02-23-2017 07:22 AM - edited 03-12-2019 01:58 AM
Hi All,
Over two years ago we replaced an aging ASA 5550 with a Palo Alto PA-5050. Palo Alto had a nice conversion tool that I was able to use to migrate the config from our ASA to the PA. Fast forward two years, and long story short, the Palo Alto gave us a lot of problems. Our maintenance was up, and we were outgrowing the device, so we purchased a Firepower 4110 knowing that Cisco had upped their game with the NGFW.
Now I'm stuck with 700+ NAT entries and 700+ ACLs in the PA that I need to migrate to the Firepower. I have the FTD provisioned, and my FMCv VM registered, and I'm able to start configuring rules.
Is there a way to mass import rules to the Firepower? I can pull them easily from the CLI on the PA. They're in XML format. My zones are the same, obviously I would have to create ports possibly.
Any guidance is greatly appreciated!
-Mike
02-23-2017 08:42 AM
Congratulations on coming back from the Dark Side.
Unfortunately there's no such tool that I know of - even internal Cisco or partner-accessible.
02-23-2017 08:44 AM
That's a bit of a bummer :( And there is currently no CLI for Firepower that allows adding threat defense rules?
02-24-2017 05:32 AM
Well... you could automate it to a certain degree. FMC has a REST API which you could use to
1) import your policy
2) create network / service objects & group objects
3) create interface configuration
Unfortunately NAT Policy is not yet exposed via the REST Interface but you could use the ASA REST interface to dump your NAT configuration into a virtual ASA and then use the Firepower migration tool to get your NAT rules from the ASA into FMC.
I know that's not very satisfying but migrating 700 rules, 700 NAT rules and prob. 1000 objects by hand is destined to lead to fat finger mistakes.
If you have any questions let me know...
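To make the REST-based route above concrete, here is an added example (not Cisco's, Palo Alto's or the kaisero/fum project's code) that turns a Palo Alto-style security-rule XML export into the object and access-rule payloads the FMC REST API accepts, deduplicates the objects, and reconciles rule counts before anything is pushed. The XML shape in `SAMPLE_PAN_XML` is a constructed, simplified approximation of a PAN-OS policy export, and the endpoint paths and JSON field names follow the FMC 6.x REST API reference (`object/hosts`, `object/networks`, `object/protocolportobjects`, `policy/accesspolicies/{id}/accessrules`); check them against the API Explorer on your own FMC build. Unknown actions or service names raise instead of being skipped, because a rule that silently drops out of a 700-line policy is exactly the kind of hole that is hard to spot afterwards.

```python
"""Translate a Palo Alto-style security-rule XML export into FMC REST payloads.
Added example for this thread; endpoint names and JSON fields are assumed from
the FMC 6.x REST API reference, and the sample XML below is constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET  # use defusedxml for exports you did not produce yourself

SAMPLE_PAN_XML = """<security><rules>
  <entry name="allow-web-to-dmz">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>10.1.0.0/24</member></source>
    <destination><member>10.2.0.5</member></destination>
    <service><member>tcp-443</member></service><action>allow</action>
  </entry>
  <entry name="deny-ssh-from-dmz">
    <from><member>dmz</member></from><to><member>trust</member></to>
    <source><member>any</member></source>
    <destination><member>10.1.0.0/24</member></destination>
    <service><member>tcp-22</member></service><action>deny</action>
  </entry>
</rules></security>"""

ACTION_MAP = {"allow": "ALLOW", "deny": "BLOCK", "drop": "BLOCK"}
SERVICE_RE = re.compile(r"^(tcp|udp)-(\d{1,5})$")


def _members(entry, tag):
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]


def parse_rules(xml_text):
    """Flatten each <entry> into a dict of zone, address, service and action lists."""
    rules = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        rules.append({
            "name": entry.get("name"),
            "from": _members(entry, "from"), "to": _members(entry, "to"),
            "source": _members(entry, "source"), "destination": _members(entry, "destination"),
            "service": _members(entry, "service"),
            "action": (entry.findtext("action") or "").strip().lower(),
        })
    return rules


def network_object(value):
    """Map an address member to (endpoint, payload); 'any' maps to None (FMC 'any')."""
    if value.lower() == "any":
        return None
    net = ipaddress.ip_network(value, strict=False)  # raises on junk, so typos fail loudly
    if net.prefixlen == net.max_prefixlen:
        addr = str(net.network_address)
        return "object/hosts", {"name": "h_" + re.sub(r"[.:]", "_", addr),
                                "type": "Host", "value": addr}
    return "object/networks", {"name": "n_" + re.sub(r"[./:]", "_", str(net)),
                               "type": "Network", "value": str(net)}


def port_object(service):
    """Map a 'tcp-443' style service name to a ProtocolPortObject payload."""
    if service.lower() in ("any", "application-default"):
        return None
    m = SERVICE_RE.match(service.lower())
    if not m:  # named services and service groups need a hand-built mapping
        raise ValueError(f"unsupported service {service!r}")
    return "object/protocolportobjects", {"name": service, "type": "ProtocolPortObject",
                                          "protocol": m.group(1).upper(), "port": m.group(2)}


def build_payloads(rules):
    """Return (objects, access_rules): deduplicated object payloads keyed by name,
    plus AccessRule bodies that reference those objects by name and type."""
    objects, access_rules = {}, []

    def ref(obj):  # register the object once, hand back a name/type reference
        if obj is None:
            return None
        endpoint, payload = obj
        objects.setdefault(payload["name"], (endpoint, payload))
        return {"type": payload["type"], "name": payload["name"]}

    def zone_refs(names):
        return [{"type": "SecurityZone", "name": z} for z in names if z.lower() != "any"]

    def section(refs):  # an absent section means 'any' on the FMC side
        return {"objects": refs} if refs else None

    for r in rules:
        if r["action"] not in ACTION_MAP:
            raise ValueError(f"rule {r['name']}: unmapped action {r['action']!r}")
        rule = {"name": r["name"], "type": "AccessRule", "enabled": True,
                "action": ACTION_MAP[r["action"]],
                "sourceZones": section(zone_refs(r["from"])),
                "destinationZones": section(zone_refs(r["to"])),
                "sourceNetworks": section([x for x in map(ref, map(network_object, r["source"])) if x]),
                "destinationNetworks": section([x for x in map(ref, map(network_object, r["destination"])) if x]),
                "destinationPorts": section([x for x in map(ref, map(port_object, r["service"])) if x])}
        access_rules.append({k: v for k, v in rule.items() if v is not None})
    return objects, access_rules


def reconcile(rules, access_rules):
    """Migration check: every source rule produced exactly one access rule, in order."""
    return [r["name"] for r in rules] == [a["name"] for a in access_rules]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_PAN_XML)
    objs, acls = build_payloads(parsed)
    print(f"{len(parsed)} rules -> {len(objs)} objects, {len(acls)} access rules, "
          f"reconciled={reconcile(parsed, acls)}")
```

The push step is deliberately kept out of the block so the translation can be reviewed and diffed offline first. When you do push, the FMC flow is: `POST /api/fmc_platform/v1/auth/generatetoken` with basic auth returns the `X-auth-access-token` and `DOMAIN_UUID` headers; each object payload goes to `/api/fmc_config/v1/domain/{DOMAIN_UUID}/{endpoint}`; the `id` in every response must be copied into the matching name/type reference before the access rules are posted, since FMC resolves references by id, not name. Security zones and any named services the regex rejects still have to be mapped by hand, and the `reconcile` result is the minimum you want to see before deploying.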
02-24-2017 05:49 AM
Kaisero,
Thank you for the input! I'll do some reading on the REST API. I agree, my biggest worry is human error. I created 10 custom rules I knew I would have to do manually regardless, and I made mistakes on a couple of them. I can't imagine entering 1,400 policies by hand and not making a handful of mistakes, if not more.
Is it easy to get a trial ASA VM from Cisco?
Thanks!
-Mike
02-24-2017 06:01 AM
Mike,
The ASAv can be downloaded and run in unlicensed mode with the restriction that you are limited to 100 Kbps throughput.
02-24-2017 06:02 AM
Thanks Marvin!
04-04-2017 10:51 AM
I have the same question when I did my PoC with Cisco FTD. We got like 5000+ firewall rules and 10K+ objects....... without a good automation tool, it is mission impossible.
Hope Cisco can realize the problems and develop some tools for help. Otherwise, customers won't move to Cisco. On Palo Alto and Fortinet side, they have tool to do it ..... much easier for customers.
05-15-2017 05:30 PM
Regards!
02-24-2017 06:05 AM
I have gone through a similar project recently and without automation we would have been doomed. :) (keep in mind that the policy might even change during the migration since it will take some time to migrate)
Getting an ASA VM from Cisco shouldn't be an issue if you migrate from PAN to Cisco. Just hit up your local VAR or Cisco SE and ask them for the download link to get the OVA.
Maybe you already have the entitlement to download it (asav971.zip):
https://software.cisco.com/download/release.html?mdfid=286119613&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest
02-24-2017 06:10 AM
Thanks All! So, I'm thinking at this point, maybe my best option is to spin up the virtual ASA, migrate ACLs and NAT rules, then use the FMCv tool to migrate the config from the virtual ASA.
I've done scripting in the past, but never anything using a REST API to migrate from one device to another. Sounds like an adventure! Hopefully I can put something together to help future people with this issue.
02-24-2017 06:23 AM
Please keep us posted on how it works out for you. It would be an interesting case study.
02-26-2017 06:47 AM
You can take a look at my repo for using the rest interface of asa / firepower. I used this tool to migrate checkpoint objects to firepower... hope it will help you get started: https://github.com/kaisero/fum
regards
Oliver
02-27-2017 06:13 AM
Oliver,
That definitely looks like it would be helpful. I need to brush up on my scripting skills.
You're probably not available for hire, are you? ;)
-Mike
03-09-2017 01:47 AM
Hi Mike,
My company is always happy to help. ;) - If you need anything specific just let me know.
regards
Oliver