Solved: Re: FMC Migration Tool

Azlan.my07 · ‎07-04-2022

Helo everyone,

Anyone has experience with FMC migration tool? or anyone else any idea my question below.

I have a question about the migration tool, does it fully migrate policy and sensor settings? instead of simply migrate the event, logs, and platform configuration?

Another question could this migration tool migrate from my device 6.4 to 6.6?

Thanks

Marvin Rhoads · ‎07-04-2022

Are you asking about the FMC Model migration tool or the FTD Migration Tool?

The former migrates EVERYTHING from an old FMC to a new one. Source and target versions must be the same. Upgrade is a separate action that is handled via the standard system update process.

The FTD Migration Tool migrates an older ASA (or some third party platforms such as Checkpoint or Palo Alto) configuration to a new FTD device managed by an existing FMC. If also does not do upgrades, it only moves all of the eligible policy and configuration elements to the new device managed by FMC.

View solution in original post

balaji.bandi · ‎07-04-2022

check the Migration guide with limitration :

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/b_Migration_Guide_ASA2FTD_chapter_0111.html

Most of the Migration, we look forward the configuration to be exported to new device, rest all we ignore (since we looking working case here, Logs are different format, so that will be challange.)

migration tool migrate from my device 6.4 to 6.6?

You can do code upgrade here, not migration tool.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎07-04-2022

Are you asking about the FMC Model migration tool or the FTD Migration Tool?

The former migrates EVERYTHING from an old FMC to a new one. Source and target versions must be the same. Upgrade is a separate action that is handled via the standard system update process.

The FTD Migration Tool migrates an older ASA (or some third party platforms such as Checkpoint or Palo Alto) configuration to a new FTD device managed by an existing FMC. If also does not do upgrades, it only moves all of the eligible policy and configuration elements to the new device managed by FMC.

Azlan.my07 · ‎07-05-2022

Hi @Marvin Rhoads Thank you for your response. I'm referring to FMC Model, not FTD or ASA.

So in my case, I need to upgrade old source device and start using migration tool.

Marvin Rhoads · ‎07-06-2022

You're welcome.

Note the source and target must be identical in version, patch, VDB and SRU.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/migrate_your_fmc.html#id_111621

Azlan.my07 · ‎07-06-2022

Another question, Marvin, is there another way to migrate without using migration tools? 6.4.0.x is the current version, while 6.6.5.x is the new appliance.

Backup and restore method?

Marvin Rhoads · ‎07-07-2022

The model migration tool is a backup and restore under the covers with a few commands added in to allow the destination FMC to be a different model than the source.

Even a straight backup and restore from the GUI requires the restore be onto the same version patch etc.

Azlan.my07 · ‎07-07-2022

Noted, I have another question, are there any major changes or impacts to upgrading from 6.4.x to 6.6.x that I need to aware and I need to check to avoid any missing policy, configuration, etc? I checked the release notes, but I really just want your opinion.

Marvin Rhoads · ‎07-08-2022

@Azlan.my07 the main thing to be sure of is that your managed devices aren't running too old of a version to be managed by FMC 6.6.x. For 6.6.x, it can manage devices as far back as 6.2.3.

Generally speaking I would recommend upgrade to 7.0.3 (as of now). It will be more stable and have more features than 6.x. 7.0.x can manage as far back as 6.4.0.

Azlan.my07 · ‎07-08-2022

Noted Marvin, as for now all sensor run 6.4.x.

Yes, I noticed that the suggested version of FMC gold star is 7.0.3.

Thank you for your feedback and advice, Marvin. Thank you very much.

Azlan.my07 · ‎07-19-2022

Helo Marvin, Apologize, I have another question since this is still related with the migration.

I have question about licensing. We plan to migrate a few sensors before proceeding with the others. My question is, can I reassign the device's license to a new FMC without deregistering all of the licenses and having an affect on the current old FMC?

How about classic license to migrate to new FMC? we have Firepower 7000 & 8000 series

Marvin Rhoads · ‎07-19-2022

Both FMCs can be registered to the Smart license portal for the purpose of checking out and allocating feature licenses for the sensors they manage. For classic-licensed devices like the older Firepower appliances you need to rehost those licenses one by one. I'm not sure if they've enabled that in the classic license LRP or if you have to open a TAC case to have them rehosted to your new FMC.