Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
5
Helpful
3
Replies

Migrate FTDv to a hardware FTD appliance

Go to solution
Chess Norris
Level 4
Level 4

‎05-19-2022 05:16 AM

Hello,

I have customer that was planning on installing two 2130 and two 2140 FTD appliances, but due to production and delivery issues, we were  forced to install a couple of temporary FTDv. The hardware appliances have now arrived and I'm looking for some advices on how to make this migration with minimal downtime.

I am planning on re-using the ACP and use the same interface zones, but I am not sure how much I can prepare before the actual migration take place. 

 

One of the virtual FTD have a lot of L2L tunnels and I remember it's not possible to remove/delete the virtual appliances from FMC without also deleting the VPN tunnel configuration from the FMC. Could I just swap the local gateway side with the new node and then before removing the virtual appliance from FMC?

 

Can I configure the new  firewalls in FMC with overlapping data interface networks?

 

We want to use the same host name on the new FTDs, but have to use a temporary name until we remove the virtual FTD:s from FMC. Can I just rename the new ones without any issues?

 

I would appreciate some inputs on what I can configure and prepare before the migration and what I need to do after we delete the virtual FTDs from FMC.

 

Thanks

/Chess

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-19-2022 08:19 PM - edited ‎06-01-2022 05:31 AM

The steps you laid out should work fine.

Once you have registered the new appliances you can designate then as the local member of the site-to-site VPN configurations.

You can also configure them with overlapping or even the same IP addresses on the data interfaces. As long as they remain disconnected that will allow you to have everything mostly configured prior to cutover.

Changing host name after the fact is also possible. The name of the managed appliance in FMC is only locally significant (to FMC). The hostname on the device itself can likewise be changed without impacting the rest of the configuration.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-19-2022 08:19 PM - edited ‎06-01-2022 05:31 AM

The steps you laid out should work fine.

Once you have registered the new appliances you can designate then as the local member of the site-to-site VPN configurations.

You can also configure them with overlapping or even the same IP addresses on the data interfaces. As long as they remain disconnected that will allow you to have everything mostly configured prior to cutover.

Changing host name after the fact is also possible. The name of the managed appliance in FMC is only locally significant (to FMC). The hostname on the device itself can likewise be changed without impacting the rest of the configuration.

Go to solution
Chess Norris
Level 4
Level 4
In response to Marvin Rhoads

‎05-19-2022 11:53 PM

Thank you so much, Marvin.

/Chess

0 Helpful

Go to solution
Chess Norris
Level 4
Level 4
In response to Marvin Rhoads

‎06-01-2022 04:26 AM - edited ‎06-01-2022 04:26 AM

Just a follow up. It all went well and no issues changing the local member of the site-to-site VPN configurations.

I think this method  also can be very useful in those case you want to re-image a FTD and you need to unregister it from the FMC. Instead of re-creating all VPN configuration, we could just deploy a FTDv and temporary move the VPN config to this FTD.

 

Thanks

/Chess

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card