
FMC 1000 to HA FMC 1600: Upgrade Strategy & CFUA to ISE-PIC Migration

haroungh
Level 1

Hi Dears,

I’m currently managing a Cisco FMC 1000 running version 6.6.4, which oversees 6 Cisco Firepower 2110 firewalls (also on 6.6.4) in an active-standby setup.

I’m planning to:

  1. Replace the existing FMC 1000 with two FMC 1600 in a high-availability (HA) configuration.
  2. Upgrade both the FMC and firewalls to the recommended version 7.4.2.
  3. Replace CFUA with Cisco ISE-PIC for user identity services.

I’d appreciate any best practices, recommendations, or lessons learned from those who have performed similar migrations. Specifically, I’d like guidance on:

  • The smoothest approach to setting up FMC HA while minimizing disruption.
  • Best upgrade path for the firewalls to 7.4.2.
  • Considerations when transitioning from CFUA to ISE-PIC.

Thanks in advance for your support.

Marvin Rhoads
Hall of Fame

Plot out a compatibility course following the information here: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/compatibility/management-center-compatibility.html#id_37880

Depending on what it shipped with, you may need to reimage the FMC 1600 since 6.6.4 devices can only be managed with FMC 7.2.x or lower.

We would follow the FMC model migration guide detailed here: https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/m_fmc_migration_workflow.html

As always, we first upgrade FMC (subject to the compatibility matrix) and then managed devices.

Your 6.6 devices would have to go to 7.2 first and then to 7.4.1. Finally, you can patch to 7.4.2.2 (current latest release for the 2110s).

I would wait until the end to make your FMC HA as that will be quickest overall.

Once FMC and the firewalls are upgraded, you can install and integrate ISE-PIC. Make sure it is getting good identity information before integrating it into FMC.

haroungh
Level 1

Dear @Marvin Rhoads,

Thanks very much. What’s the update on the CFUA migration to ISE-PIC? When is it expected to be done?

CFUA is already end-of-life and no longer supported.

CFUA is not really a migration per se. The new version of FMC will not have any feature to enable CFUA. Instead, you just create a new integration for your ISE-PIC.

It has no relation to anything that was set up in CFUA except for the fact that it does the same job - provide username to IP address mapping to FMC for visibility and (optionally) use in policy enforcement when integrated with an AD or LDAP realm.
