Showing results for 
Search instead for 
Did you mean: 

FirePower Threat Defense (FTD) migrations from one FMC to another FMC with Policy


Process for FTD migration with Policy

As per Cisco documentation, we have below steps for for de-register and register process. Please follow below steps :

Step 1 : Break HA pair and de-register your FTD from FMC (old).

Step 2 : Register your primary FTD with FMC (new).

Step 3 : Configure the interfaces and routing information on FMC (new).

Step 4 : De-register secondary FTD and register it with FMC (new).

Step 5 : Re-build HA on FMC (new).

Note : This process needs downtime as it will impact your traffic.


For registration process please refer to below link :


For De-registration process first you need to delete the device from FMC and then you need to run below command on FTD.

configure manager delete

Manager successfully deleted.


For HA break process please refer to below link.


But, I have created a cheat sheet and documented the below steps in detail which always helps me during FMC migrations.

Detail Steps:

  1. Create all necessary security zones with interface type under Objects ==> Interface on new FMC
  2. Take the screen shots of Device Interface details from old FMC
  3. Move (System ==> Export/Import) all the policies from old FMC to new FMC
  4. On old FMC make secondary FTD ACTIVE - make sure all the traffic is flowing fine with accessing applications
  5. Break the HA pair - minor interruption. All the traffic will be flowing through secondary FTD which is ACTIVE ==>Config will be removed from the primary FTD
  6. Remove (DELETE) the primary FTD from old FMC
  7. Shutdown the primary FTD interfaces on Chassis except the management. Disable all Port Channel Interfaces form 9300 Chassis Management portal if present.
  8. Attach (REGISTER) the primary FTD to the new FMC
  9. Do all the Device Management Config
  10. Interfaces – ADD Port Channels and ENABLE if exists
  11. Routing – ADD Static Routes
  12. Verify the Device (Model, Routed, Mgmt), cross check
  13. Verify the Summary for License
  14. Assigning all the policies and deploy.

    NOTE: Since the interfaces on Chassis are shutdown, the primary FTD won’t take traffic. If the interfaces are not shut on Primary FTD Chassis, it can cause split brain and cause a major outage after deployment

  15. Compare the Config of primary and secondary FTDs (one that is passing the traffic). Re-Verify all TABs.
  16. Once the config is good on primary FTD.
  17. Shutdown the secondary FTD interfaces from 9300 Chassis Management portal
  18. Enable the primary FTD interfaces 9300 Chassis Management portal
  19. Here we will have small amount of downtime
  20. Clear the arp on switch/adjacent devices. All the traffic should be passing through the primary FTD now.
  21. Validate all applications and verify the traffic on primary FTD, if all looks good then proceed further with step 22.
  22. Remove (DELETE) the secondary FTD from old FMC
  23. Attach (REGISTER) the secondary FTD to the new FMC
  24. Create HA with group, as Primary and Secondary FTD
  25. Update secondary interface IP Address and disable monitoring for time being
  26. Verify all Device Management Config with captured screen shots and then push the policy
  27. Re-verify all Device Management Config and Health alerts, then Enable Monitoring
  28. One last time push the policy and validate the applications.
  29. Verify the Logging with events.
1 Comment

Caution: At Step #23, FMC will deploy the policy during the FTD registration process and the deployment will fail.

Workaround: Delete the FTD and do the re-register process. Attach a dummy or temporary policy with no rules in ACP during the registration process. This will make the FTD register and then attach the original ACP Policy which will be successfull deployment.

Content for Community-Ad
This widget could not be displayed.