Introduction:
Cisco Firewall Migration Tool (FMT) is a free software image used for migration from Adaptive Security Appliance (ASA) 8.4 or later, Check Point (r75-r77.30 & r80 and later), Palo Alto Networks (6.1+) and Fortinet (5.0+) to Cisco Firepower Threat Defense (FTD). The Firewall Migration Tool is available on CDO, and can also be downloaded to run on Windows and Mac.
Q: What about enabling the migration tool on FMC?
A: Earlier, there was a 'migration mode' where you would use an FMC to migrate instead of an installable tool. Now, there is a separate tool that we need to use for migration. This tool connects to FMC and uses the REST APIs to migrate a configuration to FMC.
Q: How will it work if I have contexts created in my ASA?
A: You can upload the configuration and select one or multiple contexts for migration (context merging is possible). Alternatively, you can also connect to the ASA through 'Live Connect', fetch the configuration and choose which context to migrate.
Q: Do we need to establish SIC between FMT and Check Point (CP), or will it work over HTTPS?
A: You can simply use "Live Connect" where users can enter the credentials of the CP firewall, and the tool will automatically retrieve the configuration for migration.
Q: Which configurations or features are unsupported when using FMT with ASA?
A: There is no such list of unsupported features. You can always refer to the user guide and release notes for supported and unsupported features. However, after running the migration tool on a selected source page, you will be able to see all the supported features based on your source selection.
Q: Will FMT also migrate URL objects?
A: Yes, URL object migration support is available for FDM, Fortinet and Palo Alto firewalls.
Q: What if we have ASA-X e.g. 5515-X sensors?
A: FMT supports migration for those sensors.
Q: How will FMT help when you have a multi-context ASA and a multi-instance FTD?
A: FMT supports migrating a multi-context ASA to a single-instance FTD. However, it doesn't support migrating a multi-context ASA to a multi-instance FTD.
Q: What about Check Point user-authenticated rules?
A: Currently, this is supported only for LDAP-based authentication on versions R80-81.
Q: Is the migration tool stand-alone software to be installed locally, or is it in the cloud?
A: The migration tool is available both as a standalone application and in the cloud (CDO).
Q: What steps should we take if the environment for running the Firewall Migration tool is airgapped?
A: Contact Cisco TAC and request the latest airgapped build of the Firewall Migration tool.
Q: What should we do if the Firewall migration tool console crashes?
A: Close the Firewall migration tool and relaunch it; you'll be given the option to resume the migration.
Q: What is the support mechanism if there are migration errors?
A: The Firewall migration tool is integrated with Cisco Success Network. If there are errors or issues, contact Cisco TAC.
Q: Is there any dependency on management center to use the new features introduced in the Firewall migration tool?
A: Yes. The following features are supported with target management center 7.4 and later:
Q: Is there a dependency on the target FTD?
A: Yes. If the source configuration includes port channel interfaces, the destination FTD must be a physical device, not a virtual one.
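The port-channel dependency above can be checked before choosing a target. The following is an added example, not part of Cisco's tool or documentation: a Python script that scans an ASA running configuration for port-channel interfaces and their member interfaces. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed ASA running-config excerpt for illustration (not from the page).
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 channel-group 1 mode active
!
interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 nameif dmz
!
interface Port-channel1.100
 vlan 100
 nameif inside
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
MEMBER_RE = re.compile(r"^\s+channel-group\s+(\d+)\s+mode\s+\S+", re.I)
PC_RE = re.compile(r"^Port-channel(\d+)(?:\.\d+)?$", re.I)


def find_port_channels(config_text):
    """Map each port-channel ID in an ASA config to its member interfaces."""
    channels, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            pc = PC_RE.match(current)
            if pc:  # logical Port-channelN or subinterface Port-channelN.V
                channels.setdefault(int(pc.group(1)), set())
        elif not line.startswith(" "):
            current = None  # "!" or a new top-level command ends the block
        else:
            m = MEMBER_RE.match(line)
            if m and current:  # physical member of a channel group
                channels.setdefault(int(m.group(1)), set()).add(current)
    return {cid: sorted(members) for cid, members in channels.items()}


def requires_physical_ftd(config_text):
    """True if the source uses port channels (hypothetical helper name)."""
    return bool(find_port_channels(config_text))


if __name__ == "__main__":
    print(find_port_channels(SAMPLE_ASA_CONFIG), requires_physical_ftd(SAMPLE_ASA_CONFIG))
```
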
Q: What should we do if we encounter a "No Response from server" error?
A: This error typically occurs when the migration tool crashes. Relaunch the tool and either click "Resume Migration" or restart the migration process.