Solved: FMC migration questions

antonioyan99 · ‎07-27-2023

Hi Cisco Firepower experts,

I am preparing a FMC migration from old 1000 model to 1600 model. Got 2 questions.

1. Can the target FMC use a different MGMT IP other then the existing one?

2, The FMC is sending logs to SIEM, during the cutover, would the event log be lost for a few minutes? or the FTD will keep the log locally, and once the FTD re-establishes communication with FMC, the logs will then be sent out, so technically no log will be missed on the SIME side?

Thanks

Marvin Rhoads · ‎07-27-2023

1. Technically yes, but you don't want to go there since it makes the work 10x as much. Model migration is designed to keep the same IP on the new FMC.

2. FTD will retain events locally in queue if they are destined for FMC. However syslog events from FTD devices are generally sent out directly via UDP and not queued. Syslog from FMC based on incoming FTD events follow that model. eStreamer is tcp based and will drain the queue once the events start coming in again.

View solution in original post

Marvin Rhoads · ‎07-27-2023

1. Technically yes, but you don't want to go there since it makes the work 10x as much. Model migration is designed to keep the same IP on the new FMC.

2. FTD will retain events locally in queue if they are destined for FMC. However syslog events from FTD devices are generally sent out directly via UDP and not queued. Syslog from FMC based on incoming FTD events follow that model. eStreamer is tcp based and will drain the queue once the events start coming in again.