Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1439
Views
5
Helpful
5
Replies

FTD integration guide

Go to solution
ethutchinson
Level 1
Level 1

‎09-14-2021 07:55 AM

Would anybody know if there is a "General" integration/migration guide for replacing ASAs with FTDs?

 

Thanks in Advance

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
cybergeezer
Cisco Employee
Cisco Employee

‎09-14-2021 09:05 AM

Greetings,

 

This guide is very helpful: "Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool"

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/b_Migration_Guide_ASA2FTD_chapter_0111.html

 

Read the section which does an example walk through of an ASA to FTD 2100 migration "Migrating ASA to Firepower Threat Defense 2100 - An Example"

The migration tool itself is only as good as the configuration of the ASA it's migrating from.  Most of my customers are extremely skittish about removing any access lines, but the migration is an opportunity to get rid of all those unused configurations.

 

In my experience if you over plan the migration it tends to go much smoother than doing it on the fly.  Good luck and I hope this helps.

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ethutchinson

‎09-14-2021 01:24 PM

1. I prefer to migrate the configuration to a staged FTD with the interfaces shutdown or disconnected. That's the most accurate and full-featured scenario.

2. Migrate only the active ASA firewall to FTD. The HA bits are not supported by the migration tool so you will add the second unit manually in FMC and setup the failover interface etc. there. Once the new pair of FTD appliances is joined in an HA pair, all of the bits you migrated from the ASA will synchronize.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
cybergeezer
Cisco Employee
Cisco Employee

‎09-14-2021 09:05 AM

Greetings,

 

This guide is very helpful: "Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool"

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/b_Migration_Guide_ASA2FTD_chapter_0111.html

 

Read the section which does an example walk through of an ASA to FTD 2100 migration "Migrating ASA to Firepower Threat Defense 2100 - An Example"

The migration tool itself is only as good as the configuration of the ASA it's migrating from.  Most of my customers are extremely skittish about removing any access lines, but the migration is an opportunity to get rid of all those unused configurations.

 

In my experience if you over plan the migration it tends to go much smoother than doing it on the fly.  Good luck and I hope this helps.

0 Helpful

Go to solution
ethutchinson
Level 1
Level 1
In response to cybergeezer

‎09-14-2021 09:56 AM


Thanks cybergeezer,

 I do use Firepower Services with my ASA 5515x's so I downloaded the guide for that. But thanks for the direction. I have a couple more questions.

1.) Since we are already using an FMC (Virtual) can I migrate my ASA 5515x config to the production FMC even if I dont have my FTDs powered up yet? Or should I power up the FTDs and give them testing IP addresses and connect them to the FMC first.

2.) Since my Firewalls are in Active/Standby failover should I setup the failover wiring on the FTDs first as well?  

 

Thanks

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ethutchinson

‎09-14-2021 01:24 PM

1. I prefer to migrate the configuration to a staged FTD with the interfaces shutdown or disconnected. That's the most accurate and full-featured scenario.

2. Migrate only the active ASA firewall to FTD. The HA bits are not supported by the migration tool so you will add the second unit manually in FMC and setup the failover interface etc. there. Once the new pair of FTD appliances is joined in an HA pair, all of the bits you migrated from the ASA will synchronize.

0 Helpful

Go to solution
ethutchinson
Level 1
Level 1
In response to Marvin Rhoads

‎09-14-2021 01:43 PM

Thanks Marvin,

 

1. I prefer to migrate the configuration to a staged FTD with the interfaces shutdown or disconnected. That's the most accurate and full-featured scenario.

So I should spin up both of my FTDs, (with alternate IP addresses) and get them registered in the FMC? I know I am only going to migrate my active ASA to the FTD as stated below.

2. Migrate only the active ASA firewall to FTD. The HA bits are not supported by the migration tool so you will add the second unit manually in FMC and setup the failover interface etc. there. Once the new pair of FTD appliances is joined in an HA pair, all of the bits you migrated from the ASA will synchronize.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card