Migrating from FTD 9300 to FTD 3100 same FMC

neteng2323
Level 1

We have an existing FTD 9300 running in multi-instance mode. We have a handful of firewalls on this appliance that are managed with FMC. I'd like to migrate the firewalls to a new FTD 3130, but I'm having trouble finding any specific FTD-to-FTD migration steps while keeping an existing FMC. Based on the reading I've done I believe this should be relatively straightforward, but I wanted to ask here to see if someone had experience with this and could add their thoughts and/or a link to relevant documentation.

11 Replies

Marvin Rhoads
Hall of Fame

There's not any Cisco-provided feature to do this automagically.

You would need to onboard your 3130 and configure it with the same interfaces, zones etc. and then change the ACP and NAT etc. from the 9300 to target the 3130 instead.

Ok, thanks for your reply. I can open a new thread for this if that would be better. I've got the 2 new 3130s plugged up and ready for setup. These FWs are on the 7.2 train of firmware. I'm trying to configure multi-instance mode. According to the documentation I should be able to do this via command line by connecting to FTD from FXOS and then issuing the configure multi-instance command. However, on my firewalls that command is not available. I've opened a TAC case for assistance, but if you happen to know, or if I should start a new thread for this, I can do so.

Thank you

@neteng2323 are you saying that when in fxos system scope the command "set deploymode container" is not available? (as described in this document: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/threat-defense/use-case/multi-instance-sec-fw/multi-instance-sec-fw.html#change-chassis-management-settings-at-the-fxos-cli)

I completely missed this in the documentation for some reason. Thank you for the heads up.

neteng2323
Level 1

It is odd set deploymode container isn't step 1 in that document. 

neteng2323
Level 1

@Marvin Rhoads It seems there's something else I'm missing.

I'm not able to commit the changes after changing to deploy mode container. I found another forum post where you suggested the sysopt sam 1001 on, and after doing that I see the following messages. I've included the FXOS version I'm on. What am I missing here? These will be managed via FMC, but according to the documentation multi-instance has to be enabled at the CLI. The error states to make the configuration within FTD (connect ftd), but there is no multi-instance configuration option in FTD. I've opened a TAC case, but have not received much help yet.

firepower# sysopt sam 1001 on
WARNING: FXOS configuration changes are experimental and are NOT supported.
WARNING: All FXOS changes can be overwritten on next policy deployment.
FXOS option 1001 was enabled.
firepower# scope system
firepower /system # set de
deploymode description
firepower /system # set deploymode container
firepower /system* # commit-buffer
Warning: Changes not supported. use: 'connect ftd' to make changes.
Error: Update failed: [Multiple Instance feature is not supported in this version.]
firepower# show version
Version: 2.12(1.73)
Startup-Vers: 2.12(1.73)

I guess I should dig into this version since that is what the error is telling me. It would be surprising if FTD 3130s ship with FXOS code that doesn't support multi-instance since that feature has been around for a long time. I was assuming that error means something else, but it isn't clear.

neteng2323
Level 1

Found this on YouTube. So that appears to be my answer, as the FTD version these (brand new) 3130s shipped with is 7.2.8. Frustrating.

[Screenshot: Screenshot 2024-12-05 at 11.29.40 AM.png]

Ah there you go. Once you upgrade, you can change the mode.

I sometimes find it useful to run the upgrade for a new box from FDM and then switch over to FMC once it's at the target version. I would suggest 7.6 if you don't already have your FMC at that. 7.4.2.1 otherwise since that's the current Gold Star "Suggested Release".

What I'm trying to figure out now is how exactly to go about it. My FMC is 7.2, and I'm not sure if I can upgrade FXOS and FTD manually via CLI or if I have to do everything via FMC now.

Is there a reason why you are still on 7.2 FMC?

Your managed devices must be no higher than the version of the managing FMC. So even if you upgraded locally (via cli or FDM), you would have to get FMC to an equal or higher version to onboard the device.
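The version rule stated in the reply above (a managed device may not run a higher version than the FMC that manages it) is easy to get wrong when planning an upgrade-then-register sequence. The following is an added example, not code from the thread or from Cisco: it parses FTD/FXOS-style version strings, applies that rule, and lists the blockers for a plan of "upgrade the device to a target version, register it, enable multi-instance". The minimum version for multi-instance on the 3100 series is not given on this page, so ASSUMED_MIN_MULTI_INSTANCE is a placeholder to be replaced with the value from the release notes.

```python
"""Pre-onboarding version checks for an FMC-managed Secure Firewall device.

Added example (not from the thread). Encodes the rule from the reply above:
a managed device's version must be no higher than the managing FMC's version.
"""
import re
from typing import List, Tuple

# ASSUMPTION / placeholder: the page does not state the minimum FTD version
# for multi-instance on the 3100 series. Replace with the documented value.
ASSUMED_MIN_MULTI_INSTANCE = "7.4.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.4.2.1', '7.2.8' or FXOS-style '2.12(1.73)' into a tuple of ints.

    Any non-numeric separator is ignored, so '2.12(1.73)' -> (2, 12, 1, 73).
    """
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"no numeric version fields in {text!r}")
    return tuple(int(f) for f in fields)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is lower than, equal to, or higher than b.

    Shorter versions are right-padded with zeros, so '7.2' is treated as
    7.2.0 and therefore lower than '7.2.8'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def can_onboard(device_version: str, fmc_version: str) -> bool:
    """The rule from the thread: device version must not exceed FMC version."""
    return compare(device_version, fmc_version) <= 0


def multi_instance_supported(ftd_version: str,
                             minimum: str = ASSUMED_MIN_MULTI_INSTANCE) -> bool:
    """True when ftd_version is at or above the (assumed) multi-instance minimum."""
    return compare(ftd_version, minimum) >= 0


def assess(device_version: str, fmc_version: str, target_version: str,
           min_multi_instance: str = ASSUMED_MIN_MULTI_INSTANCE) -> List[str]:
    """List the blockers for: upgrade device to target_version, register it to
    the FMC, then enable multi-instance. An empty list means no blockers."""
    findings: List[str] = []
    if compare(device_version, target_version) > 0:
        findings.append(
            f"device {device_version} is already above target {target_version}; "
            "pick a target at or above the shipped version")
    if not can_onboard(target_version, fmc_version):
        findings.append(
            f"FMC {fmc_version} must be upgraded to at least {target_version} "
            f"before a device at {target_version} can be registered")
    if not multi_instance_supported(target_version, min_multi_instance):
        findings.append(
            f"target {target_version} is below the assumed multi-instance "
            f"minimum {min_multi_instance}")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: shipped 7.2.8, FMC on 7.2,
    # suggested target 7.4.2.1.
    for finding in assess("7.2.8", "7.2", "7.4.2.1"):
        print("BLOCKER:", finding)
```

With the thread's own numbers (device 7.2.8, FMC 7.2, target 7.4.2.1) the only blocker reported is the FMC version, which matches the advice in the reply: get the FMC to the target version first, then upgrade and register the 3130s.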

Sort of an involved story, but I have some dependencies with other firewall versions that have prevented me from moving forward with the FMC upgrade. Those should be remediated soon so that I can finally move to 7.4.

THEN the plan is to hopefully get these new firewalls registered and managed in the FMC. The answer I can't seem to find yet is if everything including upgrading FXOS, FTD, and enabling Multi-instance will be done via FMC once I am able to get them integrated.

What I am used to working with is FTD 9300s, where enabling multi-instance and upgrading FXOS are all done outside of FMC. FMC is merely a configuration management interface for this platform, but from what I am reading it seems that with the 3100 series all of that changes.