But I have created a cheat sheet and documented the steps below in detail, which always helps me during FMC migrations.
1. Create all necessary security zones with interface type under Objects ==> Interface on the new FMC.
2. Take screenshots of the Device Interface details from the old FMC.
3. Move (System ==> Export/Import) all the policies from the old FMC to the new FMC.
4. On the old FMC make the secondary FTD ACTIVE - make sure all the traffic is flowing fine with accessing applications.
5. Break the HA pair - minor interruption. All the traffic will be flowing through the secondary FTD which is ACTIVE ==> Config will be removed from the primary FTD.
6. Remove (DELETE) the primary FTD from the old FMC.
7. Shutdown the primary FTD interfaces on the Chassis except the management. Disable all Port Channel Interfaces from the 9300 Chassis Management portal if present.
8. Attach (REGISTER) the primary FTD to the new FMC.
9. Do all the Device Management Config.
10. Interfaces – ADD Port Channels and ENABLE if they exist.
11. Routing – ADD Static Routes.
12. Verify the Device (Model, Routed, Mgmt), cross check.
13. Verify the Summary for License.
14. Assign all the policies and deploy.
NOTE: Since the interfaces on the Chassis are shutdown, the primary FTD won't take traffic. If the interfaces are not shut on the primary FTD Chassis, it can cause split brain and cause a major outage after deployment.
15. Compare the Config of the primary and secondary FTDs (the one that is passing the traffic). Re-verify all TABs.
16. Once the config is good on the primary FTD:
17. Shutdown the secondary FTD interfaces from the 9300 Chassis Management portal.
18. Enable the primary FTD interfaces from the 9300 Chassis Management portal.
19. Here we will have a small amount of downtime.
20. Clear the ARP on switch/adjacent devices. All the traffic should be passing through the primary FTD now.
21. Validate all applications and verify the traffic on the primary FTD; if all looks good then proceed further with step 22.
22. Remove (DELETE) the secondary FTD from the old FMC.
23. Attach (REGISTER) the secondary FTD to the new FMC.
24. Create HA with group, as Primary and Secondary FTD.
25. Update the secondary interface IP Address and disable monitoring for the time being.
26. Verify all Device Management Config with the captured screenshots and then push the policy.
27. Re-verify all Device Management Config and Health alerts, then Enable Monitoring.
28. One last time push the policy and validate the applications.
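The config-comparison step (checking the rebuilt primary against the secondary that is still passing traffic, before the primary's chassis interfaces are enabled) is where a mistake is still cheap to catch. The following is an added example, not the poster's own tooling: it diffs the interface and static-route records of the two units. The record shapes are an assumed, simplified form of what the FMC REST API returns for a device's interfaces and ipv4staticroutes; the sample data is constructed inline and nothing is fetched live.

```python
# Added example (constructed data, not the post's own tooling): diff the re-registered
# primary FTD against the secondary that is still passing traffic, before cutover.

def normalize_interfaces(records):
    """Key interfaces by physical/port-channel name, keeping only traffic-relevant fields."""
    out = {}
    for rec in records:
        ip = (rec.get("ipv4") or {}).get("static") or {}
        out[rec["name"]] = {"ifname": rec.get("ifname"), "mtu": rec.get("MTU", 1500),
                            "zone": (rec.get("securityZone") or {}).get("name"),
                            "ipv4": (ip.get("address"), ip.get("netmask")),
                            "enabled": rec.get("enabled", False)}
    return out

def normalize_routes(records):
    """Key static routes by (egress interface, destination network) -> (gateway, metric)."""
    out = {}
    for rec in records:
        gw = ((rec.get("gateway") or {}).get("literal") or {}).get("value")
        for net in rec.get("selectedNetworks", []):
            out[(rec["interfaceName"], net["name"])] = (gw, rec.get("metricValue", 1))
    return out

def compare_ftd_configs(primary, secondary):
    """Return human-readable findings; an empty list means the primary matches."""
    findings = []
    p_if, s_if = normalize_interfaces(primary["interfaces"]), normalize_interfaces(secondary["interfaces"])
    for name in sorted(set(p_if) | set(s_if)):
        if name not in p_if or name not in s_if:
            findings.append(f"interface {name} present on only one device")
            continue
        for field, value in p_if[name].items():
            if value != s_if[name][field]:
                findings.append(f"interface {name}: {field} primary={value!r} secondary={s_if[name][field]!r}")
    p_rt, s_rt = normalize_routes(primary["routes"]), normalize_routes(secondary["routes"])
    for key in sorted(set(p_rt) | set(s_rt)):
        if p_rt.get(key) != s_rt.get(key):
            findings.append(f"route {key[1]} via {key[0]}: primary={p_rt.get(key)} secondary={s_rt.get(key)}")
    return findings

# Constructed sample: primary rebuilt from screenshots with one wrong zone and one missing route.
SECONDARY = {"interfaces": [
    {"name": "Port-channel1", "ifname": "outside", "enabled": True, "securityZone": {"name": "OUTSIDE"},
     "ipv4": {"static": {"address": "203.0.113.2", "netmask": "24"}}},
    {"name": "Port-channel2", "ifname": "inside", "enabled": True, "securityZone": {"name": "INSIDE"},
     "ipv4": {"static": {"address": "10.0.0.1", "netmask": "24"}}}], "routes": [
    {"interfaceName": "outside", "selectedNetworks": [{"name": "any-ipv4"}], "gateway": {"literal": {"value": "203.0.113.1"}}},
    {"interfaceName": "inside", "selectedNetworks": [{"name": "corp-10.1.0.0-16"}], "gateway": {"literal": {"value": "10.0.0.254"}}}]}
PRIMARY = {"interfaces": [dict(SECONDARY["interfaces"][0]), dict(SECONDARY["interfaces"][1], securityZone={"name": "INSIDE-DMZ"})],
           "routes": SECONDARY["routes"][:1]}
```

Any non-empty findings list means the primary should stay shut on the chassis until the Device Management tabs are corrected and re-deployed.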