Migrate Firepower Threat Defense to Cloud-delivered Firewall Management Center

Available Languages

Download Options

  • PDF     (1.2 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 7, 2024
Document ID:222053

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to migrate a Firepower Thread Defense from an OnPrem FMC to Cloud-Delivered FMC.

    Prerequisites

    Requirements

    Cisco recommends knowledge of these topics:


    Cloud-Delivered Firepower Management Center (cdFMC)
    Cisco Defense Orchestrator (CDO)
    Secure Firepower Threat Defense (FTDv)
    Firepower Management Center (FMC)

    Components Used

    The information in this document is based on these software versions:

    • FTD 7.2.7
    • cdFMC 
    • FMC 7.4.1 

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Cisco Defense Orchestrator admin users can migrate threat defense devices to the cloud-delivered Firewall Management Center from on-prem management centers running Version 7.2 or later. In addition, you can migrate devices to the cloud-delivered Firewall Management Center from an on-prem management center 1000/2500/4500.

    Before you begin the migration process, it is important to upgrade the on-prem management center models to a CDO-supported version and onboarding it to CDO. Only after this step, you can proceed with the migration of the devices that are associated with the on-prem management center.

    Configure

    1.- Onboard the OnPrem FMC to the CDO tenant

    These pictures show the initial setup process needed to onboard your OnPrem FMC to your CDO tenant.

    From the CDO home menu, navigate to Tools & Services > Firewall Management Center. On the FIrepower Management Center page, notice there is a blue add button on the top right of the screen and select the add button.

    Image 1. Firepower Management Center page.Image 1. Firepower Management Center page.

    Select Firewall Management Center.

    Image 2. Services.Image 2. Services.

    Select Use Credentials.

    Image 3. Different methods to onboard an FMC.Image 3. Different methods to onboard an FMC.

    Name your FMC so it can be display in the CDO inventory. 

    Enter the FMC IP address, hostname or FQDN with the correct GUI port so the CDO can stablish a connection for the oboard process. 

    Image 4. FMC information.Image 4. FMC information.

    Enter your device credentials. 

    Image 5. FMC credentials.Image 5. FMC credentials.

    At this point, the onboarding process has started. Select Go To Services to display the process.

    Image 6. Start the onboarding process.Image 6. Start the onboarding process.

    The onboarding process is completed once you can see the status as synced.

    Image 7. The onboarding process is completedImage 7. The onboarding process is completed

    2.- Migrate the FTD device from the OnPrem FMC to cdFMC

    Once the OnPrem FMC onboarding process is completed we can start to migrate the FTD device. 

    Navigate to Tools & Services > Migrate FTD to cdFMC, on the Migrate FTD to cdFMC page, notice there is a blue add button on the top right of the screen, select the add button. 

    Image 8. Migrate FTD to cdFMC.Image 8. Migrate FTD to cdFMC.

    Select your FMC, this is the one from where you want to migrate your FTD. 

    Image 9. Select OnPrem FMC.Image 9. Select OnPrem FMC.

    Select the FTD that you want to migrate to cdFMC, you need to select a Commit Action  from the drop down menu.

    There are two options, Retain on Onprem FMC for Analysis or Delete FTD from OnPrem FMC.

    Image 10. Select Devices.Image 10. Select Devices.

    Notice there is a checkbox enabled by default to auto deploy the configuration to the FTD after successful migration. You have the option to disable the autodeploy task if you want to aply changes later.

    Select Migrate to cdFMC to start the migration process. 

    Image 11. Start the migration process.Image 11. Start the migration process.

    The migration process has now started, usallly it takes about 15 minutes to be completed.

    The migration process is completed once you can notice the status as successful.

    Image 12. The migration process is completedImage 12. The migration process is completed

    3.- Commit changes 

    The last step is to commit the migraiton changes. You have 14 days to commit migration changes, we recommend that you commit migration changes manually if you are convinced with your changes and not waiting for Cisco Defense Orchestrator to auto commit changes. The Commit Migration Changes window shows the remaining days to commit the migration to cloud-delivered Firewall Management Center or revert the device to on-prem management center.

    In order to commit changes, open the kebab menu on the rigth side of your screen, and select Commit Migration Changes.

    Image 13. Commit migration changes.Image 13. Commit migration changes.

    Validate that the Commit Action is correct, and select the device you want to commit changes.

    Image 14. Commit changes validation.Image 14. Commit changes validation.

    Commit changes has now started , ussually it takes about 15 minutes to be completed.

    Image 15. Commit changes in progress.Image 15. Commit changes in progress.

    The migration is completed once you can see the migration status as Succesful and the commit status as Comitted.

    Image 16. Migration process and commit changes completed.Image 16. Migration process and commit changes completed.

    Verify

    Navigate to Tools & Services > Firepower Manager Center, and validate that now the device number on your OnPrem FMC has decreased. 

    On the other hand, you can see how the device number of your cdFMC has increased, this means, the migration process is completed. 

    Image 17. Firepower Management Center list.Image 17. Firepower Management Center list.

    Login to your OnPrem FMC and validate the completed tasks, you can see how the FTD was migrated and unregistered from the OnPrem FMC.

    Image 18. OnPrem FMC tasks validation.Image 18. OnPrem FMC tasks validation.

    Related Information

    Revision History

    Revision Publish Date Comments
    2.0
    07-Jun-2024
    Initial Release
    1.0
    07-Jun-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Leonel Matus Climaco
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products