Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
449
Views
0
Helpful
3
Replies

FTD impact of migrating FMC from VMWare to AWS

szymonsikorski
Level 1
Level 1

‎04-15-2025 01:20 PM - edited ‎04-15-2025 01:21 PM

Hey,

We have a production FMC running in VMWare that needs migrating to AWS. Having looked through a bunch of docos and peoples posts on this community and Reddit, it seems migrating FMC is just as painful as the actual product itself. As far as I could find I have three option:
1) Import and export - Not suitable as doesn't export objects, certificates, remote access config and much more.
2) Backup restore - apparently only to be used for disaster recovery and doesn't work cross model (VMWare and AWS are different models)
3) Model migration script - Doesn't support migrating from VMWare to AWS

As none of the above seemed suitable for our use case, I searched the web and seen that people said tricking an FMC to think its a different model allows to restore from backup so I didnt he following:

1) Deployed FMC on AWS
2) Blocked it from talking to the FTDs on the management port as to avoid any issues with having 2 FMCs online
3) Ran the '/var/sf/etc/model-info/configure-model.sh' script and tricked the AWS model to think its VMWare model.
4) Backed up the production VMWare FMC
5) Uploaded the WMware FMC backup to the AWS FMC which thinks its VMWare
6) Restored AWS FMC from backup
7) Changed the AWS FMC back to AWS model by running the script again
Changed the AWS FMC back to its AWS allocated IP address instead of the one restored from backup

I don't have much experience with FTD and FMC so I'm not sure what happens when I allow the AWS FMC to talk to the FTDs and shut down the VMWare one. It's technically been restored from backup but obviously I messed around with the models and on top of that the FMC has a different IP address (unfortunately it has to). I'm wondering if anybody has done a similar thing and noticed if they need to reregister the firewall or whether there was any downtime observed.

Our FMC version is 7.2.5

Any help would be hugely appriciated!

0 Helpful
3 Replies 3

ahollifield
VIP
VIP

‎04-16-2025 06:37 AM

Why 7.2 and not 7.4 or 7.6? Also yes, there are ways to "hack" the migration scripts. Just note they have no support from Cisco.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-21-2025 08:11 AM

I did this about 2 years ago when moving from an op-premise FMC 4500 to an AWS FMCv300. In my case we removed the device from the on-prem FMC and registered it anew on the AWS instance and restored a device backup. It may have been a bit more than necessary, but we wanted to make doubly sure that nothing was missed as we were moving over about 50 production firewalls.

0 Helpful

Sheraz.Salim
VIP Alumni
VIP Alumni

‎04-21-2025 11:15 AM

Please consider following the advice of @Marvin Rhoads. He has assisted many, including myself, with the migration of the FMC100 and brings valuable expertise to this community.

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card