Showing results for 
Search instead for 
Did you mean: 

Firepower Migration Tool - FAQ


This event had place on Thursday 20, August 2020 at 10hrs PDT 


This event provides a brief introduction to Firepower Migration Tool and its capabilities. Cisco Firepower Migration Tool is a free software image used for migration from Adaptive Security Appliance (ASA) 8.4 or later, Check Point (r75-r77.30 & r80 and later), and Palo alto Network (6.1+) to Cisco Firepower Threat Defense (FTD). The session includes an interactive live demonstration.

Featured Expert

shrinad.jpgShrinad Trivedi is a Consulting Engineer with Cisco’s Security team in Bangalore, India. He works with Cisco in the Network Security domain with Firewall and VPN products. He has delivered multiple trainings on handling third party migrations and firewall migration capabilities using Firepower Migration Tool. Shrinad holds a bachelor’s degree in information technology and a CCIE certification in Security (#45631).

adganjoo.jpgAditya Ganjoo is a Technical Marketing Engineer in Bangalore, India. He has been working with Cisco for the past nine years in security domains such as Firewall, VPN, and Authentication, Authorization, and Accounting (AAA). Aditya has delivered trainings on ASA and VPN technologies. He holds a bachelor’s degree in information technology and a CCIE certification in Security (CCIE#58938). He has been a consistent contributor on Cisco Community and has delivered multiple sessions at Cisco Live.

You can download the slides of the presentation in PDF format here.

Live Questions

Q:Can I use this windows tool to migrate any version of ASA? 8.1(0)

A:ASA version should be 8.4 and onwards.

Q:FTD is VM or physical box?

A:It can be the VM or a physical appliance. The migration tool (FMT) is installable for windows or macOS. Your target FTD (Firepower Threat Defense) firewall can be either VM or a physical appliance.

Q:What about enabling the migration tool on FMC?

A:The FMT tool uses the FMC rest API's to migrate a configuration to FMC.

Q:What can I do in this case, I have 2 FWs 8.1 (0) and 2 FWs 8.2 (1)?

A:You will need to upgrade the ASA images to 8.4 and onwards to use the FMT for migrating the firewall to FMC. 

Q:I have heard/read somewhere there is a way that you can also enable migration tool features on FMC. Is it true?

A:Earlier there has been a 'migration mode' where you would use an FMC to migrate (instead of an installable). This migration is not supported anymore, please use the currently presented FMT instead.

Q:Is there an alternative for deploying policies instead of using FMC?

A:If FTD is added to FMC then policy deployment can be done only via FMC.

Q:What is the CCO?

A:CCO is your login credentials.

Q:How it will work if I have contexts created in my ASA?

A:Currently only one context can be migrated at a time. You can upload each context configuration and migrate it to an FTD instance. Alternatively, you can also connect to the ASA through 'Live Connect' and you will be able to select which context to migrate and will be able to select the next context.

Q:Where can I download that version 8.4 because the download page is not available?

A:FMT Support ASA 8.4 + you can upgrade to the available version in Portal. You can download it from the CCO, if the image is not present you can reach out to Cisco TAC and they will help you out on how to proceed.

Q:We are allowed to download the FMT on the Cisco portal or we required to have special rights?

A:You can download the FMT from the Cisco portal, no special rights are required.

Q:Can the FMC be on production FMC which runs some other FTDs?

A:It can be either the lab FMC or the actual production FMC as per the need you can leverage the scenario depending upon your choice.

Q:Is there an alternative for deploying policies instead of using FMC?

A:In case the sensor is managed by the FMC, then there is absolutely no option. There is one box manager that is called as FDM, that is fire per device manager.

Q:FMT is a license?

A:It is a free installable for Windows or macOS and does not require a license.

Q:Currently it is supports, Cisco, checkpoint and PA, it’s not supports for Fortigate?

A:Yes, its support. The Fortigate is in the development phase, so the tool will support soon. We'll be sharing information on the beta testing program for you to get early access.

Q:What is OGS?

A:This is ASA feature called as Object group search to provide memory optimization. Please find additional detail in the release notes of FTD:

Q:Do we need to establish any sic between fmt and checkpoint ? or it will on https?

A:There is two option one is via uploading the config to the tool, the other is via Live connection, where user can enter the credentials of CP firewall and the tool will automatically retrieve the config and migrate.

Q:Will it disturb production FMC/FTD while working with the migration tool?

A:No, prefer to use a sperate credential of FMC on FMT.While working with the migration tool, you won't get any impact on production because the tool will push the configuration to FMC. Later you can deploy to FTD after verifying. We recommend doing the activity when there is minimal activity.

Q:Can I use the migration tool to target FTD (not FMC) and test it. After all, config looks good, export it to a text file, and copy/paste/import after firepower units will be registered with FMC in production.The FMT will allow us to push the config on FMC and selecting the FTD. After a successful push and evaluation, you can deploy the config from FMC to FTD.

A:In the demo, you'll see that there is a 'Review & Validate' page where you can review all objects, ACLs, etc. that are to be migrated. (Nothing will be migrated until you click "Push").Once the configuration is pushed to FMC, you still have the option to not deploy it to the target device if you encounter any issues.

Q:We FMT generates any kind of report during the migration or after completion of migration?

A:Yes, in two phases, one on the completion of the processing the config next is after the Push of the configuration.

Q:Is checkpoint Security Manager similar to FMC?

A:Yes, it is similar.

Q:How about anti-spoofing settings of Checkpoint?

A:Right now tool will mark the anti-spoofing setting as ignored and will not be migrated to FMC. The anti-spoofing section is unsupported and will be part of the Pre-migration report under "Unsupported Configurations for Objects".

Q:Can I target FTD instead of FMC in the lab and then somehow export verified config to txt file and later import it later. Since after changing FTD to FMC config will be erased.

A:You have to target FMC with FMT. Without targeting FMC FMT will not be able to perform any migration. An alternative to migrate to an FDM/API managed-FTD would be to migrate through CDO.

Q:Can you connect Live to Provider 1?

A:I hope what you meant for provider 1 is firewall manager, yes tool allows to connect via the tool.

Q:Is there any way to export config from FTD to text file and then import it back later when the device will be registered to FMC?

A:Once you add FTD with FMC, the configuration has to be pushed from FMC.

Q: Can someone pls post what are the unsupported config/feature using FMT with ASA?

A:As of now VPN, dynamic routing, HA. FMT will parse the config and generate a Pre-migration report, which will have Ignored and an unsupported section with details.

Q:Is there any way to download convert config from fmt and later push into FMC?

A:No. Tool will allow us to download the xl from the conversion standpoint to verify, but this xl can be used for verification to migrate, the user has to upload the config again from the scratch to migrate to FMC.

Q:I cannot use CLI to change configuration after device registered to FMC?

A: Unfortunately, no, FMC acts as a config manager for the FTD.

Q:What will happen in case FMC virtual machine became unavailable. During that time no configuration can be made on any firepower devices, is that correct?

A:That is correct, we suggest to check the health and the connectivity between the FMC and the tool.

Q:Is this also collect URL objects?

A: It supports Domain Objects. A typo error in the previous response, Correction - It Doesn't support Domain Objects.

Q:What if we have ASA-X eg 5515-X sensors?

A:Currently it is more of a manual effort, we are planning for integrating in the future with FMT.

Q: How that FMT will help where you have ASA with multi-context and FTD with multi-instance?

A:You can select one Context at a time in the FMt migration process to one FTD. Toll can extract the multi-context ASA config and list down the extracted context one by one, user can select one and do the migration, after migrating the selected one tool will give the option to continue migrating the rest one by one.

Q: What about Checkpoint user authenticated rules?

A: Currently Unsupported.

Q:How about Checkpoint negate rules?

A:Rule will be migrated as unsupported tag and in Disable state, where the Negate in either source / Destination or Service will replace with Any.

Q:We are having the demo for Palo Alto migration?

A:We have not planned with this session, but the steps are so similar for PAN as well.

Q:Is the migration tool a stand-alone software to be installed on local, or migration tool is in the cloud?

A:It is installed locally, not on the cloud.Firepower 9300 Security Appliance Release 2.2.0:

Related Information

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (37%)

Content for Community-Ad