FDM to FMC Migration

Georges Francis
Level 1

Hello,

We are attempting to migrate two FTDs managed on FDM to FMC.

The new FMT version provides the option to migrate from FDM to FMC; however, due to a bug in the code the tool crashes at the last step. We opened a ticket with Cisco TAC and we are still waiting for the development team to publish a version with a fix.

We migrated most of the config using APIs:

1) Extract the information needed from FDM using the API and place it in a JSON file

2) Modify the JSON file format to become compatible with the body of the POST request to FMC

3) Post the data using APIs to FMC

4) When available, we convert the JSON file to CSV and import the CSV to FMC

This method worked for most objects, however when working with access rules it became a lot harder due to the complex structure of the ACL on both appliances and the big difference between them.

We have over 100 rules on FDM and moving them manually will take a lot of time.

Does anyone have a script that might automate the process, or a method to alter the structure of the access rules extracted from FDM to become compatible with FMC?

Any advice would be highly appreciated.

Best regards,
Georges

1 Accepted Solution

Georges Francis
Level 1

*Update*

Cisco fixed the bug and we can now migrate the configuration from FTD managed by FDM to FMC.

6 Replies

Hello Georges,

I understand the challenge you're facing while migrating access rules from FDM to FMC. As you mentioned that you have already tried using APIs to migrate most of the configuration, the same approach can be used for access rules as well. However, you'll need to modify the JSON structure to make it compatible with FMC.

Here's a high-level process to achieve this:

1. Retrieve access rules from FDM:
Use the FDM API to retrieve access rules and store them in a JSON file. The API endpoint for this would be something like:


GET https://(fdm_ip)/api/fdm/latest/policy/accessrules


2. Transform the JSON structure:
Write a script (Python, for example) to transform the JSON structure of the access rules according to FMC's API requirements. You can refer to the FMC API documentation to understand the expected JSON structure for access rules:


FMC API documentation: https://(fmc_ip)/api/api-explorer


3. Import access rules to FMC:
Use the transformed JSON file to import access rules into FMC using the FMC API. The API endpoint for this would be something like:


POST https://(fmc_ip)/api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/{containerUUID}/accessrules


4. Validate and troubleshoot:
After importing the access rules, validate if they have been imported correctly. If you encounter any issues, analyze the API responses or logs for any errors.

Please note that the actual API endpoints and JSON structures might vary depending on the FDM and FMC versions you're using. It's essential to refer to the API documentation for your specific FDM and FMC versions before proceeding.

Unfortunately, I cannot provide you with a ready-to-use script, but this high-level process should help you build one according to your specific requirements. If you need further assistance, feel free to reach out!

Best regards,
Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
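
A sketch of step 2 (the transform) from the reply above, as an added example that is not part of the original thread and not Cisco's code. The field names (`ruleAction`, `eventLogAction`, `logBegin`, `sendEventsToFMC` and so on) and the value mappings are assumptions to confirm in the API Explorer of your FDM and FMC versions; the sample rules and the `fmc-uuid-*` ids are constructed. Object UUIDs differ between the two managers, so references are re-resolved by name, and a rule with an unresolved reference is rejected rather than posted with a missing condition.

```python
# Added example. Field names are assumptions; confirm them in each API Explorer.
ACTION_MAP = {"PERMIT": "ALLOW", "DENY": "BLOCK", "TRUST": "TRUST"}
LOG_MAP = {"LOG_NONE": (False, False), "LOG_FLOW_END": (False, True),
           "LOG_BOTH": (True, True)}          # -> (logBegin, logEnd)
CONDITIONS = ("sourceZones", "destinationZones", "sourceNetworks",
              "destinationNetworks", "sourcePorts", "destinationPorts")

def remap(refs, fmc_index, rule_name, field):
    """Swap FDM object references for FMC ones, matched by object name."""
    out = []
    for ref in refs:
        target = fmc_index.get(ref["name"])
        if target is None:
            # Dropping the reference would empty the condition, which matches
            # "any" and silently widens the rule, so reject the rule instead.
            raise LookupError(f"{rule_name}: {field} {ref['name']!r} not on FMC")
        out.append({"name": ref["name"], "id": target["id"], "type": target["type"]})
    return out

def fdm_rule_to_fmc(rule, fmc_index):
    """Build one FMC access rule body from one FDM access rule."""
    log_begin, log_end = LOG_MAP[rule.get("eventLogAction", "LOG_NONE")]
    body = {"type": "AccessRule", "name": rule["name"], "enabled": True,
            "action": ACTION_MAP[rule["ruleAction"]], "logBegin": log_begin,
            "logEnd": log_end, "sendEventsToFMC": log_begin or log_end}
    for field in CONDITIONS:
        if rule.get(field):
            body[field] = {"objects": remap(rule[field], fmc_index, rule["name"], field)}
    return body

def convert_policy(fdm_rules, fmc_index):
    """Return (payloads in FDM order, [(rule name, reason)] for rejected rules)."""
    payloads, rejected = [], []
    for rule in fdm_rules:
        try:
            payloads.append(fdm_rule_to_fmc(rule, fmc_index))
        except LookupError as exc:  # unresolved object, or unknown action/log value
            rejected.append((rule.get("name"), str(exc)))
    return payloads, rejected

# Constructed sample data: two FDM rules and a name index of objects already on the FMC.
FMC_INDEX = {"inside_zone": {"id": "fmc-uuid-1", "type": "SecurityZone"},
             "web_servers": {"id": "fmc-uuid-2", "type": "NetworkGroup"}}
SAMPLE_RULES = [
    {"name": "allow-web", "ruleAction": "PERMIT", "eventLogAction": "LOG_FLOW_END",
     "sourceZones": [{"name": "inside_zone"}], "destinationNetworks": [{"name": "web_servers"}]},
    {"name": "deny-legacy", "ruleAction": "DENY", "sourceNetworks": [{"name": "old_lab"}]},
]
```

Post the payloads only when `rejected` is empty: access rules are evaluated in order, so leaving out a single deny rule changes what the rules after it match.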

Hey there George, I was trying to do the exact thing but always stuck to blocked, please see image below.
I'm using FTD managed by FDM v7.2.4 and FMC v7.2.5. I wonder what is causing this issue and if you can share your fix? FMT version is 5.0.0

@Georges Francis Even we are planning to migrate FDM managed FTD to FMC.

I have a few questions for you:

1. Which version of FMC supports this migration?

2. Did you manage to extract all Objects, Policies, Ports from FTD using API & then push the same to FMC? If so, can you please suggest how you did it?

@Georges Francis 
Unfortunately, we were not able to migrate the FDM(FTD) to FMC. We just use the previous ASA configuration and use the FMT tool. After that, we just added all the changes we did on the FDM manually to the FMC. We roll back to the ASA while building the FMC+FTD.

Georges Francis
Level 1

Hello @romarro @00uv4hyt1ZlDrrQyK5d6,

As per FMT documentation you should have the following:

  • FMC and FDM Version: Ensure that the FMC version is 7.3 or later and FDM version is 7.2 or later. FDM version should be always equal or less than the FMC version. For optimal migration time, improved software quality and stability, use the suggested release for your FTD and FMC. Refer to the gold star on CCO for the suggested release.

You can check the documentation and all requirements of the FMT on the right pane of the screen in the FMT tool after selecting FDM from the drop-down list on the left.

That would be regarding the version in order for FMT to work.

@00uv4hyt1ZlDrrQyK5d6 regarding the APIs, yes I was able to do all of that. You need to check the API Explorer in both the FDM and FMC; it will show you all possible APIs that can be used on the device. Everything is well documented and easy to understand with examples.

You can also find a lot of YouTube videos from Cisco DevOps showing how to use APIs for various tasks.

The challenging part would be modifying the format of the output from the first device to become compatible with the second.

I had to be creative converting JSON to Excel or using Notepad++ to modify data in bulk in the JSON file.
