Migrate Production FMCv on ESXi to Hyper-V

paultribe
Level 1

I have a customer who has a single FMCv that is managing 4 x FTD 4115 appliances. The customer is using the FTD 4k's as follows:

1 HA pair for Firewall functionality only with Threat so config includes:- Interfaces, Static Routes, Objects, ACLs, NAT and IPS.

2 HA pair for Mainly VPN functionality so config includes:- Interfaces, Static Routes, Objects, ACL, NAT, RA VPN (IPSec & TLS/SSL), 40 x S2S VPNs policy based.

The customer wants to migrate their FMCv on ESXi to Hyper-V and I am concerned about how I can migrate all the static routes, RA VPN config and S2S VPN configs. When they originally migrated from ASA to FTD about 5 years ago there was no way to easily migrate any of the static route or VPN config. We had to run the ASA and FTD in parallel and migrate the static routes and RA VPN groups x 6 and S2S VPNs x 40 config manually. We would like to avoid this situation this time.

Can anyone suggest the best way we could do this? I have not been able to find any decent migration guide as yet. I wondered if I could set up a 2nd FMCv as Hyper-V on the same version of SW and form a HA pair so we had a HA pair with one ESXi and one Hyper-V, switch peers so the Hyper-V FMCv becomes active, delete the ESXi FMCv then add a 2nd Hyper-V FMCv, but I do not think you can have a HA pair where one is ESXi and the other is Hyper-V.

Can anyone assist me with this question?

5 Replies

balaji.bandi
Hall of Fame

1. I would suggest either using ESXi or Hyper-V for a better usage point of view.

2. As I understand, all of them are already in the FTD Code, which makes it easy to migrate from on-prem FMC to Cloud FMC

3. Install Cloud FMCv with the same version of On Prem and take the backup and restore in Cloud FMCv (make necessary changes of IP address)

4. Take one pair of FTD HA and de-register from On Prem and re-register with Cloud FMCV and do the testing. (Make sure Cloud FMCv can reach on-site FTD - need required access and routing in place to reach each other before you do any work)

5. Then do the testing, make sure all is working as expected.

6. Once that is done, do the other pair the same way

7. Once all stable, remove the On Prem FMC

8. Just in case you need a higher version of FMC, you can upgrade as suggested, as I know 7.6.2-XX is stable as of today.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/m_deploy_the_management_center_virtual_on_hyper_v.html#concept_czf_l1w_3wb

BB


Thanks Balaji - I will consider this option.

Marvin Rhoads
Hall of Fame

This is easy to do although the method is not formally endorsed by Cisco. You can just build a new FMCv on HyperV: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/m_deploy_the_management_center_virtual_on_hyper_v.html

Make it match the current FMCv on ESXi with respect to exact version and content updates (SRU/LSP, VDB and Geolocation database). Then, use the configure-model.sh script as root user in the FMCv CLI expert shell. Tell the script that you are on ESXi and not Hyper-V. Once you have done that you can import a backup from the existing FMCv into the new FMCv. Take the old one offline and change the IP on the new one to match. Confirm all the devices are reachable and managed. Once you have done so, re-run the script to correct the model as a Hyper-V-based FMCv.
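Both replies above hinge on the same precondition: the target FMCv must be on exactly the same software version and content updates (SRU/LSP, VDB, geolocation) as the source before the backup is restored. The script below is an added example, not code from the thread or from Cisco; it pulls the version record from each FMC through the FMC platform REST API (`/api/fmc_platform/v1/auth/generatetoken` and `/api/fmc_platform/v1/info/serverversion`, with the field names `serverVersion`, `sruVersion`, `lspVersion`, `vdbVersion` and `geoVersion` assumed from that API's ServerVersion model; confirm them in your FMC's API Explorer) and reports any mismatch. The sample responses used in `demo()` are constructed so the comparison logic can be exercised offline.

```python
"""Pre-migration check: do source and target FMC run identical software and content?

Added example, not Cisco's code and not from the thread. Endpoint paths and
field names are assumed from the FMC platform REST API; verify against the
API Explorer of the deployed release. TLS verification stays on by default;
pass the FMC's CA bundle via cafile instead of disabling it.
"""
import base64
import json
import ssl
import urllib.request

# Fields the thread says must match before restoring the backup (assumed names).
VERSION_FIELDS = ("serverVersion", "sruVersion", "lspVersion", "vdbVersion", "geoVersion")


def _ssl_context(cafile=None):
    """Default context verifies the server cert; an internal CA bundle can be supplied."""
    return ssl.create_default_context(cafile=cafile)


def get_token(host, user, password, cafile=None):
    """Obtain an X-auth-access-token from an FMC (assumed endpoint)."""
    url = f"https://{host}/api/fmc_platform/v1/auth/generatetoken"
    req = urllib.request.Request(url, method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=_ssl_context(cafile)) as resp:
        return resp.headers["X-auth-access-token"]


def fetch_server_version(host, token, cafile=None):
    """GET the serverversion record (assumed endpoint) and return the parsed JSON."""
    url = f"https://{host}/api/fmc_platform/v1/info/serverversion"
    req = urllib.request.Request(url)
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=_ssl_context(cafile)) as resp:
        return json.load(resp)


def extract_versions(payload):
    """Reduce a serverversion response to the fields that matter for the restore."""
    item = payload["items"][0]
    return {k: item.get(k) for k in VERSION_FIELDS}


def compare_versions(source, target):
    """Return human-readable mismatches; an empty list means the restore precondition holds."""
    return [
        f"{k}: source={source.get(k)} target={target.get(k)}"
        for k in VERSION_FIELDS
        if source.get(k) != target.get(k)
    ]


def check_pair(source_host, target_host, user, password, cafile=None):
    """Live check of two FMCs; returns the mismatch list (network access required)."""
    src = extract_versions(fetch_server_version(source_host, get_token(source_host, user, password, cafile), cafile))
    dst = extract_versions(fetch_server_version(target_host, get_token(target_host, user, password, cafile), cafile))
    return compare_versions(src, dst)


# Constructed sample responses (not real FMC output) for offline demonstration.
SAMPLE_SOURCE = {"items": [{"type": "ServerVersion", "serverVersion": "7.6.2 (build 100)",
                            "sruVersion": "2025-01-01-001-vrt", "lspVersion": "lsp-rel-20250101",
                            "vdbVersion": "build 400", "geoVersion": "2025-01-01-001"}]}
SAMPLE_TARGET_STALE = {"items": [{"type": "ServerVersion", "serverVersion": "7.6.2 (build 100)",
                                  "sruVersion": "2024-12-01-001-vrt", "lspVersion": "lsp-rel-20250101",
                                  "vdbVersion": "build 399", "geoVersion": "2025-01-01-001"}]}


def demo():
    """Compare the constructed samples; the stale target differs in SRU and VDB."""
    return compare_versions(extract_versions(SAMPLE_SOURCE), extract_versions(SAMPLE_TARGET_STALE))


if __name__ == "__main__":
    for line in demo() or ["all version fields match"]:
        print(line)
```

Run `check_pair()` against the ESXi source and the freshly built Hyper-V target with a read-only API account; only proceed to the backup restore once it returns an empty list, and re-run it after applying any missing content update.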

Thank you for your response Marvin - I have a question. Rather than take the old one offline; as the old one is stand-alone, would it be possible to make the new one the old one's "HA mate", complete the sync-up etc., then switch peers so the new Hyper-V becomes active, and then remove the old ESXi device?

This is what I had hoped I could do but thought it was not supported, as I was not aware you could "tell" the "basic setup script" that the system is in effect ESXi.

Secondly, if we tell the config script we are ESXi, how would this affect future upgrades and patches? Would we need to use ESXi rather than HV?

You only fool the new system to make it identify as ESXi during the restore operation, so it's only that way for an hour or so. Once it's working, you make it the "correct" VM type once again.

Upgrades and patches to FMCv are not platform-specific in any event.

I would not try to make the two dissimilar FMCs into HA. It might work but you would be even further out on a limb with that approach. I've certainly never tried it. I have used the other approach successfully in production 4-5 times over the years.
