09-14-2021 07:55 AM
Would anybody know if there is a "General" integration/migration guide for replacing ASAs with FTDs?
Thanks in Advance
09-14-2021 09:01 AM
Hope this helps you: (there is a migration tool for ASA to FTD).
09-14-2021 09:05 AM
Greetings,
This guide is very helpful: "Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool"
Read the section which does an example walkthrough of an ASA to FTD 2100 migration, "Migrating ASA to Firepower Threat Defense 2100 - An Example"
The migration tool itself is only as good as the configuration of the ASA it's migrating from. Most of my customers are extremely skittish about removing any access lines, but the migration is an opportunity to get rid of all those unused configurations.
In my experience, if you over-plan the migration, it tends to go much smoother than doing it on the fly. Good luck and I hope this helps.
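The cleanup suggested in the post above can start from ACL hit counts. The following is an added example, not part of the original post or of Cisco's migration tool: it lists access-list entries with zero hits from ASA `show access-list` output. The sample output and the function name are constructed for illustration.

```python
import re

# Constructed sample of ASA `show access-list` output (not taken from the thread).
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list OUTSIDE_IN; 5 elements; name hash: 0x1a2b3c4d
access-list OUTSIDE_IN line 1 remark web servers
access-list OUTSIDE_IN line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=18234) 0x0a1b2c3d
access-list OUTSIDE_IN line 3 extended permit tcp any object-group OLD_APP eq 8080 (hitcnt=0) 0x1b2c3d4e
  access-list OUTSIDE_IN line 3 extended permit tcp any host 192.0.2.21 eq 8080 (hitcnt=0) 0x2c3d4e5f
  access-list OUTSIDE_IN line 3 extended permit tcp any host 192.0.2.22 eq 8080 (hitcnt=0) 0x3d4e5f60
access-list OUTSIDE_IN line 4 extended permit udp any host 192.0.2.53 eq domain (hitcnt=0) (inactive) 0x4e5f6071
access-list OUTSIDE_IN line 5 extended deny ip any any (hitcnt=402) 0x5f607182
"""

# Matches one ACE line: ACL name, line number, rule text, hit count, trailing flags/hash.
ACE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<rule>(?:extended|standard) .*?) \(hitcnt=(?P<hits>\d+)\)(?P<rest>.*)$"
)


def zero_hit_aces(show_output):
    """Return (acl, line_no, rule, inactive) for top-level ACEs with hitcnt=0."""
    found = []
    for raw in show_output.splitlines():
        # Indented lines are object-group expansions; the parent line carries
        # the aggregate count, so only the parent is reported.
        if raw[:1].isspace():
            continue
        m = ACE.match(raw)  # remark and header lines have no hitcnt and do not match
        if m and int(m["hits"]) == 0:
            inactive = "(inactive)" in m["rest"]
            found.append((m["acl"], int(m["line"]), m["rule"], inactive))
    return found


if __name__ == "__main__":
    for acl, line_no, rule, inactive in zero_hit_aces(SAMPLE):
        note = " [already inactive]" if inactive else ""
        print(f"{acl} line {line_no}: {rule}{note}")
```

Hit counters start over after a reload or when they are cleared, so a zero count marks an entry for review with its owner, not for automatic removal.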
09-14-2021 09:56 AM
Thanks cybergeezer,
I do use Firepower Services with my ASA 5515x's so I downloaded the guide for that. But thanks for the direction. I have a couple more questions.
1.) Since we are already using an FMC (Virtual) can I migrate my ASA 5515x config to the production FMC even if I don't have my FTDs powered up yet? Or should I power up the FTDs and give them testing IP addresses and connect them to the FMC first?
2.) Since my Firewalls are in Active/Standby failover, should I set up the failover wiring on the FTDs first as well?
Thanks
09-14-2021 01:24 PM
1. I prefer to migrate the configuration to a staged FTD with the interfaces shut down or disconnected. That's the most accurate and full-featured scenario.
2. Migrate only the active ASA firewall to FTD. The HA bits are not supported by the migration tool, so you will add the second unit manually in FMC and set up the failover interface etc. there. Once the new pair of FTD appliances is joined in an HA pair, all of the bits you migrated from the ASA will synchronize.
09-14-2021 01:43 PM
Thanks Marvin,
1. I prefer to migrate the configuration to a staged FTD with the interfaces shut down or disconnected. That's the most accurate and full-featured scenario.
So I should spin up both of my FTDs (with alternate IP addresses) and get them registered in the FMC? I know I am only going to migrate my active ASA to the FTD as stated below.
2. Migrate only the active ASA firewall to FTD. The HA bits are not supported by the migration tool, so you will add the second unit manually in FMC and set up the failover interface etc. there. Once the new pair of FTD appliances is joined in an HA pair, all of the bits you migrated from the ASA will synchronize.