Solved: Re: Possible to move standalone FTD to be managed by FMC?

TerenceLockette · ‎07-06-2021

Hello all,

Is it possible to migrate a current FTD appliance that is a standalone device to be managed by FMC that's also currently in production? Or do I need to configure all the objects, NATs, rules, etc. on the FMC first then wipe the FTD and start from scratch? Any guidance on this would be greatly appreciated.

Thanks!

Terence

Marvin Rhoads · ‎07-06-2021

You're welcome.

Yes - just about everything can be preconfigured in FMC awaiting assignment to the device once it is added.

The main things I can think of that cannot be configured in advance are the interface and routing settings (configured under the individual device management page in FMC) and, if you have a site to site or remote access VPNs, the settings for those, including the certificate for remote access VPN.

View solution in original post

Marvin Rhoads · ‎07-06-2021

Changing from local management (or "standalone" as you referred to it) to FMC management does unfortunately require that the current configuration be replaced by what will reside on FMC. Everything except the basic config of the management interface, its gateway etc. will be lost.

TerenceLockette · ‎07-06-2021

Thanks, Marvin. That's what I thought as I didn't see a way to do it natively within the FDM so I wanted to confirm if starting from scratch was the only way to do this. However, I can at least pre-configure the network objects and rules in the FMC so that it's ready to be applied to the FTD when it joins, correct?

Marvin Rhoads · ‎07-06-2021

You're welcome.

Yes - just about everything can be preconfigured in FMC awaiting assignment to the device once it is added.

The main things I can think of that cannot be configured in advance are the interface and routing settings (configured under the individual device management page in FMC) and, if you have a site to site or remote access VPNs, the settings for those, including the certificate for remote access VPN.

TerenceLockette · ‎07-06-2021

Yes exactly which is why I didn't mention routing and interface configs since they're done under the device management menu as you stated. Fortunately, these appliances are in an environment which doesn't require any VPN services and the rules are very small so the work to preconfigure the objects and rules shouldn't be a burden. Thanks for confirming, Marvin!

Much appreciation,

Terence

Eric R. Jones · ‎07-06-2021

Nice to see this information; however, being the lazy guy I am, is it possible to use the migration tool to pull the current config off a FTD device and import it into the FMC and then make the other IP changes then add the FTD to the FMC?

ej

Marvin Rhoads · ‎07-07-2021

Sorry that's not possible - at least not easily. In theory you could pull everything that's exposed via API on the locally-managed FTD and then map it to what is supported to push via API on FMC. However that would be a lot more work and still leave you with bits to migrate manually.

Eric R. Jones · ‎07-07-2021

Thank you.
I was wondering if there was a way to easily migrate FTD's from one
location to another, either by exporting the ACP Rules and re-import them or
use a previous backup and import that to the FMC and then restore to the
newly, and wiped, FTD to be managed.

Marvin Rhoads · ‎07-08-2021

It is possible to export ACP rules from one FMC and restore to another. They need to match versions of Firepower software, VDB etc.