on one of our MS 2016 servers to do the authentication. It will most likely "not" use our AD for LDAP linking and stay with another username/pw list.

Your thoughts would be appreciated.

Thanks

Marvin Rhoads · ‎05-24-2021

I've heard it argued and tend to agree that using a single identity source of truth is a superior design. The rationale is that when an employee is joins or leaves or changes roles, there is one place where their record is created and privileges granted (based on membership in various groups). When you distribute that across multiple systems, each of those systems has to be updated independently to add or remove access. I've seen many local user databases that contain "the guy who used to work here" (often with full admin privileges).

ethutchinson · ‎05-24-2021

And we have had that happen......several times. So I guess we stand at a crossroads here. My fear is if someone (not an employee) knows your AD password they can login using the AnyConnect client and cause all sorts of mischief. So I am going to guess again this can be fixed with having the users I want to use VPN access in some sort of a group. Sorry to theorize basic stuff but we have never had to deal with this before.

Marvin Rhoads · ‎05-24-2021

Users' local passwords can be compromised just like AD-based passwords can.

Have you considered Multi-Factor Authentication (MFA)?

ethutchinson · ‎05-12-2021

Marvin,

I noticed on my current ASA 5515Xs the management interfaces are connected the same vlan as the one my inside interfaces are on but they dont have any addresses assigned to them. I dont really remember why I did this but I think it had something to do with my Firepower setup? Will the management interfaces on the FTDs need to have IP addresses assigned to them?

Marvin Rhoads · ‎05-12-2021

Yes, FTD requires use of the physical management interface.

soporteSeguridad8710 · ‎11-08-2022

Hi, we need migrate from ASA 7.2 to FWP2110, but we can not use to migration tool because it is block by the version and the device is end of life from 2018, can you explain to us, please, how we can solved it, please?. Thanks in advance