cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1448
Views
15
Helpful
15
Replies

FMC Version Suggestions for Upgrade

rsharp001
Level 1
Level 1

Hi all -

I am beginning a project to migrate from 6.6.5, that is controlling an old AMP8150 and a pair of FTD1100s.  The Migration is away from the 8150 and a pair of ASA5500 to the Secure Firewall 3100 series, I have been reading the documentation I'll have to stand up a FMC 7.1 or above to control the new units (they shipped with 7.1 installed).  My understanding is that the older unit cannot be managed by a version above 6.6.5 so I'm looking at running 2 FMCs during the process.  I want to migrate my objects and current rules to minimize some of the hand configuration, I plan to run a test import of the current backup.  Eventually I will move the 1100s over to the new install, but that will be planned for after since it'll have some downtime.

- I'm looking to see what version of FMC you all are using 7.1 or 2?

- Any landmines you all may have stepped on that I could avoid?

- Better way you all may have done this?

Thank you!

 

1 Accepted Solution

Accepted Solutions

@rsharp001 I have used the FMC model migration script along with the configure-model.sh script to fool it into allowing migration paths that are not directly allowed in the first script (i.e. same-same model). It uses a backup file as its input and brings over EVERYTHING. IP address, host name, etc. If you want to keep both online, then just change back the address of the new one after running the script.

To add the HA pair on the new FMC, it will already know about them from the restore operation. The devices themselves will need a configure manager delete / add cycle to make them sync up with the new FMC.

Regarding the timing of 7.0.4, the release notes' published bugs for 7.0.3 is not complete - it only includes public-facing bugs. So 7.0.4 will cover more than just the open caveats publicly listed for 7.0.3

View solution in original post

15 Replies 15

balaji.bandi
Hall of Fame
Hall of Fame

FMC 7.1 is a good go, if you looking to 7.2 look at release notes and caveats.

i suggest offline build in parallel with exiting setup and test if you can offline all rules are migrated as expected. some offline testing. and making small downtime window to cutover to new environment is best option I see.

also make sure to keep the old kit still live and not connected, in case required to fallback plan.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads
Hall of Fame
Hall of Fame

 7.2 will be a longer term release than 7.1. Of course 7.1 is the minimum required for Firepower 3100. Personally I would go with FMC 7.2 and 7.2 on the 3100 as well. I'm not running 7.2 on any firewalls yet but have it on a couple of FMCs without any problem. As far as Gold Star, it will likely be moved to 7.0.4 (out very soon but a moot point for your situation) and then eventually move next to 7.2.x.

You cannot restore an older backup onto a new system. You could restore onto a freshly built FMC 6.6.5 and then upgrade it to 7.1/7.2 directly.

@Marvin Rhoads 

Do you know why 7.0.4 will be relesed only few weeks after 7.0.3 despite 7.0.3, according to bug tool doesn't have any relevant but?

we hit bug in 7.0.3 where the deployment the the FTD/Sensors keep failing the bug ID CSCwc34590.

 

 

please do not forget to rate.

@Sheraz.Salim the link you provided is Cisco-internal. The public link is https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34590

Hey Marvin. hope you doing well. Oh did not notice that. Thank you for this. I was just with TAC today I asked them when the 7.0.4 is due. they could not answer this    Do you have any idea when its due to release?

please do not forget to rate.

Hi @Sheraz.Salim. A TAC engineer told me earlier this week to expect 7.0.4 on 10 August 2022. I have a customer with whom I'm hitting a bug that should be fixed in 7.0.4 so I'm hoping he's right.

As with all Cisco dates, I will believe it only after it appears on the downloads page.

Thank you Marvin.  On a restore, does it bring all the underlying OS settings over, like IP/hostname, or is it just going to be the application settings?

When moving the 1100 boxes, 2 in HA, can I simply just point them at the new manager from the CLI or am I going to need to break their HA and migrate individual and then rebuild?  Downtime will be scheduled either way, more curious if I must go a longer route or if there is an easy button.

routing tables (For example if you using static routes) They do not push in deployment from the restore backup. you have to manually define again the static routes and push the police. if you use Cert for vpn or for anyconnect or site-to-site. Just export the identity certificate and manually restore the identity cert in a fresh install FTD. rest object object group acl all good.

You still need to add your FTD (new one) in NAT section and on the platform setting doing this it will save your time.

please do not forget to rate.

@rsharp001 I have used the FMC model migration script along with the configure-model.sh script to fool it into allowing migration paths that are not directly allowed in the first script (i.e. same-same model). It uses a backup file as its input and brings over EVERYTHING. IP address, host name, etc. If you want to keep both online, then just change back the address of the new one after running the script.

To add the HA pair on the new FMC, it will already know about them from the restore operation. The devices themselves will need a configure manager delete / add cycle to make them sync up with the new FMC.

Regarding the timing of 7.0.4, the release notes' published bugs for 7.0.3 is not complete - it only includes public-facing bugs. So 7.0.4 will cover more than just the open caveats publicly listed for 7.0.3

"Regarding the timing of 7.0.4, the release notes' published bugs for 7.0.3 is not complete - it only includes public-facing bugs. So 7.0.4 will cover more than just the open caveats publicly listed for 7.0.3"

That's very annoying, apart from cisco hiding the most dangerous bugs to its customers, which is by itself a very bad habit, many bugs appear to be related to a wrong or incomplete list of releases/devices in bug tool.

How can a poor engineer be safe to upgrade his deployments?

@Marvin RhoadsIs it safe to assume this will work for migrating the FMCv as well?  I just downloaded the 6.6.5 tar and will be installing fresh, importing the backup, then upgrading.  I'm not married to the IP address, more concerned with bringing over the rules, objects, settings, and hopefully just changing the management of the 2 1100 devices.

@rsharp001 yes that will work for FMCv

Review Cisco Networking for a $25 gift card