Announcing the availability of the ASA to FTD Migration Tool

Beginner

The Cisco ASA provides advanced stateful firewall and VPN concentrator functionality. It has long been the industry standard for firewalls. For more information on this product, see http://www.cisco.com/go/asa.

Firepower Threat Defense provides unified next-generation firewall and next-generation IPS functionality. In addition to the IPS features available on Firepower Software models, firewall and platform features include Site-to-Site VPN, robust routing, NAT, clustering, and other optimizations in application visibility and access control. Firepower Threat Defense also supports Advanced Malware Protection (AMP) and URL filtering. For more information on this product, see http://www.cisco.com/go/ngfw.

Cisco's Migration Tool allows you to convert specific features in an ASA configuration to the equivalent features in a Firepower Threat Defense configuration using an easy-to-use, wizard-based workflow. Download the Migration Tool here. Release notes here.

18 Comments
Beginner

What is the difference between this tool and using the FMC image as a migration tool?

Which one shall be used?

Regards

Beginner

Hello Rami,

This tool is a small executable that you can freely download onto a Windows machine. You do not need to use an FMC as a migration tool. For more info see the tool guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/10/migration-guide/ASA2FTD-with-FP-Migration-Tool-10/b_Migration_Guide_ASA2FTD_chapter_00.html

To add further, the new tool will log in to your existing and compare the existing attributes like object-groups from the ASA, and any duplicate object-groups would not be imported. However, if you use FMC as a migration tool, duplicate objects would be imported with a new name. This is good from the config clean-up perspective in case you are migrating multiple sites to FTD.
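The duplicate-object behaviour described in the reply above is easy to check for yourself before a migration. The following is an added example, not the Cisco Migration Tool's own code: it parses the `object-group network` blocks from an ASA running-config excerpt, normalises their members, and reports which groups already exist on the FMC (identical content, would be skipped), which only duplicate another FMC object under a different name (the case the FMC-as-migration-tool path would import with a new name), and which are genuinely new. The ASA config, the FMC snapshot and all names and addresses are constructed; the FMC side is a plain dictionary rather than a live API call.

```python
"""Added example (not the Cisco Migration Tool's own code): parse ASA network
object-groups and flag the ones that duplicate objects already on the FMC.
All names and addresses below are constructed (RFC 5737 documentation ranges)."""
import re
from typing import Dict, FrozenSet, Tuple

# Constructed ASA running-config excerpt.
ASA_CONFIG = """\
object-group network DMZ_WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network BRANCH_LAN
 network-object 198.51.100.0 255.255.255.0
 network-object object Branch_Printer
object-group network DMZ_WEB_COPY
 network-object host 192.0.2.11
 network-object host 192.0.2.10
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
"""

# Constructed snapshot of the network groups already defined on the FMC.
FMC_EXISTING: Dict[str, FrozenSet[str]] = {
    "DMZ_WEB_SERVERS": frozenset({"192.0.2.10/32", "192.0.2.11/32"}),
    "PARTNER_NET": frozenset({"203.0.113.0/24"}),
}


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal netmask to prefix length (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_network_groups(config: str) -> Dict[str, FrozenSet[str]]:
    """Return {group name: frozenset of normalised members} for every
    'object-group network' block.  Members become CIDR strings (or
    'object:<name>' for object references) so member order is irrelevant."""
    groups: Dict[str, set] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"object-group network (\S+)", line)
        if header:
            current = header.group(1)
            groups[current] = set()
            continue
        if not line.startswith(" "):
            current = None          # any other top-level command ends the block
            continue
        if current is None:
            continue                # e.g. members of a service group
        member = line.strip()
        host = re.match(r"network-object host (\S+)$", member)
        ref = re.match(r"network-object object (\S+)$", member)
        subnet = re.match(r"network-object (\S+) (\S+)$", member)
        if host:
            groups[current].add(f"{host.group(1)}/32")
        elif ref:
            groups[current].add(f"object:{ref.group(1)}")
        elif subnet:
            groups[current].add(f"{subnet.group(1)}/{mask_to_prefix(subnet.group(2))}")
    return {name: frozenset(members) for name, members in groups.items()}


def classify(asa_groups: Dict[str, FrozenSet[str]],
             fmc_existing: Dict[str, FrozenSet[str]]) -> Dict[str, Tuple[str, str]]:
    """Decide, per ASA group, what a migration should do with it."""
    by_members = {members: name for name, members in fmc_existing.items()}
    verdicts: Dict[str, Tuple[str, str]] = {}
    for name, members in asa_groups.items():
        if name in fmc_existing:
            if fmc_existing[name] == members:
                verdicts[name] = ("skip", "identical object already exists on FMC")
            else:
                verdicts[name] = ("review", "same name on FMC but different members")
        elif members in by_members:
            verdicts[name] = ("duplicate", f"same members as FMC object {by_members[members]}")
        else:
            verdicts[name] = ("import", "new object")
    return verdicts


if __name__ == "__main__":
    report = classify(parse_network_groups(ASA_CONFIG), FMC_EXISTING)
    for group, (action, why) in report.items():
        print(f"{action:9} {group:18} {why}")
```

The "review" verdict (same name, different members) is the case worth catching before you migrate: whichever import path you use, a name clash with different content is where a silently wrong rule comes from, so resolve it on the ASA or the FMC first.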
Beginner

great!

Beginner

I had a few doubts on migrating an active/standby failover pair using this tool. Figured that we have to take the config from the active unit. The doubt comes while adding the devices to FMC. Should we add it as an FTD HA pair and then run the migration tool? Or add the active first and migrate, later add the secondary (no config) and form the failover pair? In that case, can someone guide me how I add a secondary device to an existing deployment with complete configuration? I have seen adding two fresh devices and config being pushed to the pair in tutorials.

Cisco Employee

Hi Nihal,

Let's name the FTDs FTD1 and FTD2.

For an ASA HA pair, we recommend migrating the active ASA's config to FTD1 (without HA created on FMC).

Post migration, create the HA pair on FMC by choosing FTD1 as primary and FTD2 as secondary/standby unit (not vice versa); this way the config available on FTD1 will be synced to FTD2 as part of HA.

Note: HA creation, including standby IP configuration, is manual.

Let me know if this answers your query.

Regards,

Santhosha Shetty

Cisco Employee

Migration tool 1.0.0 supports migrating configuration onto a standalone FTD only, not an HA pair. You need to first migrate the configuration onto a standalone FTD and later configure the HA pair. Even if you are going to migrate an ASA HA pair which is handling the traffic, you would like to migrate the standby unit first.

You mentioned about a tutorial which explains the configuration can be pushed to HA pair, do you mean from Migration tool it can be pushed to HA Pair? Can you please share the same tutorial?

Beginner

Thanks, guys. Already tested this as it seemed to be the most logical option then. Migrated a small setup from ASA 8.2 to 9.2 and then FTD (Yes!, thanks to https://fwm.cisco.com/auth.do and Migration Tool 1.0.2).

Key observations:

Requires a Windows 10 PC and Chrome, else the tool won't connect to FMC.

VPN-related config isn't migrated, not even crypto ACLs.

All ACLs applied to interfaces get converted to Access Control Rules as-is.

It took me less than 10 minutes to migrate a config with 250+ ACLs.

It is a pain to apply the NGFW policies to the newly migrated rules one by one. Trying something with the REST API now to make it automated.
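The automation the post above is reaching for can be done with the FMC REST API. The following is an added example, not the Migration Tool's code, Cisco's code or the poster's script: it fetches every access rule of one access control policy, and for each rule that allows traffic and has no intrusion policy yet, PUTs the rule back with a File policy, an Intrusion policy and that policy's variable set attached. The endpoint paths (`/api/fmc_platform/v1/auth/generatetoken`, `/api/fmc_config/v1/domain/{uuid}/policy/accesspolicies/{id}/accessrules`), the `X-auth-access-token` / `DOMAIN_UUID` response headers and the `filePolicy` / `ipsPolicy` / `variableSet` field shapes are taken from the FMC REST API reference as understood here; treat them as assumptions and confirm them in the API Explorer on your own FMC. The policy IDs and the `FmcClient` helper are constructed for the example; the pure functions run offline.

```python
"""Added example (not the Migration Tool's or Cisco's code): attach a File
policy and an Intrusion policy to every ALLOW rule of an FMC access control
policy via the FMC REST API.  Endpoint paths, header and field names are
assumptions based on the FMC REST API reference; policy IDs are constructed."""
import base64
import json
import ssl
import urllib.request

READ_ONLY_FIELDS = ("metadata", "links")   # present in GET output, rejected on PUT


def needs_ngfw_policies(rule: dict) -> bool:
    """File/intrusion inspection only applies to rules that let traffic
    through; rules that already carry an intrusion policy are left alone."""
    return rule.get("action") in ("ALLOW", "INTERACTIVE_BLOCK") and "ipsPolicy" not in rule


def build_rule_update(rule: dict, file_policy_id: str, ips_policy_id: str,
                      variable_set_id: str) -> dict:
    """PUT body for one rule: the GET representation minus read-only fields,
    plus the File policy, the Intrusion policy and its variable set."""
    body = {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}
    body["filePolicy"] = {"id": file_policy_id, "type": "FilePolicy"}
    body["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
    body["variableSet"] = {"id": variable_set_id, "type": "VariableSet"}
    return body


class FmcClient:
    """Minimal token-authenticated client (assumed endpoints, see lead-in)."""

    def __init__(self, host: str, username: str, password: str):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context()   # TLS verification stays on
        self.token = None
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        with self._call("POST", "/api/fmc_platform/v1/auth/generatetoken",
                        headers={"Authorization": f"Basic {creds}"}) as resp:
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def _call(self, method, path, body=None, headers=None):
        hdrs = {"Content-Type": "application/json", **(headers or {})}
        if self.token:
            hdrs["X-auth-access-token"] = self.token
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=hdrs)
        return urllib.request.urlopen(req, context=self.ctx, timeout=30)

    def _rules_path(self, policy_id: str) -> str:
        return (f"/api/fmc_config/v1/domain/{self.domain}/policy/accesspolicies/"
                f"{policy_id}/accessrules")

    def access_rules(self, policy_id: str):
        """Yield every rule of the policy, walking the API's offset paging."""
        limit, offset = 100, 0
        while True:
            path = f"{self._rules_path(policy_id)}?expanded=true&limit={limit}&offset={offset}"
            with self._call("GET", path) as resp:
                items = json.load(resp).get("items", [])
            yield from items
            if len(items) < limit:
                return
            offset += limit

    def update_rule(self, policy_id: str, rule_id: str, body: dict) -> dict:
        with self._call("PUT", f"{self._rules_path(policy_id)}/{rule_id}", body=body) as resp:
            return json.load(resp)


def apply_ngfw_policies(client, policy_id, file_policy_id, ips_policy_id, variable_set_id):
    """Update every eligible rule; returns the names of the rules changed."""
    changed = []
    for rule in list(client.access_rules(policy_id)):   # list() first: PUTs reorder paging
        if needs_ngfw_policies(rule):
            body = build_rule_update(rule, file_policy_id, ips_policy_id, variable_set_id)
            client.update_rule(policy_id, rule["id"], body)
            changed.append(rule["name"])
    return changed


if __name__ == "__main__":
    # Constructed values: replace host, credentials and the four IDs with your own.
    fmc = FmcClient("fmc.example.invalid", "apiuser", "change-me")
    print(apply_ngfw_policies(fmc, "ACP-ID-PLACEHOLDER", "FILEPOLICY-ID-PLACEHOLDER",
                              "IPSPOLICY-ID-PLACEHOLDER", "VARIABLESET-ID-PLACEHOLDER"))
```

Two practical notes: the rules are materialised with `list()` before any PUT, because updating rules while paging through them can shift offsets and skip entries; and the changes only take effect after you deploy the policy to the devices from the FMC, which this script deliberately does not do so you can review the result first. Use a dedicated API account with only the rights this task needs.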

 

Cisco Employee

Hi Nihal,

Thanks for sharing your observations and you are spot on!

VPN migration and the ability to apply NGFW (File/IPS) policies on rule(s) are on the roadmap and will be implemented as and when APIs are made available (VPN).

Thanks,

Santhosh

Cisco Employee

To access the migration tool, and to get a step-by-step tutorial, please visit the assets located here.

https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html

Beginner

At this time my understanding of ASA with FirePower service/module is as follows:

ASA is the actual firewall. In my case it's a 5508.

The FirePower is a software-based module which is integrated within the ASA and does traffic analysis to block malware, apps, etc. based on a set of configuration. In my case, I use the FirePower Management Center (FMC) to perform the configuration for the FirePower module.

Question set 1:

What I am still confused about is how Firepower Threat Defense (FTD) fits into this picture?

Is FTD going to be the replacement for the FMC?

OR

Is the FTD going to be replacing the FirePower service on the firewall?

Question set 2:

I have a FirePower license; do I have to pay to upgrade to FTD?

Beginner

Is there any one still responding to this post?!

Beginner

Hi A company,

Your questions may be better suited as a standalone forum question, but I hope my answers will help:

1. FTD is the unified Firepower Services and ASA in one image. FTD is managed by the Firepower Management Center (FMC).

The 5508-X ASA with Firepower Services has two management planes: the CLI/ASDM for the ASA and Firepower Management Center for the Firepower Services. With FTD you have one management plane and manage your devices fully using the Firepower Management Center.

There is also a standalone management platform called Firepower Device Manager, which is used for managing FTD devices without the FMC.

Be aware that not all features from the ASA are available in FTD.

2. Your licenses have to be converted to Smart Licensing, but there is no additional cost involved. The link below may also help clear up your questions.

https://community.cisco.com/t5/firepower/firepower-threat-defense-smart-licensing-faq-s/td-p/2894669

Beginner

Hi A Company,

Earlier, in ASA with Firepower services, the services were running as two separate instances (ASA and Firepower).

Cisco then came up with Firepower Threat Defense (FTD), which is a unified image of ASA and Firepower. It is designed to do what ASA and what Firepower can, together, with unified management. FMC is simply a management server and is useful when you have multiple firewalls installed.

You can upgrade your ASA 5508-X with the FTD image and you can manage it locally using FDM (Firepower Device Manager). Though eventually you will end up buying the FMC as a management server for managing all your Cisco FTD firewalls in the long run. FTD will eventually replace the ASA product line-up.

Regarding the licensing part, it's better to contact Cisco licensing directly rather than community opinion. Cisco says FTD is included in the smart licensing.

Look at this link: https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html

In my personal opinion, Cisco has messed up their firewall category with so many changes. It all started with ASA-CX and now, hopefully, they will get stabilized with this FTD.

Beginner

Thank you @Jesper Erbs.

That's a perfect answer.

Is there any estimate for when the FTD will be fully capable of replacing both the ASA and the FirePower module software?