Migration Guidelines and Limitations for VPN Configuration

Keep the following in mind when you migrate a device with VPN configuration.

Migration guidelines for Remote Access VPN

Security Cloud Control Firewall Management imports all remote access VPN policy settings, with the following exceptions:

  • Object overrides are not migrated.

    If overrides are used in the address pool object, manually add them to the imported object in Security Cloud Control Firewall Management after migration. See Object Overrides.

  • Local users are not migrated.

    If the authentication server uses a local database, the associated local realm object is imported into Security Cloud Control Firewall Management. However, you must manually add the local users to the imported local realm object after migration. See Create a Realm and Realm Directory.

  • Load-balancing configuration is not migrated.

  • Certificate enrollment with domain configuration.

    Perform the following after migration to enroll the certificate with domain configuration:

    1. Choose Security Devices.

    2. Select the migrated FTD and, under Device Management on the right, click Device Overview.

    3. Choose Devices > Certificates.

      Perform one of the following tasks:

      • If the certificates are imported in an Error state, click the Refresh certificate status icon to synchronize the certificate status with the device. The certificate status turns green.

      • If the certificates are not imported, you must manually add the certificates defined in the Remote Access VPN policy that is configured in the Firewall Management Center.

Migration guidelines for Site-to-Site VPN

  • When you select a Firewall Threat Defense device, all of its peers across the topologies it belongs to are selected automatically, because all devices within a topology must migrate together.

  • The migration wizard does not list the extranet devices that are associated with these topologies, but they are still included automatically in the migration.

All settings will be migrated, with the following exceptions:

  • Network object overrides are not migrated. They must be manually added to the imported object in Security Cloud Control Firewall Management after migration. See Object Overrides.

  • If the authentication type is configured as Preshared Automatic Key in the On-Premises Firewall Management Center:

    • Cloud-Delivered Firewall Management Center generates a new pre-shared key after deployment.

    • Existing tunnels remain active.

    • New tunnels use the newly generated key.

  • If devices are moved to Security Cloud Control Firewall Management but the changes are not yet committed, the associated site-to-site VPN policy can still be modified in the On-Premises Firewall Management Center; however, those changes do not update the device configuration in Security Cloud Control Firewall Management.

  • Devices configured for SASE tunnels on Cisco Umbrella are not migrated.