Moving one pair of FTD's to another FMC using export/import

Chess Norris
Level 4

 

Hello,

 

I am looking for advice on moving one H/A pair of FTDs from one virtual FMC to another virtual FMC.

 

The customer I work for is dividing the company, and the firewalls we want to move will be managed by a separate team.

At first we thought about taking an FMC backup from the current FMC, deploying a new FMC, importing the backup and then adding the H/A pair. However, the customer reported issues with that method and was not able to start the FMC after the backup was imported. Also, the backup would then include objects and policies related to the other FTDs, so this would require manual cleaning of policies and objects not in use.

 

Because of that, we are thinking about using the export/import option in FMC, which might be a better solution.

 

There is another thread about a similar situation:

https://community.cisco.com/t5/security-blogs/firepower-threat-defense-ftd-migrations-from-one-fmc-to-another/ba-p/3956939

 

Considering this guide is from 2019, is this still the preferred method for moving an H/A pair of FTDs from one FMC to another?

 

Also, using the import/export method, things that don't seem to be exported are L2L and RA VPN settings, certificates, and other objects like AAA, ACLs and route maps.

Is there an easy way to back up those things, or do we need to re-create them manually?

Thanks

/Chess
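One way to answer the "what still has to be re-created by hand" question after an export/import is to inventory the same object and policy collections on both FMCs through the REST API and diff them by name. The script below is an added example, not code from the original post or from Cisco: the endpoint names in `INVENTORY_ENDPOINTS` are assumptions for a 7.x FMC REST API (check them in your version's API Explorer), the `fetch_inventory()` live path uses the standard `generatetoken` login and `paging.next` links, and the two sample inventories are constructed stand-ins for a source and destination FMC so the diff runs offline.

```python
"""Compare two FMC object/policy inventories to list what export/import did not
carry over and still has to be recreated by hand on the destination FMC.
Added example; not from the original post.  Endpoint names are assumptions."""
import base64
import json
import ssl
import sys
import urllib.request

# FMC REST API collections (relative to /api/fmc_config/v1/domain/<uuid>/) for
# the item types the post lists as not exported: ACLs, route maps,
# certificates, AAA realms, site-to-site and RA VPN policies.  Assumed names
# for a 7.x FMC; verify against your version's API Explorer.
INVENTORY_ENDPOINTS = (
    "object/extendedaccesslists",
    "object/routemaps",
    "object/certenrollments",
    "object/realms",
    "policy/ftds2svpns",
    "policy/ravpns",
)


def names_from_page(payload):
    """Object names in one FMC list response ({"items": [...]}).  An empty
    collection comes back with no "items" key at all, hence the default."""
    return {item["name"] for item in payload.get("items", [])}


def diff_inventories(source, destination):
    """{endpoint: sorted names} present on the source FMC but missing (by name)
    on the destination.  An empty dict means nothing is left to recreate."""
    missing = {}
    for endpoint, names in source.items():
        gap = sorted(set(names) - set(destination.get(endpoint, ())))
        if gap:
            missing[endpoint] = gap
    return missing


def _fmc_get(url, token, ctx):
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def fetch_inventory(host, user, password, verify_tls=True):
    """Log in to a live FMC and collect {endpoint: set(names)} for every
    collection in INVENTORY_ENDPOINTS, following the API's paging links."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for FMCs still on the self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(login, context=ctx, timeout=60) as resp:
        token = resp.headers["X-auth-access-token"]
        domain = resp.headers["DOMAIN_UUID"]
    inventory = {}
    for endpoint in INVENTORY_ENDPOINTS:
        url = f"https://{host}/api/fmc_config/v1/domain/{domain}/{endpoint}?limit=1000"
        names = set()
        while url:  # FMC pages large collections; "next" is a list of URLs
            page = _fmc_get(url, token, ctx)
            names |= names_from_page(page)
            url = (page.get("paging", {}).get("next") or [None])[0]
        inventory[endpoint] = names
    return inventory


# Constructed sample inventories standing in for two live FMCs (not real data).
SOURCE_SAMPLE = {
    "object/extendedaccesslists": {"VPN-SPLIT-TUNNEL", "BGP-REDIST-ACL"},
    "object/routemaps": {"BGP-OUT"},
    "object/certenrollments": {"RAVPN-ID-CERT"},
    "object/realms": {"CORP-AD"},
    "policy/ftds2svpns": {"HQ-TO-DC"},
    "policy/ravpns": {"EMPLOYEE-RA"},
}
DEST_SAMPLE = {  # partially rebuilt destination: some items already recreated
    "object/extendedaccesslists": {"VPN-SPLIT-TUNNEL"},
    "object/routemaps": set(),
    "object/realms": {"CORP-AD"},
}

if __name__ == "__main__":
    insecure = "--insecure" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--insecure"]
    if len(args) == 6:  # src-host src-user src-pass dst-host dst-user dst-pass
        src = fetch_inventory(*args[0:3], verify_tls=not insecure)
        dst = fetch_inventory(*args[3:6], verify_tls=not insecure)
    else:
        src, dst = SOURCE_SAMPLE, DEST_SAMPLE
    print(json.dumps(diff_inventories(src, dst), indent=2))
```

Run it with no arguments to see the diff of the constructed samples, or with six arguments (source host, user, password, then the same for the destination) to compare two live FMCs. The diff is by name only: an object that exists on both FMCs with different contents is not flagged, so treat the empty result as "nothing missing", not "everything identical".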

 

Accepted Solution

Marvin Rhoads
Hall of Fame

Unfortunately there is no easy way.

The thread you found highlights some of the challenges. An FMC model migration can be used with some hacks to allow you to move from same to same model. Combine that with device backup and restore steps to cover the "configure manager delete/add" potential loss of local device settings and you can make it happen.

I was able to do so with a customer who had over 50 firewalls they were moving; but it wasn't pretty. It took some extensive preparation in the lab followed by a solid weekend of work performing the migration.

3 Replies

From the Cisco documentation:
Backup and Restore is not Configuration Import/Export

A backup file contains information that uniquely identifies an appliance, and cannot be shared. Do not use the backup and restore process to copy configurations between appliances or devices, or as a way to save configurations while testing new ones. Instead, use the import/export feature.

For example, threat defense device backups include the device's management IP address and all information the device needs to connect to its managing cloud-delivered Firewall Management Center. Do not restore a threat defense backup to a device being managed by a different cloud-delivered Firewall Management Center; the restored device will attempt to connect to the cloud-delivered Firewall Management Center specified in the backup.

Chess Norris
Level 4

Thanks,

Hopefully we will see a simpler solution in the future, but for now I will prepare myself for the challenge.

/Chess
