Prerequisites for Migrating Firewall Threat Defense to Cloud-Delivered Firewall Management Center

Before you begin the process, ensure that the following prerequisites are met:

  • DNS Server Configuration:

    The Firewall Threat Defenses must have the correct DNS server configuration to resolve Cloud-Delivered Firewall Management Center hostnames. For details about checking connectivity with Cloud-Delivered Firewall Management Center, see Check device connectivity with Cloud-Delivered Firewall Management Center.

  • Network Access:

    The Firewall Threat Defenses must be able to reach Cloud-Delivered Firewall Management Center on TCP port 8305. Outbound connectivity from the Firewall Threat Defenses to Cloud-Delivered Firewall Management Center is sufficient; no inbound connection to the devices is required.

  • Firewall Threat Defense Outbound Ports 443 and 8305:

    The Firewall Threat Defenses must be able to reach ports 443 and 8305 of Cloud-Delivered Firewall Management Center.

  • On-Premises Firewall Management Center Outbound Port 443:

    The on-premises Firewall Management Center must have outbound port 443 (HTTPS) open so that it can reach the “*.cdo.cisco.com” domain.

  • The on-premises Firewall Management Center is onboarded to Security Cloud Control. Onboarding the on-premises Firewall Management Center also onboards all the Firewall Threat Defense devices registered to that on-premises Firewall Management Center. See Onboard an On-Prem FMC.

    Note

    Create a dedicated user in the on-premises Firewall Management Center with the Administrator role, or a custom user role that has the Devices and System permissions, and use that account for onboarding.

    Caution

    If you onboard an on-premises Firewall Management Center to Security Cloud Control while you are also signed in to that on-premises Firewall Management Center with the same user name, the onboarding fails.

  • For the on-premises Firewall Management Center 1000/2500/4500 migration:

  • The Firewall Threat Defense devices must be in sync with the on-premises Firewall Management Center and must not have pending changes. The migration fails for any device on which Security Cloud Control detects pending changes.

  • All peer devices in a site-to-site VPN topology must be online and have no pending deployment.

  • The on-premises Firewall Management Center must allow outbound HTTP/HTTPS so that it can upload configurations to Amazon S3.

  • Security Cloud Control imports the syslog alert objects used in the access control policy from the on-premises Firewall Management Center. If Security Cloud Control already contains an alert object with the same name but a different type (SNMP or Email), that existing object is reused during the configuration import instead of the syslog object.

    Before you start the migration, check whether any syslog alert object name matches an existing SNMP or Email alert object in Security Cloud Control. If a name matches, rename the syslog object in the on-premises Firewall Management Center first.

  • If you migrate firewalls whose system-defined FlexConfig text objects have been modified on the on-premises Firewall Management Center, the modified values of those objects are not migrated to Cloud-Delivered Firewall Management Center, and the subsequent deployment fails.

    To avoid this, perform these tasks before you start the migration:

    • Copy the modified values of the system-defined FlexConfig text objects from the on-premises Firewall Management Center to the corresponding objects in Cloud-Delivered Firewall Management Center.

    • Verify the predefined FlexConfig text objects in Cloud-Delivered Firewall Management Center, and only then initiate the migration from the on-premises Firewall Management Center.
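The connectivity items above (DNS resolution of the Cloud-Delivered Firewall Management Center hostname, outbound TCP 443 and 8305) and the syslog alert name check can be scripted before you open the migration wizard. The following Python is an added example, not Cisco code and not part of this page; run it from an administrative host that shares the devices' egress path. The hostname `cdfmc.example.invalid` is a placeholder for the address your Security Cloud Control tenant gives you, the alert inventories are constructed sample data, and the name comparison is assumed to be exact and case-sensitive.

```python
"""Preflight checks before migrating threat defense management to
Cloud-Delivered Firewall Management Center (added example, not Cisco code)."""
import socket
from typing import Dict, List, Tuple

# Ports the device must reach on the cloud side (TCP, outbound only).
REQUIRED_PORTS = (443, 8305)

# Placeholder hostname (assumption): substitute the one your tenant uses.
CDFMC_HOST = "cdfmc.example.invalid"


def resolve_host(host: str) -> List[str]:
    """Addresses the name resolves to, or [] if DNS cannot resolve it."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if an outbound TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False


def check_cloud_connectivity(host: str, ports=REQUIRED_PORTS,
                             timeout: float = 3.0) -> Dict[str, object]:
    """DNS first, then one TCP probe per required port."""
    addrs = resolve_host(host)
    report: Dict[str, object] = {"host": host, "resolved": addrs, "ports": {}}
    if not addrs:
        # Wrong DNS server: nothing to connect to, so every port fails.
        report["ports"] = {p: False for p in ports}
        return report
    report["ports"] = {p: tcp_reachable(host, p, timeout) for p in ports}
    return report


def loopback_self_test(timeout: float = 1.0) -> Tuple[bool, bool]:
    """Offline sanity check of tcp_reachable() against a loopback listener.

    Returns (reachable while listening, reachable after close); expect (True, False).
    """
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = tcp_reachable("127.0.0.1", port, timeout)
    after_close = tcp_reachable("127.0.0.1", port, timeout)
    return while_open, after_close


def find_alert_name_conflicts(onprem_syslog_alerts, scc_alerts) -> Dict[str, str]:
    """Syslog alert names that collide with a non-syslog alert in Security Cloud Control.

    Each alert is a dict with "name" and "type". A collision means the import
    would reuse the SNMP/Email object, so the syslog object must be renamed on
    the on-premises FMC first. Matching is assumed exact and case-sensitive.
    """
    non_syslog = {a["name"]: a["type"] for a in scc_alerts if a["type"] != "syslog"}
    return {a["name"]: non_syslog[a["name"]]
            for a in onprem_syslog_alerts if a["name"] in non_syslog}


# Constructed sample inventories, not data from any real manager.
ONPREM_SYSLOG_ALERTS = [{"name": "siem-syslog", "type": "syslog"},
                        {"name": "noc-alert", "type": "syslog"}]
SCC_ALERTS = [{"name": "noc-alert", "type": "snmp"},
              {"name": "ops-email", "type": "email"}]

if __name__ == "__main__":
    print(check_cloud_connectivity(CDFMC_HOST))
    print("rename before migrating:",
          find_alert_name_conflicts(ONPREM_SYSLOG_ALERTS, SCC_ALERTS))
```

`loopback_self_test()` exists only to prove the probe logic offline; a real run passes the tenant hostname to `check_cloud_connectivity()` and feeds alert lists exported from both managers to `find_alert_name_conflicts()`. A completed handshake to 8305 shows the path is open, nothing more; device registration itself is what Check device connectivity with Cloud-Delivered Firewall Management Center covers.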

Points to remember

Policy and Object Name Conflicts:

If a policy or object in Cloud-Delivered Firewall Management Center has the same name as one in the on-premises Firewall Management Center (network, port, URL, and VLAN objects excepted), the Cloud-Delivered Firewall Management Center version is retained. See Handling Shared Policies and Objects.

Policy and Object Updates:

After migration, policies and objects aren't auto-synced between on-premises Firewall Management Center and Cloud-Delivered Firewall Management Center. For phased migrations, you must update them manually.

Evaluation Period:

You can revert the devices to the on-premises Firewall Management Center within 14 days of migration. After 14 days, the migration is finalized automatically and can no longer be reverted. See Revert the Threat Defense Management to On-Prem Firewall Management Center.

High availability failover link must be up

The high availability failover link must be up for the migration to succeed. Before initiating the migration on Security Cloud Control, check the health status of the failover link on the on-premises Firewall Management Center.

  1. Identify the failover interfaces of all HA pairs you want to migrate to Cloud-Delivered Firewall Management Center.

    1. Choose Devices > Device Management.

    2. Next to the device high-availability pair you want to edit, click Edit.

    3. Click the High Availability tab.

    4. In the High Availability Link area, the Interface field shows the failover interface used in the pair.

    5. Identify the interfaces used for failover communication if there are multiple HA pairs for migration.

  2. Check the health status of the failover interfaces.

    1. Choose Devices > Device Management.

    2. Next to the device high-availability pair you want, click Health Monitor.

    3. In the left pane, expand the high availability pair to see the Firewall Threat Defense devices.

    4. Click the device flagged with the exclamation mark.

    5. Click the Critical button at the top.

      The Interface Status shows the errors associated with interfaces.

    6. If the failover interface is down, the message Interface ‘failover_interfacename’ has no link is displayed.

      Note

      Other data-interface errors reported here do not prevent the migration; you can still migrate the HA pair to Cloud-Delivered Firewall Management Center as long as the failover interface itself is up.

    7. Rectify the issue, then click Sync from onprem fmc now so that Security Cloud Control picks up the latest changes on the device.
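As a CLI cross-check of the Health Monitor walk-through above, the following Python is an added example (not Cisco code) that parses the output of `show failover` from the threat defense CLI and separates a failover-link failure, which blocks the migration, from data-interface problems, which the note above says do not. The two outputs embedded below are constructed samples in the usual ASA/FTD layout, not captures from real devices; the exact wording of link and interface states (for example `(up)` versus `(Failed)`) is assumed and may differ between releases, so adjust the patterns if your output does.

```python
"""Parse `show failover` output to confirm the HA failover link is up
(added example, not Cisco code; the sample output below is constructed)."""
import re
from typing import List, Tuple

# Line shapes assumed from the usual ASA/FTD `show failover` layout.
LINK_RE = re.compile(
    r"^(?P<kind>Failover LAN Interface|Stateful Failover Logical Interface):"
    r"\s+(?P<name>\S+)\s+(?P<phys>\S+)\s+\((?P<state>[^)]+)\)")
HOST_RE = re.compile(r"^\s*(?P<which>This|Other) host:\s+(?P<role>\S+)\s+-\s+(?P<state>.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (?P<name>\S+) \((?P<addr>[^)]*)\):\s+(?P<status>.+?)\s*$")


def parse_show_failover(text: str) -> dict:
    """Extract failover state, link states, peer states and per-interface status."""
    info = {
        "failover_on": text.lstrip().startswith("Failover On"),
        "links": {}, "hosts": {}, "interfaces": [],
    }
    current = None  # which unit the following Interface lines belong to
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            key = "lan" if m["kind"].startswith("Failover LAN") else "stateful"
            info["links"][key] = {"name": m["name"], "physical": m["phys"],
                                  "state": m["state"].lower()}
            continue
        m = HOST_RE.match(line)
        if m:
            current = m["which"].lower()
            info["hosts"][current] = {"role": m["role"], "state": m["state"]}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            info["interfaces"].append({"host": current, "name": m["name"],
                                       "status": m["status"]})
    return info


def failover_link_ready(info: dict) -> Tuple[bool, List[str], List[str]]:
    """Blockers stop the migration; warnings are data-interface issues, which
    do not block it as long as the failover link itself is up."""
    blockers: List[str] = []
    warnings: List[str] = []
    if not info["failover_on"]:
        blockers.append("failover is not enabled on this unit")
    lan = info["links"].get("lan")
    if lan is None:
        blockers.append("no 'Failover LAN Interface' line found")
    elif lan["state"] != "up":
        blockers.append(f"failover link {lan['name']} ({lan['physical']}) is {lan['state']}")
    for iface in info["interfaces"]:
        if not iface["status"].startswith("Normal"):
            warnings.append(f"{iface['host']} host: interface {iface['name']} is {iface['status']}")
    return not blockers, blockers, warnings


# Constructed sample: failover link up, one data interface without link.
SHOW_FAILOVER_OK = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet0/7 (up)
Reconnect timeout 0:00:00
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 1285 maximum
Stateful Failover Logical Interface: state-link GigabitEthernet0/6 (up)
    This host: Primary - Active
        Active time: 86400 (sec)
          Interface outside (203.0.113.2): Normal (Monitored)
          Interface inside (192.0.2.1): Normal (Monitored)
          Interface dmz (198.51.100.1): No Link (Waiting)
    Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface outside (203.0.113.3): Normal (Monitored)
          Interface inside (192.0.2.2): Normal (Monitored)
          Interface dmz (198.51.100.2): Normal (Monitored)
"""

# Constructed sample: failover link failed, peer no longer seen.
SHOW_FAILOVER_LINK_DOWN = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover-link GigabitEthernet0/7 (Failed)
Reconnect timeout 0:00:00
Stateful Failover Logical Interface: state-link GigabitEthernet0/6 (up)
    This host: Primary - Active
        Active time: 86400 (sec)
          Interface outside (203.0.113.2): Normal (Monitored)
          Interface inside (192.0.2.1): Normal (Monitored)
    Other host: Secondary - Failed
        Active time: 0 (sec)
          Interface outside (203.0.113.3): Unknown (Monitored)
          Interface inside (192.0.2.2): Unknown (Monitored)
"""

if __name__ == "__main__":
    for label, sample in (("ok", SHOW_FAILOVER_OK), ("link down", SHOW_FAILOVER_LINK_DOWN)):
        ready, blockers, warnings = failover_link_ready(parse_show_failover(sample))
        print(label, "ready" if ready else "BLOCKED", blockers, warnings)
```

Run `show failover` on each unit of every HA pair you intend to migrate and feed the text to `parse_show_failover()`; a non-empty blocker list maps to the Interface ‘failover_interfacename’ has no link condition above, while warnings alone correspond to the note that other data-interface issues do not stop the migration.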