FTD 4100 to 4200 migration in FMC

ben.levin1 · ‎06-03-2025

Hi all. I'm trying to migrate an FMC-managed FTD 4125 HA pair to a pair of FTD 4215s. FMC and all of the FTDs are running 7.4.2.1.

Is there any way to migrate the FTD interfaces, routing, etc over to the 4215s? I talked to the TAC and they told me to use the migration wizard in FMC. However, this only seems to support 1100s and 2100s to 3100s, and when we run the wizard, the 4125s don't show up. I was also going to try to use the push config option but that gives me an error that the models and interfaces don't match.

If there's no way to do this, we're going to have to do it manually, which would be time consuming.

Thanks.

Marvin Rhoads · ‎06-03-2025

4100 series model migration will be introduced in the next major release of FMC this fall (target ca. September-October).

For now, the device configuration would need to be manually configured. ACP, NAT, VPN etc. can just be added to the new devices once that first part is done.

ben.levin1 · ‎06-05-2025

Thanks for the info!

m-webster · ‎07-16-2025

Marvin, is this release still coming in September / October? If you could post any links about this release here, that would be great.

KR

M

m-webster · ‎07-16-2025

for reference, I need the migration tool to migrate from 4120 to 4125.

Thanks

Marvin Rhoads · ‎07-16-2025

@m-webster 4120 to 4125 will not be a natively supported migration path. You would have to build the device configuration fresh for the 4125 and then assign the ACP, NAT, platform policies to the new 4125. Any VPN (S2S and RA) would likewise need to be reconfigured in FMC to point to the new firewall.

More details will be posted when the new release comes out - currently still projected for September / October 2025 but subject to change by Cisco.

m-webster · ‎07-16-2025

Another Q that has come up, can you build the new FTD config on FMC without de registering the old kit? It has come to light that FMC may not like 2 devices (not a HA pair) having the same interface IPs.

Thanks,

Mitch.

Marvin Rhoads · ‎07-17-2025

As long as you are using the management interface for registration and have unique IPs there, you can build the new FTD(s) using the exact same config as the old one(s).

m-webster · ‎07-17-2025

Thanks Marvin

wimorton · ‎09-09-2025

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration-761.html

AhmadAmro · ‎10-11-2025

I am attempting to migrate from an existing FTD 4120 (running version 7.2.10) to a new FTD 4215 (running version 7.4.2). My primary method for this migration is using the "Migrate Threat Defense Devices" feature within Cisco Secure Firewall Management Center (FMC 7.6.2). However, each attempt to perform the migration results in the following error message:
"Threat Defense Model Migration Migration from PL-HQ-FTD-HA cannot proceed because of an internal error. Contact Cisco TAC."

I have already opened a case with Cisco TAC regarding this "internal error," but I'm looking for community insights or similar experiences while awaiting their definitive solution. Migration Tool Failure: The core issue is the persistent "internal error" when using the official migration tool. CLI Restrictions on 7.4.2: Due to increased CLI restrictions in FTD 7.4.2, manually configuring interfaces, routes, and other network settings on the new 4215 directly via the command line is significantly hindered compared to previous versions. This makes a manual configuration approach very difficult.

> system support diagnostic-cli
> enable
Password:
# conf terminal

ERROR: % Invalid input detected at '^' marker.

Marvin Rhoads · ‎10-13-2025

@AhmadAmro is your FMC at 7.6.2? It was only with FMC 7.6 that 4100 series was added as a source device type (and 4200 series as a target). Is your 4215 a native or multi-instance type configuration? H ave you considered running it with the current suggested release (7.6.2.1)?

The cli restrictions regarding manual configuration have been present with all versions of FTD ever, whether locally-managed or FMC-managed.

AhmadAmro · ‎11-02-2025

@Marvin Rhoads

Is your FMC at 7.6.2? FMC version 7.6.2

Is your 4215 a native or multi-instance type configuration? Native

Have you considered running it with the current suggested release (7.6.2.1)? no current version 7.6.2

The cli restrictions regarding manual configuration have been present with all versions of FTD ever, whether locally-managed or FMC-managed.

Marvin Rhoads · ‎11-03-2025

@AhmadAmro I notice your source appears to be an HA pair. Is your target also already configured as HA?

Assuming you have met all the other prerequisites (link below), then you are best off working with your TAC engineer to resolve the issue. Do please let us know the eventual resolution.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration-761.html#limitations-for-secure-firewall-threat-defense-model-migration

AhmadAmro · ‎11-03-2025

Hello @Marvin Rhoads I’ve completed the upgrade to version 7.6.2.1, but unfortunately, I’m still encountering the same error.

Regarding the prerequisites:

I don’t have a multi-instance setup.
The source is configured as HA.
I had reviewed the prerequisites beforehand and didn’t find any additional steps required in this scenario.

It also seems that TAC support is not very familiar with the migration process—they appear to be troubleshooting it the same way I am