Replace Firepower 4110 with Firepower 3130

I am going to replace my existing Firepower 4110 appliance running FTD 7.0.9, let's call it
fp4110, managed by the FMC running 7.4.7, with a new Firepower 3130 appliance, let's call it
fp3130. All existing IP address(es), with the exception of the management IP address of the
appliance, will remain the same on both the fp4110 and fp3130. The fp3130 will be running a newer
version, 7.4.7. I have not worked with Cisco FTD in years, so I am thinking of doing the following:

a- Rack fp3130 and connect all the cables but the switchport(s) on the switch(es) will be disabled,
b- Enable the management interface on the fp3130,
c- Connect the fp3130 to the FMC,
d- Configure interfaces on the fp3130 with the same IP address(es), and zone(s) as the fp4110, in the FMC,
f- Configure static routing on the fp3130 exactly the same as the fp4110,
g- Assign the same access policy of the fp4110 to the fp3130,
h- Assign the same NAT policy of the fp4110 to the fp3130,
i- Clone the same platform settings of the fp4110 to the fp3130,
j- Deploy the access policy, NAT, and platform settings to both the fp4110 and fp3130,
k- Confirm both the fp4110 and fp3130 have the same access policy, NAT, and platform settings,
l- Disable switchport(s) on the switch, with the exception of the management interface, that are connected to the fp4110,
m- Enable switchport(s) on the switch that are connected to the fp3130,
n- Clear the arp table on the switch(es),
o- Validate all interfaces on the fp3130 are up and operational,
p- Start the validation,

This will minimize the interruption because these are the Internet firewalls. Comments are welcome.

Thoughts?
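Step k is where a parity gap (a missing route, zone, interface group or policy assignment) would be caught before the cutover in steps l and m. The following is an added example, not part of the original post: a small checker that compares two device descriptions and flags every difference except the ones the post says are expected (management IP and software version). The device records are constructed by hand and their field names are an assumption, not FMC's API schema; you would fill them from whatever FMC export or REST query you use.

```python
import json

# Fields the post says are expected to differ between the two appliances.
IGNORED_FIELDS = {"management_ip", "software_version"}

def config_diff(old, new, path=""):
    """Recursively compare two nested dict/list/scalar structures and return
    "path: detail" strings for every mismatch; IGNORED_FIELDS keys are skipped."""
    mismatches = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            if key in IGNORED_FIELDS:
                continue
            here = f"{path}.{key}" if path else key
            if key not in old or key not in new:
                mismatches.append(f"{here}: only on {'old' if key in old else 'new'} device")
            else:
                mismatches.extend(config_diff(old[key], new[key], here))
    elif isinstance(old, list) and isinstance(new, list):
        # Ordering of routes/groups is not meaningful, so compare as sets.
        a = {json.dumps(i, sort_keys=True) for i in old}
        b = {json.dumps(i, sort_keys=True) for i in new}
        mismatches += [f"{path}: only on old device: {i}" for i in sorted(a - b)]
        mismatches += [f"{path}: only on new device: {i}" for i in sorted(b - a)]
    elif old != new:
        mismatches.append(f"{path}: {old!r} != {new!r}")
    return mismatches

# Constructed sample records (not real devices); the shape is an assumption.
FP4110 = {
    "management_ip": "192.0.2.10", "software_version": "7.0.9",
    "interfaces": {
        "Ethernet1/1": {"ip": "198.51.100.2/30", "zone": "outside", "groups": ["inet-edge"]},
        "Ethernet1/2": {"ip": "10.0.0.1/24", "zone": "inside", "groups": []},
    },
    "static_routes": [
        {"dest": "0.0.0.0/0", "gateway": "198.51.100.1", "interface": "Ethernet1/1"},
        {"dest": "10.10.0.0/16", "gateway": "10.0.0.254", "interface": "Ethernet1/2"},
    ],
    "policies": {"access": "Internet-ACP", "nat": "Internet-NAT", "platform_settings": "Std"},
}
FP3130 = {
    "management_ip": "192.0.2.11", "software_version": "7.4.7",
    "interfaces": {
        "Ethernet1/1": {"ip": "198.51.100.2/30", "zone": "outside", "groups": []},  # group missing
        "Ethernet1/2": {"ip": "10.0.0.1/24", "zone": "inside", "groups": []},
    },
    "static_routes": [{"dest": "0.0.0.0/0", "gateway": "198.51.100.1", "interface": "Ethernet1/1"}],
    "policies": {"access": "Internet-ACP", "nat": "Internet-NAT", "platform_settings": "Std"},
}
```

An empty result from `config_diff(FP4110, FP3130)` is the go/no-go signal for step l; the constructed sample deliberately omits an interface group and a static route on the fp3130 so both show up in the output.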


I think you got everything covered here. Just a couple of things come to mind: if you are using interface groups on the 4110, then I think you would need to assign the 3130 interfaces to those groups. The other thing is that if the current 4110 firewalls terminate any remote VPN connections, then you might need to generate a new SSL cert and assign it to the 3130 outside interface, as well as uploading the Secure Client packages to the 3130s. With regard to clearing the ARP table on the switches, I don't think that is necessary, as the new 3130s will announce their MAC addresses to the switches when they are inline.

Actually, another thing that came to mind is that if you have any RADIUS/TACACS servers that are used by the current 4110 firewalls, then you might need to create new clients on those servers with the new management IPs of the 3130s. Also, if you have any monitoring tools that are currently pointing to the 4110 management IPs, then those need to be updated to point to the new 3130 management IPs.
