Migrate Firepower Management Center from one global domain to multiple domains

mAineAc
Level 1
I am trying to move to multi-tenancy with our Firepower system because it has been decided that different groups need different access at this point. I have not been able to find much documentation on migrating this way. I do see that I need to remove all of the VPN connections before I can even begin. But I was wondering what the best approach would be on the initial migration. Do I migrate all devices into one leaf, then create a second leaf and migrate the devices that I want to separate into the new leaf? Or do I create two leaves and then migrate the devices to them? I don't think that I can do that because once there is a leaf, from my understanding of the documentation, you can't have any devices in Global. Or is it preferred to create both leaves at the same time and put the devices you want in each one? Another point is on the remote access VPN: can I just remove the assignment for the device and re-add it after the migration? And can I just remove the device assignments on the site-to-site VPN configs and re-add the devices after? Can I wait on deploying everything until after the full migration of the system to multi-tenancy, or do I need to do it in steps? And if I need to do it in steps, where do I need to deploy the changes and at what times?
2 Replies

ida71
Level 1

I found this request for enhancement https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi31505 to move objects between domains to make migration possible with a minimum amount of pain.

I'm trying to move to multi-tenancy to allow an admin in each domain separately and have a TAC case with Cisco, as there does NOT appear to be any documentation on how to achieve this. Looks like Cisco expected that decision to be made when the FMC is built.

Anyone have any info on this?

jacobacci
Level 1

Same problem here: I used the firewall migration tool to migrate the configuration of an ASA to an FTD in a leaf domain; that correctly created hundreds of objects and object groups in the leaf domain. Then I installed another FTD in another leaf domain, hoping to recycle some of the object definitions from the first leaf domain, but I discovered that there was no easy way to move object (and group) definitions from a leaf domain to the Global domain.

I opened a TAC case and they gave me a few alternatives, none of them easy:

- use the API explorer in order to GET definitions from one domain and paste them into the POST endpoint for creating them in another domain: it works fine for simple objects (one at a time), but not for groups, or groups containing other groups

- dump the policy into a fictitious ASA configuration, edit it by hand, cleaning out everything that is not needed, and re-import it into another domain with the firewall migration tool... officially, importing a configuration edited by hand is not supported, and you may need to create a fictitious FTDv to use as a target for the import

- write a program for selectively dumping object definitions from one domain, re-creating the objects in the global domain via API, modifying pointers, etc... I'm actually following this way, but it will take days to produce a good tool, able to cope with nested groups, objects shared between groups, and so on... I wonder if anybody already wrote something similar
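The third alternative above (dump objects from one domain, re-create them in another, fix the pointers) is mostly an ordering problem: a group can only be POSTed once every member it references already exists in the destination domain, and its member references must then point at the destination copies rather than the source IDs. The following is an added example, not code from the poster or from Cisco. It assumes the object shape the FMC REST API returns on GET (an `id`, `name`, `type`, and for network groups an `objects` list of `{type, id, name}` member references plus optional `literals`); the `SOURCE_OBJECTS` dump is constructed sample data, and `create` is a stand-in for the real POST to the destination domain's `/object/networks` or `/object/networkgroups` endpoint. It orders objects by dependency (nested groups after their members), creates each shared member exactly once, rewrites member IDs, and refuses to proceed on a reference cycle or a member that is missing from the dump.

```python
"""Replicate FMC network objects and nested groups across domains in
dependency order, rewriting member references to the destination's IDs.

Added example; not Cisco's or the poster's code. Assumes the FMC REST API
object shape (id/name/type; groups carry an "objects" member list and
optional "literals"). `create` is where a real POST would go.
"""
from typing import Callable, Dict, List, Tuple

FmcObject = Dict[str, object]

# Fields the FMC returns on GET that must not be echoed back on POST.
READ_ONLY_KEYS = {"id", "metadata", "links"}

# Constructed sample: what a GET of the source (leaf) domain might return.
SOURCE_OBJECTS: List[FmcObject] = [
    {"id": "src-host-1", "type": "Host", "name": "web01", "value": "10.0.0.10"},
    {"id": "src-host-2", "type": "Host", "name": "web02", "value": "10.0.0.11"},
    {"id": "src-net-1", "type": "Network", "name": "dmz", "value": "10.0.1.0/24"},
    {"id": "src-grp-web", "type": "NetworkGroup", "name": "web-servers",
     "objects": [{"type": "Host", "id": "src-host-1", "name": "web01"},
                 {"type": "Host", "id": "src-host-2", "name": "web02"}]},
    {"id": "src-grp-all", "type": "NetworkGroup", "name": "all-internal",
     "objects": [{"type": "NetworkGroup", "id": "src-grp-web", "name": "web-servers"},
                 {"type": "Network", "id": "src-net-1", "name": "dmz"},
                 {"type": "Host", "id": "src-host-1", "name": "web01"}],  # shared with web-servers
     "literals": [{"type": "Network", "value": "192.168.0.0/16"}]},
]


def member_ids(obj: FmcObject) -> List[str]:
    """IDs of the objects a group references (literals carry no ID)."""
    return [m["id"] for m in obj.get("objects", [])]


def dependency_order(objects: List[FmcObject]) -> List[FmcObject]:
    """Order objects so that every group comes after all of its members.

    Depth-first post-order over the member graph. Raises ValueError on a
    reference cycle or on a member that is not present in the dump.
    """
    by_id = {o["id"]: o for o in objects}
    ordered: List[FmcObject] = []
    state: Dict[str, int] = {}  # 1 = on the current DFS path, 2 = finished

    def visit(oid: str, path: List[str]) -> None:
        if state.get(oid) == 2:
            return  # already emitted (shared members are created once)
        if state.get(oid) == 1:
            raise ValueError("reference cycle: " + " -> ".join(path + [oid]))
        if oid not in by_id:
            raise ValueError(f"{path[-1]} references {oid}, which is not in the dump")
        state[oid] = 1
        for mid in member_ids(by_id[oid]):
            visit(mid, path + [oid])
        state[oid] = 2
        ordered.append(by_id[oid])

    for obj in objects:
        visit(obj["id"], [])
    return ordered


def post_body(obj: FmcObject, id_map: Dict[str, str]) -> FmcObject:
    """Build the POST body for the destination domain: drop read-only
    fields and point every member reference at the destination's copy."""
    body = {k: v for k, v in obj.items() if k not in READ_ONLY_KEYS}
    if "objects" in obj:
        body["objects"] = [{"type": m["type"], "id": id_map[m["id"]], "name": m["name"]}
                           for m in obj["objects"]]
    return body


def replicate(objects: List[FmcObject],
              create: Callable[[FmcObject], FmcObject]) -> Dict[str, str]:
    """Create every object in the destination in dependency order.

    `create` must POST the body and return the created object including
    its new id. Returns the source-id -> destination-id map.
    """
    id_map: Dict[str, str] = {}
    for obj in dependency_order(objects):
        created = create(post_body(obj, id_map))
        id_map[obj["id"]] = created["id"]
    return id_map


def make_fake_fmc() -> Tuple[Callable[[FmcObject], FmcObject], Dict[str, FmcObject]]:
    """Stand-in for the destination FMC: stores bodies and hands out IDs."""
    store: Dict[str, FmcObject] = {}

    def create(body: FmcObject) -> FmcObject:
        new_id = f"dst-{len(store) + 1}"
        store[new_id] = {**body, "id": new_id}
        return store[new_id]

    return create, store


if __name__ == "__main__":
    create, store = make_fake_fmc()
    for src, dst in replicate(SOURCE_OBJECTS, create).items():
        print(f"{src} -> {dst}: {store[dst]['name']}")
```

In a real run, `create` would hold the authenticated POST (host, token, and destination domain UUID come from your own FMC) and should also handle the name-conflict response if an object of the same name already exists in the target domain, mapping to the existing ID instead of failing. Creating in the Global domain makes the objects visible to every leaf; rules in the source leaf still point at the leaf copies until they are re-pointed and deployed.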
