But I have created a cheat sheet and documented the steps below in detail, which always helps me during FMC migrations.
1. Create all necessary security zones with interface type under Objects ==> Interface on the new FMC.
2. Take screenshots of the Device Interface details from the old FMC.
3. Move (System ==> Export/Import) all the policies from the old FMC to the new FMC.
4. On the old FMC, make the secondary FTD ACTIVE. Make sure all the traffic is flowing fine and applications are accessible.
5. Break the HA pair (minor interruption). All the traffic will be flowing through the secondary FTD, which is ACTIVE ==> the config will be removed from the primary FTD.
6. Remove (DELETE) the primary FTD from the old FMC.
7. Shut down the primary FTD interfaces on the chassis except the management interface. Disable all Port-Channel interfaces from the 9300 Chassis Management portal if present.
8. Attach (REGISTER) the primary FTD to the new FMC.
9. Do all the Device Management config:
10. Interfaces – ADD Port Channels and ENABLE them if they exist.
11. Routing – ADD Static Routes.
12. Verify the Device (Model, Routed, Mgmt), cross-check.
13. Verify the Summary for the License.
14. Assign all the policies and deploy.
NOTE: Since the interfaces on the chassis are shut down, the primary FTD won't take traffic. If the interfaces are not shut on the primary FTD chassis, it can cause a split brain and a major outage after deployment.
15. Compare the config of the primary and secondary FTDs (the one that is passing the traffic). Re-verify all TABs.
16. Once the config is good on the primary FTD:
17. Shut down the secondary FTD interfaces from the 9300 Chassis Management portal.
18. Enable the primary FTD interfaces from the 9300 Chassis Management portal.
19. Here we will have a small amount of downtime.
20. Clear the ARP on the switch/adjacent devices. All the traffic should be passing through the primary FTD now.
21. Validate all applications and verify the traffic on the primary FTD; if all looks good, then proceed further with step 22.
22. Remove (DELETE) the secondary FTD from the old FMC.
23. Attach (REGISTER) the secondary FTD to the new FMC.
24. Create HA with the group, as Primary and Secondary FTD.
25. Update the secondary interface IP address and disable monitoring for the time being.
26. Verify all Device Management config against the captured screenshots and then push the policy.
27. Re-verify all Device Management config and health alerts, then enable monitoring.
28. One last time, push the policy and validate the applications.
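The "Compare the Config of primary and secondary FTDs" step above is the one that decides whether the cutover is safe, and eyeballing every tab is where mistakes slip through. The script below is an added example, not code from the original post or from Cisco: it diffs two text captures of `show running-config` (one from the re-registered primary, one from the secondary that is still passing traffic) and separates the differences an HA design is expected to have (hostname, failover lines, standby addresses) from everything else. The allow-list, the noise patterns and the two sample captures are constructed assumptions; extend the allow-list to match your own design.

```python
"""Pre-cutover config comparison for two FTD units (added example, not from
the original post). It does not talk to FMC or the devices: it works on two
plain-text captures of `show running-config`. Assumptions: one directive per
line, sub-commands indented with leading whitespace, and EXPECTED_DIFF lists
the only differences the HA design is supposed to have.
"""
import re
from typing import List, Set, Tuple

# Lines that legitimately differ between the two units (assumed allow-list).
# Matched with search() against the flattened "parent / child" form.
EXPECTED_DIFF = [
    re.compile(r"^hostname "),
    re.compile(r"^failover "),
    re.compile(r"/ ip address \S+ \S+ standby "),
]

# Capture noise that is never a real configuration difference (assumed).
VOLATILE = [re.compile(r"^:"), re.compile(r"^!"), re.compile(r"^Cryptochecksum")]


def normalize(cfg: str) -> List[str]:
    """Drop capture noise and blank lines; collapse runs of whitespace but keep
    a single leading space so sub-commands stay recognisable."""
    lines = []
    for raw in cfg.splitlines():
        if not raw.strip() or any(p.match(raw) for p in VOLATILE):
            continue
        lines.append(re.sub(r"\s+", " ", raw.rstrip()))
    return lines


def flatten(lines: List[str]) -> Set[str]:
    """Turn 'interface X' + ' nameif inside' into 'interface X / nameif inside'
    so a sub-command is compared in the context of its parent block."""
    out: Set[str] = set()
    parent = ""
    for line in lines:
        if line.startswith(" ") and parent:
            out.add(f"{parent} / {line.strip()}")
        else:
            parent = line
            out.add(line)
    return out


def is_expected(line: str) -> bool:
    return any(p.search(line) for p in EXPECTED_DIFF)


def compare(primary_cfg: str, secondary_cfg: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (unexpected, expected) differences as (side, line) tuples,
    sorted per side. Anything in `unexpected` must be fixed before cutover."""
    p = flatten(normalize(primary_cfg))
    s = flatten(normalize(secondary_cfg))
    unexpected, expected = [], []
    for side, only in (("primary only", p - s), ("secondary only", s - p)):
        for line in sorted(only):
            (expected if is_expected(line) else unexpected).append((side, line))
    return unexpected, expected


def safe_to_cut_over(primary_cfg: str, secondary_cfg: str) -> bool:
    """True when every remaining difference is on the allow-list."""
    return not compare(primary_cfg, secondary_cfg)[0]


# Constructed sample captures (not from a real device). The primary is missing
# the 'mtu' line and the secondary is missing the inside route.
PRIMARY_CFG = """\
: Saved
: Serial Number: constructed-1
hostname ftd-primary
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
interface Port-channel2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.0.0 10.1.1.254 1
Cryptochecksum:constructed
"""

SECONDARY_CFG = """\
: Saved
: Serial Number: constructed-2
hostname ftd-secondary
failover lan unit secondary
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
interface Port-channel2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
mtu outside 1500
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
Cryptochecksum:constructed
"""

if __name__ == "__main__":
    unexpected, expected = compare(PRIMARY_CFG, SECONDARY_CFG)
    for side, line in expected:
        print(f"expected   [{side}] {line}")
    for side, line in unexpected:
        print(f"UNEXPECTED [{side}] {line}")
    print("safe to cut over:", safe_to_cut_over(PRIMARY_CFG, SECONDARY_CFG))
```

Run it with the two captures saved to files and read in place of the constants; a non-empty `unexpected` list is the stop signal before shutting the secondary's interfaces. Sub-commands are reported with their parent block, so a missing `nameif` shows up as `interface Port-channel1 / nameif inside` rather than as an orphan line.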