Does anyone have a tested, validated, and trustworthy migration procedure to convert an FDM-managed FTD appliance to being managed by FMC?
My FMCv is located in AWS. FTD doesn't support management over VPN easily, if at all. I can only manage my FTD devices from their external interface from specific source IPs.
I have a set of deployed FTD devices in London up and running, managed only by FDM. I need to move the management over to FMCv, but based on previous experiences with FTD, I simply do not trust that these devices won't fail and require significant on-site tech support to recover.
Also, if the management transfer fails, is there any reason I should not be able to still access FDM from the external interface (since you cannot make local changes outside 'Lina')?
There's not currently any Cisco tool or procedure for moving a device configuration from FDM-managed to FMC-managed.
Have you looked into CDO? It can manage multiple FTD devices via their public interface if you use token-based onboarding (6.4 or later) - everything is encrypted in transit via TLS 1.2 as well as at rest. You also get the advantage of object sharing, comparing for inconsistencies, etc.
Yes, I've been trying to test-drive CDO for 4 months now. I'm not kidding when I say it seems nobody at Cisco understands how to set this up for me. I've gained access to the CDO Okta portal, but I can never get beyond that without going into a fruitless "request access" loop between the portal and the Cisco CDO agents. Nobody seems to have been trained on any of it, and the agents take well over a week to get back to me at times.
I'd also like to add that the "support" link in the CDO welcome portal connects to a mailbox that is no longer monitored. This scares me as a customer, because if that doesn't work, what other major details of CDO have been overlooked?
I've found it to be pretty stable and useful. But I have the advantage of being in a beta program and thus have the ear of the beta manager who has access to the developers for the harder questions.
Are you unable to onboard any devices?
Hi Brian: Appreciate the patience, and per our discussion this AM you are now in CDO. If you run into an issue again, please send a note to email@example.com and I will get it addressed for you. Note you can also launch support directly from CDO by going to the "?" in the top right of the page and hitting Support.
CDO - Business Development Manager
Cisco Defense Orchestrator