Solved: Re: Does the FMT overwrite all FTD configuration if only selecting NAT

NetworkMonkey101 · ‎10-18-2024

Am I able to only push partial configuration to a FTD and keep all other existing configuration if options are deselected?

Marvin Rhoads · ‎10-18-2024

You can elect not to choose a target FTD when running the migration tool.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m-asa-to-threat-defense-migration-workflow.html#id_68145

That will trigger this workflow: "if you do not have a threat defense device, you can migrate the shared policies (Access Control Lists, NAT, and Objects) of the ASA configuration to the management center."

You could then later assign the migrated NAT policy to your existing device. However you would be responsible for manually ensuring that all of the interfaces and zones were already properly assigned so that the NAT policy would be valid.

View solution in original post

Aref Alsouqi · ‎10-18-2024

Assuming you are migrating from an ASA to FTD:

Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool - Getting Started with the Secure Firewall Migration Tool [Cisco Secure Firewall ASA] - Cisco

Marvin Rhoads · ‎10-18-2024

You can elect not to choose a target FTD when running the migration tool.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m-asa-to-threat-defense-migration-workflow.html#id_68145

That will trigger this workflow: "if you do not have a threat defense device, you can migrate the shared policies (Access Control Lists, NAT, and Objects) of the ASA configuration to the management center."

You could then later assign the migrated NAT policy to your existing device. However you would be responsible for manually ensuring that all of the interfaces and zones were already properly assigned so that the NAT policy would be valid.