General steps to migrate to a new Cisco Firepower hardware model

wflai
Level 1

I have Firepower Management Center (FMC) 2600 managing Cisco Firepower 4150 (which will be end of life by August 2025) and my employer has purchased the Firepower 3140 as the replacement.  

I talked to Cisco sales a few months ago and they said the migration from Firepower 4150 to Firepower 3140 should be straightforward as they said I can re-use items/objects/policies in my FMC 2600 such as Access Control policy and NAT Policy.

I will be receiving the new Firepower 3140s in a few weeks and I plan on doing the migration during the last week of this year.  I will open a Cisco technical support case to assist with this Firepower 4150 to Firepower 3140 upgrade but I am having some worries of how much downtime and issues that I might encounter--has anyone out there done this type of migration? If yes, how did it go?  Thanks.

1 Accepted Solution

@wflai The LevelUp program mentioned by @ckleopa is a great idea. I had forgotten about that current offer. I am sure they will offer you some detailed guidance.

I suggest the later versions to give you the best currently available feature set and stability. Nothing there specifically advantageous to the migration tasks but overall they are a better choice.

The SSL VPN certificate with private key can indeed be rekeyed for use on the new 3140.

The Access Policy and NAT Policy can simply be associated with your new pair, so that part is the easiest.

Hypothetically, with a little bit of planning, you could have most of the configuration pre-prepped, and then re-assign ACP, NAT, S2S & Remote-access to the new pair and swap cables (or do shut/no-shut on the adjacent switches) with minimal downtime and easy fallback.

I haven't migrated to/from those exact models, but I've done a few migrations over the last year, (mostly 2k to 3k) and they've been pretty straightforward most of the time.

Hopefully the 4150 is in a relatively recent software version (same or close to what the 3140 will be in), and not something really old.

 

Thanks for your reply Jonatan; my Firepower 4150 and FMC 2600 are currently running FTD version 6.6.7.2 and in late December I will upgrade my FMC 2600 to FTD version 7.2.9 (this version will support my Firepower 4150 and Firepower 3140). I will be sure to include all the items you mentioned in your reply when I create a Cisco technical support case in December.

balaji.bandi
Hall of Fame

Is this an FTD-only migration, or is the FMC also migrating to a new model?

Since the FMC holds all the information as mentioned, that should be straightforward.

Build offline, register with the FMC and test it, since the old one is still live and working.

FTD check:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/migration/threat-defense/b_secure-firewall-threat-defense-model-migration.html

FMC check here :

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc_model_migration/b_FMC_Model_Migration_Guide/m_fmc_migration_workflow.html

 

BB

Thanks Balaji for your reply; I am only migrating my FTD (from 4150 to 3140).  Your link to "Cisco Secure Firewall Threat Defense Model Migration Guide, Version 7.4" is quite useful.  I hope that Cisco technical support can provide me similar steps/guidelines when I migrate from Firepower 4150 to 3140.

The FTD Model Migration tools built into FMC 7.4+ do NOT apply to 4150 to 3140 migrations at this time.

I would do this as follows:

1. Update the FMC 2600 to 7.2.9

2. Upgrade the 4150 to 7.2.9. This will require an outage of ~1 hour.

3. Upgrade FMC to 7.6 (or 7.4.2.1 at least).

4. Onboard the 3140 to your FMC and upgrade it to match the FMC version. Leave all data interfaces shutdown at this time.

5. Configure the device settings (interfaces, IP addresses, routing, etc.) to match the 4150.

6. Plan an outage to change the association of Access Control Policy, NAT policy, platform settings and any VPNs (site-site and remote access) to the 3140. Disconnect the data interfaces of the 4150 in favor of the matching ones on the 3140 at this time. This will be your second outage, probably closer to 2 hours. I would advertise 4 hours just to cover any troubleshooting and possible backup scenario.

7. Make sure you have good backups of the FMC at each major step.
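
A pre-cutover parity check for steps 4 to 6 above, as an added example that is not part of the original post: it compares the old and new devices by logical interface name, security zone, address and static routes, and flags any data interface on the new device that is already enabled. The dictionary layout, field names and addresses are assumptions (constructed sample data, not FMC output).

```python
import ipaddress

# Constructed sample inventories (documentation addresses); layout is hypothetical.
OLD_4150 = {
    "interfaces": {
        "outside": {"ip": "203.0.113.2/29", "zone": "outside-zone"},
        "inside": {"ip": "192.0.2.1/24", "zone": "inside-zone"},
        "dmz": {"ip": "198.51.100.1/24", "zone": "dmz-zone"},
    },
    "routes": [
        {"dest": "0.0.0.0/0", "via": "203.0.113.1", "ifname": "outside"},
        {"dest": "10.20.0.0/16", "via": "192.0.2.254", "ifname": "inside"},
    ],
}
NEW_3140 = {
    "interfaces": {
        "outside": {"ip": "203.0.113.2/29", "zone": "outside-zone", "enabled": False},
        "inside": {"ip": "192.0.2.1/25", "zone": "inside-zone", "enabled": True},
    },
    "routes": [{"dest": "0.0.0.0/0", "via": "203.0.113.1", "ifname": "outside"}],
}

def route_set(dev):
    # Normalise destinations so equivalent prefixes compare equal.
    return {(str(ipaddress.ip_network(r["dest"])), r["via"], r["ifname"]) for r in dev["routes"]}

def parity_report(old, new):
    """List differences that would bite when policies are re-assigned to `new`."""
    findings = []
    for name in sorted(set(old["interfaces"]) | set(new["interfaces"])):
        o, n = old["interfaces"].get(name), new["interfaces"].get(name)
        if o is None or n is None:
            findings.append(f"interface {name}: missing on {'old' if o is None else 'new'} device")
            continue
        if ipaddress.ip_interface(o["ip"]) != ipaddress.ip_interface(n["ip"]):
            findings.append(f"interface {name}: address {o['ip']} != {n['ip']}")
        if o["zone"] != n["zone"]:
            findings.append(f"interface {name}: zone {o['zone']} != {n['zone']}")
        if n.get("enabled", False):  # step 4: data interfaces stay shut until cutover
            findings.append(f"interface {name}: enabled before cutover")
    for dest, via, ifname in sorted(route_set(old) - route_set(new)):
        findings.append(f"route {dest} via {via} ({ifname}): missing on new device")
    for dest, via, ifname in sorted(route_set(new) - route_set(old)):
        findings.append(f"route {dest} via {via} ({ifname}): not present on old device")
    return findings

if __name__ == "__main__":
    for line in parity_report(OLD_4150, NEW_3140):
        print(line)
```

An empty report before the outage window means the re-assigned Access Control and NAT policies will find the same zones and logical interfaces they reference today.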

Thank you Marvin for the detailed response, here's my follow-up:

A) I was thinking of upgrading my FMC 2600 only to 7.2.9 to avoid having to spend the time to upgrade my Firepower 4150 (currently on version 6.6.7.2 and FMC at version 7.2.9 is compatible with it).   I did look at the release notes for version 7.6 and I saw some relatively minor new features--do you think there are advantages with my FMC on 7.6 (or 7.4) that would help with the migration from Firepower 4150 to Firepower 3140?

B) My Firepower 4150 does have a GoDaddy SSL certificate (for remote access VPN)--I think there is probably no method to transfer the SSL certificate private key from my Firepower 4150 to 3140 right?  (if not, then I will generate a new CSR on the 3140 and use the GoDaddy rekey certificate procedure).

thanks

Thanks Marvin for the follow-up reply. I did start the LevelUp program recently and I am currently in the process of uploading my FMC 2600 troubleshooting files for analysis. When it gets to the point where I interact with Cisco technical support I will see if indeed I should do the extra steps of upgrading my FMC to 7.4 or 7.6 for added stability (and especially if it helps with the Firepower 4150 to 3140 migration).

ckleopa
Cisco Employee

Have you looked into this program from Cisco? http://cs.co/LevelUp
