Re: PIX to FTD

kostasthedelegate · ‎05-06-2021

Hello,

I have a PIX-515E and I will install a new Firepower managed locally.

Is there any possibility for automated migration or the only solution is the manual one.

In the manual what should I be aware of?

Thanks and regards,

Konstantinos

Rob Ingram · ‎05-07-2021

@kostasthedelegate

I am not aware of a PIX to FTD migration tool. PIX has been EOL for a long time.

Potentially you could migrate PIX to ASA, then use the FMT to migrate ASA to FTD...but realistically it might just be quicker to manually configure the FTD.

Pix to ASA migration information https://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html#wp279448 (I don't believe the migration tool is even available on cisco website any longer, you might be able to google it).

balaji.bandi · ‎05-07-2021

PIX to FTD - very Long Journey like 15 years going back.

If not big and mass access line, i make advantage of install new FTD, manually create and make or remove redundant rules ? so your new setup is tidy and neat moving forward.

PIX- ASA - FTD manythings changed, i do not see its is straight forward work.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎05-07-2021

I would generally agree than a manual configuration is the way to go. Too many things have changed to rely on tool-based migration even if you could do it.

If you are really determined, an older ASA 5500 series could potentially load a Pix config into a post-8.3 version so that pre-8.3 NAT rules are converted. You could then load the converted config into an ASAv (trial license) with 9.x and finally use CD) (another trial license) to pull the config from ASAv into FTD (managed locally with FDM but temporarily using CDO trial license as well).

That's not a path I'd recommend but it is technically possible - it's more of a "Rube Goldberg" solution and making it happen would be time better spent analyzing and migrating the configuration manually.