Hello,

A client recently purchased a Firepower 2110 to replace an ASA5525-X w/ Sourcefire at one of their locations due to a circuit upgrade and need for more aggregate throughput. They currently utilize Sourcefire for Malware, Intrusion, Geolocation, URL filtering, etc., all managed on the FMC through a single Access Control Policy. Basic filtering, NAT's etc. are maintained on the individual ASA's according to needs for that specific location.

It was a bit shocking to find out the 2110 cannot support Firepower services while also running the ASA code, to do this we need to migrate to FTD code. I've already stood up an FMC with the migration tool and converted configs which produced an output containing a prefilter, NAT and access policy along with associated network, port and interface objects. Hopefully that's enough information to answer some questions:

The goal is to maintain the customers existing experience when using the FMC. Ideally the existing access policy can be nested with the migrated access policy so that any changes the customer makes that are common to all sites would be inherited and pushed globally. Basic filtering, NAT's and other items which are unique per site and previously configured using ASDM would now be made to prefilter and NAT policies in the FMC. My thought was to select the customer's access policy as a "Default Action" for the migrated access policy but when set it throws a warning. So is this the best way to achieve what we're looking for or is there some other way?