7.0.1
|
This release includes the following new features and enhancements:
-
You can now migrate configurations from your Cisco firewalls such as ASA and FDM-managed devices and third-party firewalls
to Cisco Secure Firewall 1200 Series devices.
See: Cisco Secure Firewall 1200 Series
-
You can now update the preshared keys for more than one site-to-site VPN tunnel configuration at once. Export the site-to-site
VPN table in the Optimize, Review and Validate Configuration page to an Excel sheet, specify the preshared keys in the respective cells, and upload the sheet back. The migration tool
reads the preshared keys from the Excel and updates the table.
See: Optimize, Review, and Validate the Configuration
Supported migrations: All
-
You can now choose to ignore migration-hindering, incorrect configurations and still continue the final push of a migration.
Previously, the whole migration failed even if a single object's push failed because of errors. You also now have the control
to abort the migration manually to fix the error and retry migration.
See: Push the Migrated Configuration to Management Center
Supported migrations: All
-
The Secure Firewall migration tool now detects existing site-to-site VPN configurations in the target threat defense device
and prompts you to choose if you want them deleted, without having to log in to the management center. You could choose No and manually delete them from the management center to continue with the migration.
See: Optimize, Review, and Validate the Configuration
Supported migrations: All
-
If you have an existing hub and spoke topology configured on one of the threat defense devices managed by the target management
center, you could choose to add your target threat defense device as one of the spokes to the existing topology right from
the migration tool, without having to manually do it on the management center.
See: Optimize, Review, and Validate the Configuration
Supported migrations: Secure Firewall ASA
-
When migrating thrid-party firewalls, you can now select threat defense devices as target, which are part of a high availability
pair. Previously, you could only choose standalone threat defense devices as target devices.
Supported migrations: Palo Alto Networks, Check Point, and Fortinet firewall migrations
-
The Secure Firewall migration tool now provides a more enhanced, intuitive demo mode, with guided migration instructions at
every step. In addition, you can also see versions of target threat defense devices to choose and test based on your requirements.
Supported migrations: All
|
7.0 |
This release includes the following new features and enhancements:
Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense Migration
-
You can now configure a threat defense high availability (HA) pair on the target management center and migrate configurations
from a Secure Firewall ASA HA pair to the management center. Choose Proceed with HA Pair Configuration on the Select Target page and choose an active and a standby device. When selecting the active threat defense device, ensure you have an identical
device on the management center for the HA pair configuration to be successful. See Specify Destination Parameters for the Secure Firewall Migration Tool in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool book for more information.
-
You can now configure a site-to-site hub and spoke VPN topology using threat defense devices when migrating site-to-site VPN
configurations from an ASA device. Click Add Hub & Spoke Topology under Site-to-Site VPN Tunnels on the Optimize, Review and Validate Configuration page. See Optimize, Review, and Validate the Configuration in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool book for more information.
Fortinet Firewall to Cisco Secure Firewall Threat Defense Migration
|
6.0.1
|
This release includes the following new features and enhancements:
Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense Migration
-
You can now optimize network and port objects when you migrate configurations from Secure Firewall ASA to threat defense.
Review these objects in their respective tabs in the Optimize, Review and Validate Configuration page and click Optimize Objects and Groups to optimize your list of objects before migrating them to the target management center. The migration tool identifies objects
and groups that have the same value and prompts you to choose which to retain. See Optimize, Review, and Validate the Configuration for more information.
FDM-managed Device to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate DHCP, DDNS, and SNMPv3 configurations from your FDM-managed device to a threat defense device. Ensure
you check the DHCP checkbox and Server, Relay, and DDNS checkboxes on the Select Features page. See Optimize, Review, and Validate the Configuration for more information.
Fortinet Firewall to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate URL objects in addition to other object types from a Fortinet firewall to your threat defense device.
Review the URL Objects tab in the Objects window in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration for more information.
Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate URL objects in addition to other object types from a Palo Alto Networks firewall to your threat defense
device. Ensure you review the URL Objects tab in the Objects window in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration for more information.
Check Point Firewall to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate port objects, FQDN objects, and object groups from a Check Point Firewall to your threat defense device.
Review the Objects window in Optimize, Review and Validate Configuration page during migration. See Optimize, Review, and Validate the Configuration for more information.
|
6.0
|
This release includes the following new features and enhancements:
Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate WebVPN configurations on your Secure Firewall ASA to Zero Trust Access Policy configurations on a threat
defense device. Ensure that you check the WebVPN checkbox in Select Features page and review the new WebVPN tab in the Optimize, Review and Validate Configuration page. The threat defense device and the target management center must be running on Version 7.4 or later and must be operating
Snort3 as the detection engine.
-
You can now migrate Simple Network Management Protocol (SNMP) and Dynamic Host Configuration Protocol (DHCP) configurations
to a threat defense device. Make sure that you check the SNMP and DHCP checkboxes in the Select Features page. If you have configured DHCP on your Secure Firewall ASA, note that the DHCP server, or relay agent and DDNS configurations
can also be selected to be migrated.
-
You can now migrate the equal-cost multipath (ECMP) routing configurations when performing a multi-context ASA device to a
single-instance threat defense merged context migration. The Routes tile in the parsed summary now includes ECMP zones also, and you can validate the same under the Routes tab in the Optimize, Review and Validate Configuration page.
-
You can now migrate dynamic tunnels from the dynamic virtual tunnel interface (DVTI) configurations from your Secure Firewall
ASA to a threat defense device. You can map them in the Map ASA Interfaces to Security Zones, Interface Groups, and VRFs page. Ensure that your ASA Version is 9.19 (x) and later for this feature to be applicable.
FDM-managed Device to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate the Layer 7 security policies including SNMP and HTTP, and malware and file policy configurations from
your FDM-managed device to a threat defense device. Ensure that the target management center Version is 7.4 or later and that
Platform Settings and File and Malware Policy checkboxes in Select Features page are checked.
Check Point Firewall to Cisco Secure Firewall Threat Defense Migration
-
You can now migrate the site-to-site VPN (policy-based) configurations on your Check Point firewall to a threat defense device.
Note that this feature applies to Check Point R80 or later versions, and management center and threat defense Version 6.7
or later. Ensure that the Site-to-Site VPN Tunnels checkbox is checked in the Select Features page. Note that, because this is a device-specific configuration, the migration tool does not display these configurations
if you choose to Proceed without FTD.
Fortinet Firewall to Cisco Secure Firewall Threat Defense Migration
-
You can now optimize your application access control lists (ACLs) when migrating configurations from a Fortinet firewall to
your threat defense device. Use the Optimize ACL button in the Optimize, Review and Validate Configuration page to see the list of redundant and shadow ACLs and also download the optimization report to see detailed ACL information.
|
5.0.1 |
This release includes the following new features and enhancements:
-
The Secure Firewall migration tool now supports migration of multiple transparent firewall-mode security contexts from Secure
Firewall ASA devices to threat defense devices. You can merge two or more transparent firewall-mode contexts that are in your
Secure Firewall ASA device to a transparent-mode instance and migrate them.
In a VPN-configured ASA deployment where one or more of your contexts have VPN configurations, you can choose only one context
whose VPN configuration you want to migrate to the target threat defense device. From the contexts that you have not selected,
only the VPN configuration is ignored and all other configurations are migrated.
See Select the ASA Security Context for more information.
-
You can now migrate site-to-site and remote access VPN configurations from your Fortinet and Palo Alto Networks firewalls
to threat defense using the Secure Firewall migration tool. From the Select Features pane, select the VPN features that you want to migrate. See the Specify Destination Parameters for the Secure Firewall Migration
Tool section in Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Migration Tool and Migrating Fortinet Firewall to Secure Firewall Threat Defense with the Migration Tool guides.
-
You can now select one or more routed or transparent firewall-mode security contexts from your Secure Firewall ASA devices
and perform a single-context or multi-context migration using the Secure Firewall migration tool.
|
5.0 |
-
Secure Firewall migration tool now supports migration of multiple security contexts from Secure Firewall ASA to threat defense
devices. You can choose to migrate configurations from one of your contexts or merge the configurations from all your routed
firewall mode contexts and migrate them. Support for merging configurations from multiple transparent firewall mode contexts
will be available soon. See Select the ASA Primary Security Context for more information.
-
The migration tool now leverages the virtual routing and forwarding (VRF) funtionality to replicate the segregated traffic
flow observed in a multi-context ASA environment, which will be part of the new merged configuration. You can check the number
of contexts the migration tool has detected in a new Contexts tile and the same after parsing, in a new VRF tile in the Parsed Summary page. In addition, the migration tool displays the interfaces to which these VRFs are mapped, in the Map Interfaces to Security Zones and Interface Groups page.
-
You can now try the whole migration workflow using the new demo mode in Secure Firewall migration tool and visualize how your
actual migration looks like. See Using the Demo Mode in Firewall Migration Tool for more information.
-
With new enhancements and bug fixes in place, Secure Firewall migration tool now provides an improved, faster migration experience
for migrating Palo Alto Networks firewall to threat defense.
|
4.0.3 |
The Secure Firewall migration tool 4.0.3 includes bug fixes and the following new enhancements:
|
4.0.2
|
The Secure Firewall migration tool 4.0.2 includes the following new features and enhancements:
-
The migration tool now has an always-on telemetry; however, you can now choose to send limited or extensive telemetry data.
Limited telemetry data inludes few data points, whereas extensive telemetry data sends a more detailed list of telemetry data.
You can change this setting from .
|
4.0.1
|
The Secure Firewall migration tool 4.0.1 includes the following new features and enhancements:
The Secure Firewall migration tool now analyzes all objects and object groups based on both their name and configuration,
and reuses objects that have the same name and configuration. Only network objects and network object groups were analyzed
based on their name and configuration before. Note that the XML profiles in remote access VPNs are still validated only using
their name.
|
4.0
|
Secure Firewall migration tool 4.0 supports:
Migration of FDM-managed device to management center provided the destination management center version is 7.3 or later and
the source device manager version is 7.2 or later.
The version of the device manager must be equal to or lower than the version of the destination management center.
The following options are available for the migration:
-
Migrate Firepower Device Manager (Shared Configurations only): This option allows you to migrate staged migrations. In this case, you can initially migrate all shared configurations and
migrate the device configurations at a later stage as per your requirements. During the migration process, only the shared
configurations are migrated to the targeted management center. The configuration bundle obtained from the device manager can
be uploaded or the device manager credentials can be provided for the tool to fetch the configuration details. Automated fetching
of the configuration details is the preferred method.
-
Migrate Firepower Device Manager (Includes Device and Shared configurations): This option allows you to migrate both, the device and the shared configurations from the device manager to the targeted
management center. Once the source device and its configuration are migrated to the targeted management center, the FDM-managed
device becomes the targeted management center device. For the tool to fetch the configuration details, you must provide the
device manager credentials. Only an automated fetching of the configurations is allowed for this migration option.
-
Migrate Firepower Device Manager (Includes Device and Shared Configurations) to FTD Device (New Hardware): This option allows you to migrate both, the device and the shared configuration to a threat defense device managed by the
targeted management center. In this case, during the migration process, the source device is not migrated and only the device
configuration is migrated to the new threat defense device. The configuration bundle obtained from the device manager can
be uploaded or the device manager credentials can be provided for the tool to fetch the configuration details. Automated fetching
of the configuration details is the preferred method.
|