Migrate cisco FTD from series 2000 to series 3000

Amr Ali Mohamed
Level 1

Dears,

We will replace our Cisco FTD box, series 2000, with a new one, series 3000, managed by FMC. Is there any document with steps to make this migration?

1 Accepted Solution

Accepted Solutions

I have done this a few times and it is not difficult. For this process you will only need a unique IP for the management interface. Here is what I did.

  1. Install the FTD in the rack and connect only the management interface to the network. If you will be managing the FTD via the data interface and have available IPs in that network, then connect that interface also.
  2. Duplicate all policy configuration from the old FTD (ACP, NAT, Health, etc.).
  3. Configure all interfaces and assign those interfaces to their respective security zones.
  4. Configure routing.
  5. Configure VPN (if needed).
  6. Associate the policies you duplicated earlier to the new FTD.
  7. Deploy the configuration to the FTD.
  8. Move cables from the old FTD to the new FTD.
  9. Test.
  10. If there are issues during testing, move the cables back to the old FTD while fixing them, to limit downtime.
--
Please remember to select a correct answer and rate helpful posts


4 Replies

Here's an extremely high level of how I would do it:

  1. Configure management interface
  2. Assign temporary interface IPs or don't connect data interfaces into the network yet, configure all routing platform settings, etc.
  3. Assign the same policies to the 3100 as the previous box.
  4. Schedule a time to perform a hot cut as appropriate.

I don't have any documentation at hand for this, sorry, but I think the latest Cisco firewall migration tool would allow you to migrate from FTD to FTD; you could explore that as an option. However, as mentioned by @ahollifield, the easiest way would be to stage the new firewall with all the initial settings, then register it to the FMC and apply all the required policies to it. One thing to keep in mind is that if you have any packages/profiles such as AnyConnect/Secure Client installers/profiles on the 2000 firewall, then you would need to move those to the 3000 firewall. Also, if you have identity certificates on the 2000, then you would need to regenerate those for the 3000 firewall.
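A pre-cutover parity check covering the accepted solution's steps 2 to 6 (policies, interface zones, routing, VPN) plus the certificate and Secure Client package point raised in the reply above. This is an added example, not from either poster or from Cisco; the two device dictionaries are constructed sample data loosely modelled on what FMC shows per device, not real FMC exports.

```python
"""Pre-cutover parity check between the old (2000) and new (3000) FTD."""

# Constructed sample data, not a real FMC export.
OLD_FTD = {
    "policies": {"AccessPolicy": "Corp-ACP", "NatPolicy": "Corp-NAT",
                 "HealthPolicy": "Default Health"},
    # Logical interface name -> security zone. Physical port names differ
    # between the two chassis, so they are deliberately not compared.
    "interfaces": {"outside": "zone-outside", "inside": "zone-inside",
                   "dmz": "zone-dmz"},
    # (prefix, logical interface) -> next hop
    "routes": {("0.0.0.0/0", "outside"): "203.0.113.1",
               ("10.20.0.0/16", "inside"): "10.10.0.254"},
    "vpn": {"certificates": {"vpn-identity-cert"},
            "packages": {"secure-client-win.pkg", "secure-client-mac.pkg"}},
}

# The new box part-way through staging: NAT policy not yet assigned, dmz not
# yet created, identity certificate and one client package still missing.
NEW_FTD = {
    "policies": {"AccessPolicy": "Corp-ACP", "HealthPolicy": "Default Health"},
    "interfaces": {"outside": "zone-outside", "inside": "zone-inside"},
    "routes": {("0.0.0.0/0", "outside"): "203.0.113.1",
               ("10.20.0.0/16", "inside"): "10.10.0.254"},
    "vpn": {"certificates": set(), "packages": {"secure-client-win.pkg"}},
}


def parity_findings(old: dict, new: dict) -> list[str]:
    """List every item on the old FTD that is absent or different on the new one."""
    findings = []
    for kind, name in old["policies"].items():
        found = new["policies"].get(kind)
        if found != name:
            findings.append(f"policy {kind}: expected '{name}', found '{found}'")
    for ifname, zone in old["interfaces"].items():
        found = new["interfaces"].get(ifname)
        if found != zone:
            findings.append(f"interface {ifname}: expected zone '{zone}', found '{found}'")
    for (prefix, ifname), nexthop in old["routes"].items():
        found = new["routes"].get((prefix, ifname))
        if found != nexthop:
            findings.append(f"route {prefix} via {ifname}: expected {nexthop}, found {found}")
    for kind, names in old["vpn"].items():
        for missing in sorted(names - new["vpn"].get(kind, set())):
            findings.append(f"vpn {kind}: '{missing}' not present on new FTD")
    return findings


def ready_for_cutover(old: dict, new: dict) -> bool:
    """Only move the cables (step 8) once nothing is missing."""
    return not parity_findings(old, new)
```

Run it with the constructed data and it reports four gaps (NAT policy, dmz zone, the identity certificate and one client package); swap in the real inventories of both devices to get a go/no-go for the cutover window.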


Marvin Rhoads
Hall of Fame