Process for FTD migration with Policy
As per Cisco documentation, the de-register and register process consists of the steps below. Please follow these steps:
Step 1 : Break the HA pair and de-register your FTD from the old FMC.
Step 2 : Register your primary FTD with the new FMC.
Step 3 : Configure the interfaces and routing information on the new FMC.
Step 4 : De-register the secondary FTD and register it with the new FMC.
Step 5 : Re-build HA on the new FMC.
Note : This process needs downtime, as it will impact your traffic.
For the registration process, please refer to the link below:
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html
For the de-registration process, first delete the device from the FMC, and then run the command below on the FTD (the second line is the confirmation the FTD prints back):
configure manager delete
Manager successfully deleted.
For the HA break process, please refer to the link below:
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212699-configure-ftd-high-availability-on-firep.html#anc9
But I have also created a cheat sheet and documented the steps below in detail, which always helps me during FMC migrations. The steps are numbered because step 21 refers back to step 22.
Detailed steps:
1. Create all necessary security zones, with the correct interface type, under Objects ==> Interface on the new FMC.
2. Take screenshots of the device interface details from the old FMC.
3. Move (System ==> Export/Import) all the policies from the old FMC to the new FMC.
4. On the old FMC, make the secondary FTD ACTIVE; make sure all traffic is flowing fine by accessing the applications.
5. Break the HA pair (minor interruption). All traffic keeps flowing through the secondary FTD, which is ACTIVE ==> the configuration is removed from the primary FTD.
6. Remove (DELETE) the primary FTD from the old FMC.
7. Shut down the primary FTD interfaces on the chassis, except management. Disable all Port Channel interfaces from the 9300 Chassis Management portal if present.
8. Attach (REGISTER) the primary FTD to the new FMC.
9. Do all the Device Management configuration:
10. Interfaces – ADD the Port Channels and ENABLE them if they exist.
11. Routing – ADD the static routes.
12. Verify the device (Model, Routed, Mgmt) and cross-check.
13. Verify the Summary for the License.
14. Assign all the policies and deploy.
NOTE: Since the interfaces on the chassis are shut down, the primary FTD won't take traffic. If the interfaces are not shut on the primary FTD chassis, it can cause a split brain and a major outage after deployment.
15. Compare the config of the primary and secondary FTDs (the one that is passing traffic). Re-verify all tabs.
16. Continue only once the config is good on the primary FTD.
17. Shut down the secondary FTD interfaces from the 9300 Chassis Management portal.
18. Enable the primary FTD interfaces from the 9300 Chassis Management portal.
19. Here we will have a small amount of downtime.
20. Clear the ARP on the switch/adjacent devices. All traffic should now be passing through the primary FTD.
21. Validate all applications and verify the traffic on the primary FTD; if all looks good, proceed with step 22.
22. Remove (DELETE) the secondary FTD from the old FMC.
23. Attach (REGISTER) the secondary FTD to the new FMC.
24. Create HA with a group, with the primary and secondary FTD.
25. Update the secondary interface IP addresses and disable monitoring for the time being.
26. Verify all Device Management config against the captured screenshots, then push the policy.
27. Re-verify all Device Management config and health alerts, then enable monitoring.
28. Push the policy one last time and validate the applications.
29. Verify the logging with events.
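Steps 7, 10, 11 and 15 above are where migrations go wrong in practice: an interface or static route is re-typed incorrectly on the new FMC, or a chassis data port is left up on the primary before the deploy, which the NOTE warns leads to a split brain. The script below is an added example, not Cisco's code and not part of the original cheat sheet. It runs offline on constructed records that imitate, in simplified form, the interface and static-route details captured from each FMC (steps 2 and 10-11) and the port admin state shown by the 9300 chassis (step 7); the field names, values and the `role` marker for the management port are assumptions for this example, not an exact copy of the FMC or FXOS schema.

```python
"""Cut-over checks for an FTD migration between two FMCs (added example).

Works offline on constructed records; field names are assumptions that
mimic, in simplified form, FMC interface/route data and chassis port state.
"""

# Constructed sample: interface details captured from the OLD FMC (step 2).
OLD_FMC_INTERFACES = [
    {"ifname": "outside", "enabled": True, "securityZone": {"name": "OUTSIDE"},
     "ipv4": {"static": {"address": "203.0.113.2", "netmask": "24"}}},
    {"ifname": "inside", "enabled": True, "securityZone": {"name": "INSIDE"},
     "ipv4": {"static": {"address": "10.10.10.1", "netmask": "24"}}},
    {"ifname": "dmz", "enabled": True, "securityZone": {"name": "DMZ"},
     "ipv4": {"static": {"address": "192.0.2.1", "netmask": "24"}}},
]
OLD_FMC_ROUTES = [
    {"interfaceName": "outside", "network": "0.0.0.0/0", "gateway": "203.0.113.1", "metric": 1},
    {"interfaceName": "inside", "network": "10.20.0.0/16", "gateway": "10.10.10.254", "metric": 1},
]

# Constructed sample: what was rebuilt by hand on the NEW FMC (steps 10-11),
# with deliberate mistakes: wrong netmask on "inside", DMZ interface and one
# static route forgotten.
NEW_FMC_INTERFACES = [
    {"ifname": "outside", "enabled": True, "securityZone": {"name": "OUTSIDE"},
     "ipv4": {"static": {"address": "203.0.113.2", "netmask": "24"}}},
    {"ifname": "inside", "enabled": True, "securityZone": {"name": "INSIDE"},
     "ipv4": {"static": {"address": "10.10.10.1", "netmask": "23"}}},
]
NEW_FMC_ROUTES = [
    {"interfaceName": "outside", "network": "0.0.0.0/0", "gateway": "203.0.113.1", "metric": 1},
]

# Constructed sample: port admin state on the primary's 9300 chassis (step 7).
# "role": "mgmt" is an assumed marker for the management port.
CHASSIS_PORTS_PRIMARY = [
    {"name": "Ethernet1/1", "adminState": "disabled"},
    {"name": "Ethernet1/2", "adminState": "disabled"},
    {"name": "Ethernet1/3", "adminState": "enabled"},  # one data port was missed
    {"name": "Ethernet1/8", "adminState": "enabled", "role": "mgmt"},
]


def _iface_summary(rec):
    """Reduce an interface record to the fields that matter for the cut-over."""
    static = rec.get("ipv4", {}).get("static", {})
    return {"zone": rec.get("securityZone", {}).get("name"),
            "address": static.get("address"),
            "netmask": static.get("netmask"),
            "enabled": rec.get("enabled")}


def compare_interfaces(old, new):
    """List differences between two captures, matched by logical name (ifname)."""
    old_map = {r["ifname"]: _iface_summary(r) for r in old}
    new_map = {r["ifname"]: _iface_summary(r) for r in new}
    diffs = []
    for ifname in sorted(set(old_map) | set(new_map)):
        if ifname not in new_map:
            diffs.append(f"{ifname}: missing on new FMC")
        elif ifname not in old_map:
            diffs.append(f"{ifname}: extra on new FMC")
        else:
            for field, old_val in old_map[ifname].items():
                new_val = new_map[ifname][field]
                if old_val != new_val:
                    diffs.append(f"{ifname}: {field} old={old_val} new={new_val}")
    return diffs


def compare_routes(old, new):
    """Report static routes missing from, or added on, the new FMC."""
    def key(r):
        return (r["interfaceName"], r["network"], r["gateway"], r.get("metric", 1))
    old_set, new_set = {key(r) for r in old}, {key(r) for r in new}
    diffs = [f"missing route: {k[1]} via {k[2]} on {k[0]}" for k in sorted(old_set - new_set)]
    diffs += [f"extra route: {k[1]} via {k[2]} on {k[0]}" for k in sorted(new_set - old_set)]
    return diffs


def data_ports_quiesced(chassis_ports):
    """True only if every non-management chassis port is admin-down.

    This is the precondition from the NOTE before step 15: deploying to the
    primary while its data ports are up risks a split brain with the secondary
    that is still carrying the traffic.
    """
    return all(p["adminState"] == "disabled" for p in chassis_ports if p.get("role") != "mgmt")


def cutover_report(old_ifaces, new_ifaces, old_routes, new_routes, chassis_ports):
    """Aggregate all checks; 'ok' is False if anything still needs attention."""
    findings = compare_interfaces(old_ifaces, new_ifaces) + compare_routes(old_routes, new_routes)
    if not data_ports_quiesced(chassis_ports):
        findings.append("chassis: data ports still enabled on primary, do not deploy")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    report = cutover_report(OLD_FMC_INTERFACES, NEW_FMC_INTERFACES,
                            OLD_FMC_ROUTES, NEW_FMC_ROUTES, CHASSIS_PORTS_PRIMARY)
    for line in report["findings"]:
        print("-", line)
    print("READY" if report["ok"] else "NOT READY")
```

Run it against the constructed data and it reports the missing DMZ interface, the wrong netmask on inside, the forgotten static route and the chassis port that was left up, and prints NOT READY; with real exports from both FMCs in place of the constructed lists, an empty findings list is the signal to proceed from step 16. The comparison is deliberately keyed on the logical interface name rather than the physical port, because the physical port can legitimately change when the primary is re-registered, while the zone, addressing and routes must not.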