FMC100 migration to FMCv

@Marvin Rhoads kindly please suggest if my approach is right, as the Cisco documentation is overwhelming. From what I read in your post replies and others, this is the right process for FMC1000 migration to FMCv:

• 1 Deploy new FMCv in virtual environment
• 2 Provision new FMCv with a different IP initially, and perform initial setup, licensing and bring it up to the same version and patch level
• 3 On FMCv run script "/var/sf/etc/model-info/configure-model.sh" and set it to FMC 1000
• 4 On FMC 1000, break the HA pair, perform a Management backup and download it to a local PC.
• 5 Shut down FMC 1000 (in case someone needs to be in the DC in order to power it up / shut down the interface of the FMC from the ACI leaf switch)
• 6 Update the FMCv IP address to the IP address previously used by FMC 1000 by using script "/usr/local/sf/bin/configure-network"
• 7 Perform the actual restore on FMCv using the backup from FMC 1000.
• 8 Revert the FMCv model using "/var/sf/etc/model-info/configure-model.sh"
• 9 Form the HA pair on FMCv

I have a few more questions. Will the restored backup file also back up the SNMP (SNMP configured for FTDs) / report settings / NTP / FMC users via AD etc.? Do I need to download the backup file of the FMC backup or the FTD backup from FMC, or shall I do both backups and restore them to the new FMCv?

Is my understanding right that if the FMCv goes wrong I can always revert my change to FMC1000? Doing this will not impact the FTD either, as I presume I am only touching the management plane.

Note: The production FMC is running version 7.0.3. The FTD versions are 7.03, and another FTD is running 6.6.5.2. We are not able to upgrade this FTD 6.6 because the DH values are deprecated in the newer version.

please do not forget to rate.
3 Accepted Solutions

Marvin Rhoads
Hall of Fame

@Sheraz.Salim I would adjust the approach slightly based on my recent success doing just this. See my comments inline below:

• 1 Deploy new FMCv in virtual environment Confirmed
• 2 Provision new FMCv with a different IP initially, and perform initial setup, licensing and bring it up to the same version and patch level Confirmed
• 3 On FMCv run script "/var/sf/etc/model-info/configure-model.sh" and set it to FMC 1000 I would set the model to FMC 1600 or a similar model supported by the model migration tool / script, which I prefer to use. https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/about_fmc_model_migration.html#id_111597
• 4 On FMC 1000, break the HA pair, perform a Management backup and download it to a local PC. When you break HA, you will be asked which FMC you want the target devices to continue to use - choose the Primary FMC. After HA is removed and all is confirmed healthy, then get a fresh backup.
• 5 Shut down FMC 1000 (in case someone needs to be in the DC in order to power it up / shut down the interface of the FMC from the ACI leaf switch) Confirmed. Alternatively, just shut down the interface at the switch it is connected to.
• 6 Update the FMCv IP address to the IP address previously used by FMC 1000 by using script "/usr/local/sf/bin/configure-network" Not needed - see #7.
• 7 Perform the actual restore on FMCv using the backup from FMC 1000. Restore by using the model migration tool mentioned above. That will include updating the IP to match the source FMC 1000 and all the settings you mention below.
• 8 Revert the FMCv model using "/var/sf/etc/model-info/configure-model.sh" Confirmed; check that all device heartbeats are being received and no deployment is pending.
• 9 Form the HA pair on FMCv Confirmed.

I have a few more questions. Will the restored backup file also back up the SNMP (SNMP configured for FTDs) / report settings / NTP / FMC users via AD etc.? Do I need to download the backup file of the FMC backup or the FTD backup from FMC, or shall I do both backups and restore them to the new FMCv? Not needed - see #7.

Is my understanding right that if the FMCv goes wrong I can always revert my change to FMC1000? Doing this will not impact the FTD either, as I presume I am only touching the management plane. Confirmed - although you would have to rebuild HA to revert 100%. For the HA use case, I typically avoid it since my personal position is that it is better to have a solid off-device backup and restore plan for a single FMCv. HA adds complexity and makes upgrading more difficult with minimal operational advantage.

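The procedure above hinges on three things being right before the restore in step 7 is attempted: the FMCv is on exactly the same version and patch level as the source, the source/target model pair is one the migration tool accepts, and the backup archive that was downloaded to the PC is the one that was taken (not truncated or altered in transit). The following pre-flight script is an added example written for this thread; it is not code from the thread, from Cisco, or from the migration tool. It takes the version strings as arguments (reading them from each FMC beforehand is assumed), lists only the FMC1000 to FMC1600 pair that the thread names as supported, and verifies the backup against a SHA-256 recorded when the backup was taken. The demo backup file it creates is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco. Pre-restore checks to run
# from the admin workstation before restoring the FMC 1000 backup onto the FMCv.
# Version strings are assumed to have been read from each FMC beforehand; this
# script takes them as arguments and reads no FMC file itself.

# Strict equality of the version string (e.g. "7.0.3"); the restore must go onto
# the same version and patch level as the source FMC.
versions_match() {
    src="$1"; tgt="$2"
    [ -n "$src" ] && [ -n "$tgt" ] && [ "$src" = "$tgt" ]
}

# Source/target model pairs the migration tool accepts. Only the pair named in
# the thread is listed; extend it from Cisco's migration matrix, not by guessing.
model_pair_supported() {
    case "$1:$2" in
        FMC1000:FMC1600) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 of a file, using whichever tool the workstation has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the downloaded backup with the digest recorded when it was taken, so a
# truncated or altered archive is caught before it is restored.
verify_backup() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Run all three checks; fail on the first problem with a reason on stderr.
preflight() {
    versions_match "$1" "$2" || { echo "version mismatch: $1 vs $2" >&2; return 1; }
    model_pair_supported "$3" "$4" || { echo "unsupported model path: $3 -> $4" >&2; return 1; }
    verify_backup "$5" "$6" || { echo "backup checksum mismatch for $5" >&2; return 1; }
    echo "preflight OK"
}

# Demo with a constructed backup file (a real run points at the archive downloaded
# from the FMC backup page and the digest recorded at backup time).
demo() {
    tmp=$(mktemp)
    printf 'constructed backup payload\n' > "$tmp"
    sum=$(sha256_of "$tmp")
    preflight 7.0.3 7.0.3 FMC1000 FMC1600 "$tmp" "$sum"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In practice the digest passed to `verify_backup` is recorded on the FMC immediately after the backup completes and carried to the workstation separately from the archive, so that the check actually detects a corrupted download rather than re-hashing the same bytes twice.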

@Marvin Rhoads Thank you for getting back to me. Coming to point number 3: "I would set the model to FMC 1600 or a similar model supported by the model migration tool / script, which I prefer to use. https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/about_fmc_model_migration.html#id_111597"

In my case, I am using the FMCv25 virtual model. Therefore, my migration path would be from FMC1000 to FMCv25. However, when reviewing the matrix table you provided, I do not see a migration path from FMC1000 to FMCv25. Should I assume that migrating from FMC1600 would work? Is my assumption right that, as the FMC1000 has gone EOL/EOS, the matrix table does not provide this model? Please note, both my current FMC version and the target FMCv25 will be running software version 7.0.3.

I would appreciate your prompt response.


sheraz.

please do not forget to rate.


@Sheraz.Salim You fool the tool into thinking your FMCv25 is actually an FMC1600 so that it will pass the migration tool script's built-in check. (The tool supports the FMC1000 to FMC1600 path.)

Then, once it migrates, switch the FMCv25 back to the proper model number. (It's just a variable in a text file, but using the script ensures the correct variable is placed, correct file permissions are retained, etc.)


5 Replies

balaji.bandi
Hall of Fame

I have recently used the below document and migrated an old FMC to a new FMC:

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/m_fmc_migration_workflow.html#id_112763

A couple of tips from what I did: I planned the hardware resources for the target version, for example 7.2 or above.

If this is HA, pause the HA, and make sure to check the compatibility matrix with FTD also.

Install the same version of FMC that is running as production in the virtual environment, migrate the configuration, and upgrade to the target version on the new virtual FMC.

Do not make any changes; freeze any changes on FMC until you totally migrate to the new FMC and push a test policy, registering the FTD to the new FMC.

As long as you do not make any changes, your data traffic will not have any interruption of services.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


@Marvin Rhoads Thank you for your input; as always, you are very helpful.

please do not forget to rate.