About Secure Firewall Migration Tool
The Secure Firewall migration tool enables you to migrate your firewall configurations to a supported Secure Firewall Threat Defense managed by a management center. The migration tool supports migration from Secure Firewall ASA, ASA with FirePOWER Services (FPS), FDM-managed devices as well as third-party firewalls from Check Point, Palo Alto Networks, and Fortinet.
This document provides critical and release-specific information about the Secure Firewall migration tool. Even if you are familiar with Secure Firewall releases and have previous experience with the migration process, we recommend that you read and thoroughly understand this document.
New Features
Release Version |
New Features |
---|---|
6.0.1 |
Cisco Secure Firewall ASA to Threat Defense Migration You can now optimize network and port objects when you migrate configurations from Secure Firewall ASA to threat defense. Review these objects in their respective tabs in the Optimize, Review and Validate Configuration page and click Optimize Objects and Groups to optimize your list of objects before migrating them to the target management center. See Optimize, Review, and Validate the Configuration in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information. |
FDM-Managed Device to Cisco Secure Firewall Threat Defense Migration You can now migrate DHCP, DDNS, and SNMPv3 configurations from your FDM-managed device to a threat defense device. Ensure you check the DHCP checkbox and Server, Relay, and DDNS checkboxes on the Select Features page. See Optimize, Review, and Validate the Configuration in the Migrating an FDM-Managed Device to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information. |
|
Fortinet Firewall to Cisco Secure Firewall Threat Defense Migration You can now migrate URL objects from a Fortinet firewall to your threat defense device. Review the URL Objects tab in the Objects tab in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration in the Migrating Fortinet Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information. |
|
Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense Migration You can now migrate URL objects from a Palo Alto Networks firewall to your threat defense device. Ensure you review the URL Objects tab in the Objects window in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration in the Migrating Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information. |
|
Check Point Firewall to Cisco Secure Firewall Threat Defense Migration You can now migrate port objects, FQDN objects, and object groups from a Check Point Firewall to your threat defense device. Review the Objects tab in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration in the Migrating Check Point Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool guide for more information. |
|
6.0.0.1 |
This patch release contains bug fixes. |
6.0 |
Cisco Secure Firewall ASA to Threat Defense Migration
See Specify Destination Parameters in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration. |
FDM-managed Device to Threat Defense Migration
See Specify Destination Parameters in the Migrating an FDM-Managed Device to Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration. |
|
Check Point Firewall to Threat Defense Migration
See Specify Destination Parameters in the Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool guide to know how to select this feature for migration. |
|
Fortinet Firewall to Threat Defense Migration
See Optimize, Review, and Validate the Configuration in Migrating Fortinet Firewall to Secure Firewall Threat Defense with the Migration Tool guide for more information. |
For information on the history of Secure Firewall migration tool, see:
Supported Configurations
The following configuration elements are supported for migration:
-
Network objects and groups
-
Service objects, except for those service objects configured for a source and destination
Note
Although the Secure Firewall migration tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.
-
Service object groups, except for nested service object groups
Note
Because nesting is not supported on the management center, the Secure Firewall migration tool expands the content of the referenced rules. The rules, however, are migrated with full functionality.
-
IPv4 and IPv6 FQDN objects and groups
-
IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)
-
Access rules that are applied to interfaces in the inbound direction and global ACL
-
Auto NAT, Manual NAT, and object NAT (conditional)
-
Static routes, ECMP routes, and PBR
-
Physical interfaces
-
Secondary VLANs on ASA or ASA with FirePOWER Services interfaces will not migrate to threat defense.
-
Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)
-
Port channels
-
Virtual tunnel interface (VTI)
-
Bridge groups (transparent mode only)
-
IP SLA Monitor
The Secure Firewall migration tool creates IP SLA objects, maps the objects with the specific static routes, and migrates these objects to management center.
Note
IP SLA Monitor is not supported for non-threat defense flow.
-
Object Group Search
Note
-
Object Group Search is unavailable for management center or threat defense version earlier than 6.6.
-
Object Group Search will not be supported for non-threat defense flow and will be disabled.
-
-
Time-based objects
Note
-
You must manually migrate timezone configuration from source ASA, ASA with FirePOWER Services, and FDM-managed device to target threat defense.
-
Time-based object is not supported for non-threat defense flow and will be disabled.
-
Time-based objects are supported on management center version 6.6 and above.
-
-
Site-to-Site VPN Tunnels
-
Site-to-Site VPN—When the Secure Firewall migration tool detects crypto-map configuration in the source ASA and FDM-managed device, the Secure Firewall migration tool migrates the crypto-map to management center VPN as point-to-point topology
-
Site-to-site VPN from Palo Alto Networks and Fortinet firewalls
-
Crypto map (static/dynamic) based VPN from ASA and FDM-managed device
-
Route-based (VTI) ASA and FDM VPN
-
Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewalls.
-
ASA, FDM-managed device, Palo Alto Networks, and Fortinet trustpoint or certificates migration to management center must be performed manually and is part of the pre-migration activity.
-
-
Dynamic Route objects, BGP, and EIGRP
-
Policy-List
-
Prefix-List
-
Community-List
-
Autonomous System (AS)-Path
-
Route-Map
-
-
Remote Access VPN
-
SSL and IKEv2 protocol.
-
Authentication methods—AAA only, Client Certificate only, SAML, AAA, and Client Certificate.
-
AAA—Radius, Local, LDAP, and AD.
-
Connection Profiles, Group-Policy, Dynamic Access Policy, LDAP Attribute Map, and Certificate Map.
-
Standard and Extended ACL.
-
RA VPN Custom Attributes and VPN load balancing
-
As part of pre-migration activity, perform the following:
-
Migrate the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually to the management center as PKI objects.
-
Retrieve AnyConnect packages, Hostscan Files (Dap.xml, Data.xml, Hostscan Package), External Browser package, and AnyConnect profiles from the source ASA and FDM-managed device.
-
Upload all AnyConnect packages to the management center.
-
Upload AnyConnect profiles directly to the management center or from the Secure Firewall migration tool.
-
Enable the ssh scopy enable command on the ASA to allow retrieval of profiles from the Live Connect ASA.
-
-
-
ACL optimization
ACL optimization supports the following ACL types:
-
Redundant ACL—When two ACLs have the same set of configurations and rules, then removing the non-base ACL will not impact the network.
-
Shadow ACL—The first ACL completely shadows the configurations of the second ACL.
Note
ACL optimization is currently not available for Palo Alto Networks and ASA with FirePower Services (FPS).
-
For information on the supported configurations of the Secure Firewall migration tool, see:
Migration Workflow
For information on the migration workflow of the Secure Firewall migration tool, see:
Migration Reports
The Secure Firewall migration tool provides the following reports in HTML format with details of the migration:
-
Pre-Migration Report
-
Post-Migration Report
Secure Firewall Migration Tool Capabilities
The Secure Firewall migration tool provides the following capabilities:
-
Validation throughout the migration, including parse and push operations
-
Object re-use capability
-
Object conflict resolution
-
Interface mapping
-
Auto-creation or reuse of interface objects (ASA name if to security zones and interface groups mapping)
-
Auto-creation or reuse of interface objects
-
Auto-zone mapping
-
User-defined security zone and interface-group creation
-
User-defined security zone creation
-
Subinterface limit check for the target threat defense device
-
Platforms supported:
-
ASA Virtual to Threat Defense Virtual
-
FDM Virtual to Threat Defense Virtual
-
Same hardware migration (X to X device migration)
-
X to Y device migration (Y having higher number of interfaces)
-
-
ACL optimization for source ASA, FDM-managed device, Fortinet, and Checkpoint for ACP rule action.
Infrastructure and Platform Requirements
The Secure Firewall migration tool requires the following infrastructure and platform:
-
Windows 10 64-bit operating system or on a macOS version 10.13 or higher
-
Google Chrome as the system default browser
Tip
We recommend that you use full screen mode on the browser when using the migration tool.
-
A single instance of the Secure Firewall migration tool per system
-
Management Center and Threat Defense must be version 6.2.3.3 or later
Note |
Remove the previous build before downloading the newer version. |
Open and Resolved Issues
Open Issues
Bug ID |
Description |
---|---|
NAT configuration in Fortinet firewall is not getting parsed. |
|
A configuration push error in Fortinet migration occurs because of a special character. |
Resolved Issues
Bug ID |
Description |
---|---|
Error while pushing ASA VPN object - local variable payload. |
|
PAN preparsing summary shows 0 entries for all features. |
|
FDM migration to new hardware fails at push stage. |
|
Fortinet firewall VPN configurations are mapped with the same interfaces. |
|
Fortinet firewall migration fails with object group error at parsing. |
|
RA VPN tab in Fortinet firewall migration is not flashing as expected and the AnyConnect tab is blank. |
|
SNMP tab in ASA migration is not showing next page information even when more than 50 objects are migrated. |
|
Fortinet firewall migration fails with ACL parsing errors. |
|
FDM shared configuration migration fails with push failure for geolocation object. |
|
Fortinet RA VPN configuration object reuse is not working. |
Open and Resolved Caveats
The open caveats for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you don’t have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help. |
Use the Open and Resolved Caveats dynamic query for an up-to-date list of open and resolved caveats in Secure Firewall migration tool.
Related Documentation
-
Migrating ASA Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool
-
Migrating an FDM-Managed Device to Secure Firewall Threat Defense with the Migration Tool
-
Migrating Check Point Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool
-
Migrating Fortinet Firewall to Firewall Threat Defense with the Secure Firewall Migration Tool
-
Migrating an ASA to an FDM-Managed Device Using Cisco Defense Orchestrator
-
Navigating the Cisco Secure Firewall Migration Tool Documentation