Migrate from FTD for KVM to FTD for VMWare

Valkyrie3
Level 1

I have a pair of ENCS-based Cisco firewalls which I want to replace with ESXi-based Cisco firewalls. I'd thought I could break the HA on the ENCS firewalls, build the HA with an ENCS firewall and an ESXi firewall to set up the ESXi firewall, then break and recreate the HA again on the second ESXi firewall. However, that won't work as you can't create the HA cluster with the mixed ENCS and ESXi firewalls.

I'm planning to configure one of the new ESXi firewalls with the settings from the current HA cluster, build an HA cluster with the two ESXi firewalls, then disable the network interface on the current HA cluster and enable them on the new HA cluster to switch over to them. That way, if there are any problems with the new firewalls, I can fall back to the original HA cluster.

Is there a better way to do this?

Thanks

Edit - I've gone ahead and built the new firewalls alongside the existing ones, then configured and moved everything over. Fingers crossed, everything seems to be working.

3 Replies

The method you've described of setting up the new ESXi-based firewalls in parallel, and then switching over the network interfaces seems to be a feasible approach, given the restrictions of not being able to create an HA cluster with mixed ENCS and ESXi firewalls.

However, let's focus on a couple of key aspects:

1. **Configuration Baseline**: Before you begin, ensure you have a complete backup and documentation of your current network environment. This will help you compare and validate the new environment setup.

2. **Testing**: Test the ESXi firewalls and their settings thoroughly before making the switch. Any problems that arise after the switch will be harder to troubleshoot.

3. **Rollback Plan**: Keep the original ENCS firewalls in place for a period of time until you are confident that the new setup is stable. This will allow you to revert to the original setup if anything goes wrong.

4. **Monitor**: After the switch, monitor the new environment closely for any anomalies or performance issues.

Remember that changes in infrastructure often uncover underlying issues that were previously hidden. Be prepared for some troubleshooting and fine-tuning after the switch. Thus, your approach seems to be suitable considering the details provided.

Additionally, Cisco provides detailed documentation for replacing firewalls, which can provide further information on this topic. If you want me to search for some resources, let me know.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

balaji.bandi
Hall of Fame

I would prefer to have a new HA cluster and move the backup config and restore it on the new cluster offline.

Compare and verify the config - in the maintenance window (cut over to new) - by taking the OLD FW offline.

BB


This is what I did, if I'm understanding you correctly. I built the new HA cluster and kept it disconnected until I was happy with the setup, then disabled the original HA cluster and connected the new one. I don't think it's possible to back up the ENCS firewall and transfer the config to the ESXi firewall, as the FMC doesn't support backing up the ENCS firewalls, so I think I'd have to configure the new ones manually anyway.

All seems to be running fine so far, fingers crossed it stays that way.
