Migration from one FMC to another

rjadhav163
Level 1

Hello

I want to migrate all the devices from our current virtual Firepower Management Center to a new Firepower Management Center. Following are the conditions:

1. The new management center will also be on VMware and will have the exact same version number as the current one.

2. The devices managed by the current FMC are ASAs with FTD images and are in High Availability (only 1 pair).

3. The new FMC must have the exact same configuration as the current one (like security policies and all; I can export the config from the current FMC, I guess).

4. The new FMC should take over the IP address of the current FMC.

How can I achieve this migration? Is there a document? Or can someone jot down the process I should follow?

Thanks and Regards,

20 Replies

We did not experience any downtime. When shutting down the old FMC and turning up the "newly restored" FMC, it acted like it normally would: it needed to do a full deploy to the firewalls, but no impact was noticed since the configs were the same between the old and new FMC.

As I noted before in this thread, I needed to run the commands in that other thread that "tricked" my new FMCv into being an FMCv300, restored the FMC1000 backup onto it (and deployed to the firewalls), then downsized it back to an FMCv at the end, with no issues.

@p.lan Thank you very much, your experiences are very helpful. One more question: how many FTD devices have you reregistered with the old FMC1000, and did you move all the FTDs to the new FMCv at one time? Because I plan to use a different IP address for the new FMCv, I am considering moving one HA pair of FTDs at one time, and moving another HA pair of FTDs the next time.

Sure thing! We had 3 HA pairs registered to the FMC1000. We kept the IP of our old and new FMC the same.

If you want to migrate one or a few FTDs at a time to the new FMCv, your new FMCv will need a unique IP address of course, and I believe you will need to use the "configure manager edit" command on each FTD and point them to the new FMCv IP. As long as they are on 7.0+, I believe this will also be seamless and not cause any interruption. You should have a pending deploy once it begins to talk to the new FMCv.

Thank you very much for sharing, really helpful.

This procedure is intended for TAC lab use only and is not supported for production environments. Any issues would be supported as best effort only.

Gustavo Medina
Cisco Employee

You are right: due to database size differences between models, the Model Migration feature only supports moving to a larger model. There are plans to add support for some other paths in newer versions, but for now you can always export and import the configuration between any models. It is not as seamless as the Model Migration feature, but you will not have to configure the new device from scratch. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/configuration_import_and_export.html

The other option, if possible, is to use the Migration Tool and move to cdFMC: https://www.cisco.com/c/en/us/td/docs/security/cdo/managing-fmc-with-cdo/managing-fmc-with-cisco-defense-orchestrator/m-preface-managing-fmc-with-cisco-defense-orchestrator.html
