Supported On-Premises Firewall Management Center and Firewall Threat Defense Software Versions for Migration
Minimum supported versions
- Minimum On-Premises Firewall Management Center: 7.2
- Minimum Firewall Threat Defense: 7.2.x (not supported for Version 7.1)
Physical On-Premises Firewall Management Center 1000/2500/4500 Model-Managed Firewall Threat Defense
- Migration is supported from physical FMC 1000/2500/4500 models.
- Temporary upgrade from 7.0 to 7.4 is supported for migration purposes only. The On-Premises Firewall Management Center Version 7.4 is “unsupported for general operations,” but allowed as an interim step until migration completes. You can download the upgrade package here.
- After migration, do the following:
  - Return the On-Premises Firewall Management Center to a supported version after migration.
  - Remove re-migrated devices.
  - Reimage back to 7.2.x.
  - Re-register the devices.

Note | Unzip (but do not untar) the upgrade package before uploading it to the On-Premises Firewall Management Center. To upgrade to Version 7.4, see Cisco Secure Firewall Management Center Upgrade Guide, Version 6.0-7.0. |

- We recommend upgrading the devices to Version 7.2.x before upgrading the On-Premises Firewall Management Center to Version 7.4.
Important | An upgrade is necessary because Version 7.0 On-Premises Firewall Management Centers do not support cloud device migration. Only Version 7.4 is supported during the migration and evaluation process. These On-Premises Firewall Management Centers cannot run intermediate versions. Only standalone and high availability Firewall Threat Defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. |
Firewall Threat Defense in a High Availability Pair
- High availability pairs migrate as a single node.
- Both active and standby Firewall Threat Defense devices migrate together.
Important | We highly recommend committing manager changes before performing advanced operations, like creating or breaking high availability configurations from the On-Premises Firewall Management Center on the devices being migrated. Carrying out these tasks during the evaluation period is unsupported and may lead to migration commit failure. |
Firewall Management Center in a High Availability Pair
- Onboard the active On-Premises Firewall Management Center and not the standby.
- Use either the auto-onboarding method or the credentials method for onboarding the On-Premises Firewall Management Center.
Note | If you have already onboarded a standalone On-Premises Firewall Management Center and later configured it as a standby, delete the standby On-Premises Firewall Management Center and onboard the active one. |
Points to Remember:
- Auto-onboarding On-Premises Firewall Management Center Method
  - High availability break is not supported during the 14-day evaluation period. You can break high availability after changes are committed, manually or automatically, after the evaluation period.
  - High availability switchover is supported during the 14-day evaluation period.
- Onboarding On-Premises Firewall Management Center Method Using Credentials
  - High availability break and high availability switchover are not supported during the 14-day evaluation period. You can perform these operations after committing the changes manually or automatically after the evaluation period.
  - After a switchover, onboard the new active unit, which was previously in standby mode, and then start a migration job on the devices.
Note | During the 14-day evaluation period after migrating a Firewall Threat Defense device, if you have performed advanced operations on the device, such as converting it to a multi-instance chassis, note that the evaluation period becomes nullified, and you will not be able to revert the device management back to the On-Premises Firewall Management Center. If you want to manage a multi-instance chassis using Cloud-Delivered Firewall Management Center, onboard the chassis manually to Security Cloud Control. |
Firewall Threat Defense Cluster
Firewall Threat Defense cluster migration is supported on these platforms with minimum versions:
| Platforms | Minimum Firewall Threat Defense | Minimum On-Premises Firewall Management Center Version |
|---|---|---|
| VMware, KVM | 7.2.1 | 7.4.1 |
| AWS, GCP | 7.2.1 | 7.4.1 |
| Azure | 7.3 | 7.4.1 |
| Secure Firewall 3100 | 7.2.1 | 7.4.1 |
| Firepower 4100 | 7.2.x | 7.4.1 |
| Secure Firewall 4200 | 7.4 | 7.4.1 |
| Firepower 9300 | 7.2.x | 7.4.1 |
Important | Before migrating the Firewall Threat Defense cluster, remember the following points: |
Migration Support for Multi-instance Firewall Threat Defense Devices
You can migrate a multi-instance Firewall Threat Defense device that is part of a chassis (Secure Firewall 3100). The multi-instance device gets listed as one of the devices in the Select Devices page, and you can choose it to proceed with the migration. This migration is supported in Firewall Threat Defense device versions 7.6 or later.
If you decide to do such a multi-instance Firewall Threat Defense device migration, it is strongly recommended that you unregister the corresponding chassis device manually from the on-premises Firewall Management Center and onboard it to Security Cloud Control, by navigating to the page.