But I have created a cheat sheet and documented the steps below in detail, which always helps me during FMC migrations.
1. Create all necessary security zones with interface type under Objects ==> Interface on the new FMC.
2. Take screenshots of the Device Interface details from the old FMC.
3. Move (System ==> Export/Import) all the policies from the old FMC to the new FMC.
4. On the old FMC, make the secondary FTD ACTIVE. Make sure all the traffic is flowing fine when accessing applications.
5. Break the HA pair (minor interruption). All the traffic will be flowing through the secondary FTD, which is ACTIVE ==> config will be removed from the primary FTD.
6. Remove (DELETE) the primary FTD from the old FMC.
7. Shut down the primary FTD interfaces on the chassis except the management interface. Disable all Port Channel interfaces from the 9300 Chassis Management portal if present.
8. Attach (REGISTER) the primary FTD to the new FMC.
9. Do all the Device Management config.
10. Interfaces: ADD Port Channels and ENABLE them if they exist.
11. Routing: ADD static routes.
12. Verify the device (Model, Routed, Mgmt) and cross-check.
13. Verify the Summary for License.
14. Assign all the policies and deploy.
NOTE: Since the interfaces on the chassis are shut down, the primary FTD won't take traffic. If the interfaces are not shut on the primary FTD chassis, it can cause split brain and a major outage after deployment.
15. Compare the config of the primary and secondary FTDs (the one that is passing the traffic). Re-verify all tabs.
16. Once the config is good on the primary FTD:
17. Shut down the secondary FTD interfaces from the 9300 Chassis Management portal.
18. Enable the primary FTD interfaces from the 9300 Chassis Management portal.
19. Here we will have a small amount of downtime.
20. Clear the ARP on the switch/adjacent devices. All the traffic should be passing through the primary FTD now.
21. Validate all applications and verify the traffic on the primary FTD; if all looks good, then proceed further with step 22.
22. Remove (DELETE) the secondary FTD from the old FMC.
23. Attach (REGISTER) the secondary FTD to the new FMC.
24. Create HA with group, as primary and secondary FTD.
25. Update the secondary interface IP address and disable monitoring for the time being.
26. Verify all Device Management config against the captured screenshots and then push the policy.
27. Re-verify all Device Management config and health alerts, then enable monitoring.
28. One last time, push the policy and validate the applications.
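As an added example (not part of the original post), this script supports step 1 and the config comparison in step 15: it pulls the security zones from both FMCs over the REST API and reports zones that are missing on the new FMC or registered with a different interface type. The generatetoken and securityzones endpoints are the standard FMC ones; hostnames, credentials and the sample zone data are placeholders, and the TLS context is left to the caller.

```python
import base64
import json
from urllib.request import Request, urlopen


def _call(method, url, headers, ctx=None):
    """Issue one HTTPS request to the FMC; ctx is an optional ssl.SSLContext."""
    return urlopen(Request(url, method=method, headers=headers), context=ctx)


def fmc_login(host, user, password, ctx=None):
    """Return (access token, domain UUID) from the FMC generatetoken endpoint."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    resp = _call("POST", f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
                 {"Authorization": f"Basic {creds}"}, ctx)
    return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fetch_zones(host, token, domain, ctx=None):
    """Fetch security zones with expanded details (name + interfaceMode).
    limit=1000 is the FMC page maximum; paging is not handled here."""
    url = (f"https://{host}/api/fmc_config/v1/domain/{domain}"
           "/object/securityzones?expanded=true&limit=1000")
    resp = _call("GET", url, {"X-auth-access-token": token}, ctx)
    return json.load(resp).get("items", [])


def compare_zones(old_items, new_items):
    """Zones present on the old FMC but absent on the new one, and zones whose
    interface type (ROUTED, SWITCHED, INLINE, ...) differs between the two."""
    old = {z["name"]: z.get("interfaceMode") for z in old_items}
    new = {z["name"]: z.get("interfaceMode") for z in new_items}
    missing = sorted(n for n in old if n not in new)
    mismatched = sorted(n for n in old if n in new and old[n] != new[n])
    return {"missing": missing, "mismatched": mismatched}


# Constructed sample data standing in for the two FMCs' API responses.
OLD_ZONES = [{"name": "inside", "interfaceMode": "ROUTED"},
             {"name": "outside", "interfaceMode": "ROUTED"},
             {"name": "dmz", "interfaceMode": "ROUTED"}]
NEW_ZONES = [{"name": "inside", "interfaceMode": "SWITCHED"},
             {"name": "outside", "interfaceMode": "ROUTED"}]

if __name__ == "__main__":
    # Live use: tok, dom = fmc_login("old-fmc.example", "user", "pass"); ...
    print(compare_zones(OLD_ZONES, NEW_ZONES))
```

Run it against both FMCs before registering the first FTD; an empty report means step 1 is complete and the zone names the interface assignments depend on will resolve after registration.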