Migrate an ASA Configuration to a Firepower Threat Defense Configuration
- Prepare the ASA for Migration
- Install the Migration Tool
- Save the ASA Configuration File
- Convert the ASA Configuration File
- Import the Converted ASA Configuration
- Install Firepower Threat Defense
- Configure the Migrated Policies
Prepare the ASA for Migration
Step 1 | Verify that the ASA device meets the requirements for configuration migration; see ASA Device Requirements.
Step 2 | Identify the access control lists (ACLs) and NAT policies you want to export.
Step 3 | Determine how many entries are present in the ACL:
show access-list acl_name | i elements
Step 4 | If the configuration contains more than 2000000 elements, prune as many inessential elements as possible.
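The following script is an added example, not part of this guide or of the Cisco migration tool. It takes the two inputs the steps above produce (a saved ASA configuration file and the output of show access-list ... | i elements) and builds the inventory Steps 2 to 4 ask for: which ACLs exist and which are actually bound to an interface with access-group, how many NAT rules are present, and which ACLs exceed the 2000000-element limit. Both inputs are constructed samples; the hostnames, ACL names, addresses and hash values are invented. Note that the element count the ASA reports is larger than the number of access-list lines in the configuration, because object groups are expanded, which is why the procedure relies on show access-list rather than on counting configuration lines.

```python
"""Pre-migration inventory of an ASA configuration (added example, not Cisco's code)."""
import re
from typing import Dict, List

# Constructed sample of a saved ASA configuration file; not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-lab
object network inside-net
 subnet 10.1.0.0 255.255.0.0
object-group network web-servers
 network-object host 10.1.1.10
 network-object host 10.1.1.11
access-list outside_in remark Inbound rules for the DMZ web tier
access-list outside_in extended permit tcp any object-group web-servers eq 443
access-list outside_in extended permit tcp any object-group web-servers eq 80
access-list outside_in extended deny ip any any log
access-list inside_out extended permit ip object inside-net any
nat (inside,outside) source dynamic inside-net interface
object network web-1
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-group outside_in in interface outside
access-group inside_out in interface inside
"""

# Constructed sample of "show access-list acl_name | i elements" output. The ASA
# prints one summary line per ACL: "access-list NAME; N elements; name hash: 0x..."
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_in; 5 elements; name hash: 0x1a2b3c4d
access-list inside_out; 1 elements; name hash: 0x5e6f7a8b
access-list big_acl; 2150000 elements; name hash: 0x9c0d1e2f
"""

ELEMENT_LIMIT = 2_000_000  # threshold named in the migration procedure

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|webtype|ethertype)\b")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(.+)$")
NAT_RE = re.compile(r"^\s*nat\s+\(")
SUMMARY_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements;")


def count_aces(config_text: str) -> Dict[str, int]:
    """Number of access-control entries per ACL in the saved config (remark lines excluded)."""
    counts: Dict[str, int] = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def applied_acls(config_text: str) -> Dict[str, str]:
    """ACLs bound to an interface via access-group; an unbound ACL is rarely worth exporting."""
    return {m.group(1): m.group(2).strip()
            for line in config_text.splitlines()
            if (m := ACCESS_GROUP_RE.match(line))}


def nat_rules(config_text: str) -> List[str]:
    """Twice NAT (top-level 'nat (...)') and object NAT (indented under 'object network')."""
    return [line.strip() for line in config_text.splitlines() if NAT_RE.match(line)]


def parse_element_counts(show_text: str) -> Dict[str, int]:
    """Expanded element count per ACL, read from the show access-list summary lines."""
    return {m.group(1): int(m.group(2))
            for line in show_text.splitlines()
            if (m := SUMMARY_RE.match(line))}


def acls_over_limit(show_text: str, limit: int = ELEMENT_LIMIT) -> List[str]:
    """ACLs whose expanded element count exceeds the limit and must be pruned first."""
    return [name for name, n in parse_element_counts(show_text).items() if n > limit]


if __name__ == "__main__":
    aces = count_aces(SAMPLE_CONFIG)
    bound = applied_acls(SAMPLE_CONFIG)
    elements = parse_element_counts(SAMPLE_SHOW_ACCESS_LIST)
    for name in sorted(set(aces) | set(elements)):
        print(f"{name}: {aces.get(name, 0)} ACEs in config, "
              f"{elements.get(name, '?')} expanded elements, "
              f"bound: {bound.get(name, 'no')}")
    print("NAT rules:", *nat_rules(SAMPLE_CONFIG), sep="\n  ")
    print("ACLs over limit:", acls_over_limit(SAMPLE_SHOW_ACCESS_LIST) or "none")
```

To use it against a real device, replace SAMPLE_CONFIG with the contents of the saved .cfg or .txt file and SAMPLE_SHOW_ACCESS_LIST with the captured show access-list output; the functions return plain dictionaries and lists so they can be fed into whatever checklist you keep for the migration.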
Install the Migration Tool
Caution | Do not install the migration tool on a production Firepower Management Center. Use of this tool is not supported on production devices. After installing the migration tool, you can uninstall the tool only by reimaging the designated Firepower Management Center.
Save the ASA Configuration File
The migration tool can convert ASA configuration files in either the .cfg or .txt format.
Step 1 | Save the configuration. The commands you use to save this configuration may differ depending on the version of your ASA device. For more information, see the version-appropriate ASA configuration guide, as listed in the ASA documentation roadmap at http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html#pgfId-126642.
Step 2 | Transfer the saved configuration file to a location accessible from the migration tool (for example, your local computer or a shared drive on your network).
Convert the ASA Configuration File
Follow the steps below to convert the ASA configuration file (.cfg or .txt) to a Firepower configuration file (.sfo).
Caution | The migration tool UI is an extension of the Firepower Management Center UI. However, only the functionality described in this procedure is viable.
Step 1 | In the migration tool, choose .
Step 2 | Click Upload Package.
Step 3 | Click Browse, and choose the configuration file you exported from the ASA.
Step 4 | Click Next.
Step 5 | Choose the policy you want the system to use when converting access rules:
Step 6 | If you chose Prefilter Policy, choose the action you want the system to assign for access rules with a Permit action:
Step 7 | If you chose Access Control Policy, choose the action you want the system to assign to rules with a Permit action:
Step 8 | Specify how you want the system to handle unsupported rules:
Step 9 | Choose the action the system should assign when converting access rules with logging enabled:
Step 10 | Choose Next. The system queues the migration as a task. You can view the status of the task in the Message Center.
Step 11 | Click the System Status icon to display the Message Center.
Step 12 | Click the Tasks tab. The migration task is listed as the top message, because only migration tool tasks can be run on the intermediary Firepower Management Center.
Step 13 | If the migration fails, review error messages in the appropriate logs; for more information, see Troubleshoot Conversion Failure.
Step 14 | If the migration is successful:
Step 15 | Review the Migration Report. The Migration Report summarizes which ASA configurations the migration tool could or could not successfully convert to Firepower Threat Defense configurations. Unsuccessfully converted configurations include:
For unsuccessfully converted configurations that have Firepower equivalents, you can manually add them after you import the converted policies onto your production Firepower Management Center.
Troubleshoot Conversion Failure
If the conversion fails on the dedicated Firepower Management Center, the migration tool records error data in troubleshooting files you can download to your local computer.
Step 1 | Choose .
Step 2 | In the Appliance column of the appliance list, click the name of the dedicated Firepower Management Center.
Step 3 | Click Generate Troubleshooting Files.
Step 4 | Check the All Data check box.
Step 5 | Click Generate. The system queues troubleshooting file generation as a task.
Step 6 | Track the task's progress by viewing it in the Message Center.
Step 7 | After the system generates the troubleshooting files and the task status changes to Completed, click Click to retrieve generated files.
Step 8 | Follow the directions from TAC to send the troubleshooting files to Cisco.
Import the Converted ASA Configuration
In a multidomain deployment of a Firepower Management Center, the system assigns the converted ASA configuration to the domain where you import it. On import, the system populates the Domain fields in the converted objects.
Step 1 | On your production Firepower Management Center, choose .
Step 2 | Click Upload Package.
Step 3 | Click Choose File, and browse to the appropriate .sfo file on your local computer.
Step 4 | Click Upload.
Step 5 | Choose which policies you want to import. Policies may include access control policies, prefilter policies, or NAT policies, depending on your earlier migration choices.
Step 6 | Click Import. The system analyzes the file and displays the Import Conflict page.
Step 7 | On the Import Conflict page:
Step 8 | Click Import. When the import is complete, the system displays a message directing you to the Message Center.
Step 9 | Click the System Status icon to display the Message Center.
Step 10 | Click the Tasks tab.
Step 11 | Click the link in the import task to download the import report.
Install Firepower Threat Defense
Configure the Migrated Policies
This procedure describes high-level steps for configuring migrated policies on the Firepower Management Center. For more detailed information on each step, see the related procedure in the Firepower Management Center Configuration Guide.
Step 1 | Assign the interfaces on the Firepower Threat Defense device to the security zones or interface groups created during the conversion process.
Step 2 | If you migrated the ASA access rules to an access control policy:
Step 3 | If you migrated the ASA access rules to a prefilter policy:
Step 4 | If you migrated a NAT policy:
Step 5 | Optionally, configure next-generation firewall features, including application visibility and control, intrusion protection, URL filtering, and Advanced Malware Protection (AMP).
Step 6 | Deploy configuration changes; see Deploy Configuration Changes.
Deploy Configuration Changes
Use the steps below to deploy the migrated configuration. For more information on the deploy process, see Deploying Configuration Changes in the Firepower Management Center Configuration Guide.
Step 1 | On the Firepower Management Center menu bar, click Deploy. The Deploy Policies dialog lists devices with out-of-date configurations. The Version at the top of the dialog specifies when you last made configuration changes. The Current Version column in the device table specifies when you last deployed changes to each device.
Step 2 | Identify and choose the devices where you want to deploy configuration changes.
Step 3 | Click Deploy.
Step 4 | If the system identifies errors or warnings in the changes to be deployed, you have the following choices: