Before You Begin Migration
Before you begin the process, ensure that the following prerequisites are met:
-
A provisioned Security Cloud Control tenant is registered with a Smart License.
-
DNS Server Configuration:
The threat defenses must have a DNS server configuration that can resolve the cloud-delivered Firewall Management Center hostnames. To verify device connectivity with cloud-delivered Firewall Management Center, see Check device connectivity with cloud-delivered Firewall Management Center.
-
Network Access:
The threat defenses must be able to reach cloud-delivered Firewall Management Center over TCP port 8305. Only outbound connectivity from the threat defenses to cloud-delivered Firewall Management Center is required; no inbound access to the threat defenses is needed.
-
Threat Defense Outbound Port 443:
The threat defenses must allow outbound TCP port 443 to the cloud so that the Security Cloud Control event viewer can receive their events.
-
On-Premises Management Center Outbound Port 443:
The on-premises management center must allow outbound TCP port 443 to the “*.cdo.cisco.com” domain.
-
The on-premises management center is onboarded to Security Cloud Control. Onboarding the on-premises management center also onboards all the threat defense devices registered to that on-premises management center. See Onboard an On-Prem FMC.
Note: Create a new user in the on-premises management center with the Administrator role, or with a custom user role that has the "Devices" and "System" permissions, and use that account only for onboarding.
Caution: If you onboard an on-premises management center to Security Cloud Control and, at the same time, sign in to that on-premises management center with the same user name, the onboarding fails.
-
For the on-premises management center 1000/2500/4500 migration:
-
The management center must run Version 7.4 (available for these models on a temporary basis). We recommend that the threat defense devices run Version 7.0.5.
-
We recommend that you create a backup of the on-premises management center before you migrate.
For on-premises management center Version 6.5 through 7.1, see the Back up the FMC topic in the Firepower Management Center Configuration Guide.
For on-premises management center Version 7.2 and later, see the Back up the Management Center topic in the Cisco Secure Firewall Management Center Administration Guide.
-
The threat defense devices must be synchronized with no pending changes. The migration fails on any device on which Security Cloud Control detects pending changes.
-
All peer devices in a site-to-site VPN topology must be online and have no pending deployment.
-
The on-premises management center must allow outbound HTTP/HTTPS so that it can upload its configuration to Amazon S3.
-
Security Cloud Control imports the Syslog alert objects that the access control policy on the on-premises management center uses. If Security Cloud Control already contains an alert object with the same name but a different type (SNMP or Email), that existing object is reused during the configuration import instead of the Syslog object.
Before you start the migration, check whether any Syslog alert object name on the on-premises management center matches an existing SNMP or Email alert object in Security Cloud Control. If a name matches, rename the Syslog object in the on-premises management center first.
-
If you migrate firewalls that have modified system-defined FlexConfig text objects from an on-premises management center to cloud-delivered Firewall Management Center, the modified values of those objects are not migrated, and the subsequent deployment fails.
To avoid this, perform these tasks before you start the migration:
-
Copy the modified system-defined FlexConfig text object values from the on-premises management center to cloud-delivered Firewall Management Center.
-
Verify the predefined FlexConfig text objects in cloud-delivered Firewall Management Center, and only then initiate the migration from the on-premises management center.
-
High Availability Failover Link Must Be Up
The high availability failover link must be up for the migration to succeed. Before you initiate the migration in Security Cloud Control, check the health status of the failover link on the on-premises management center.
-
Identify the failover interfaces of all HA pairs you want to migrate to cloud-delivered Firewall Management Center.
-
Choose Devices > Device Management.
-
Next to the device high-availability pair you want to edit, click Edit.
-
Click the High Availability tab.
-
In the High Availability Link area, the Interface field shows the failover interface used in the pair.
-
Repeat these steps for every HA pair that you plan to migrate, so that you know each pair's failover interface.
-
Check the health status of the failover interfaces.
-
Choose Devices > Device Management.
-
Next to the device high-availability pair you want, click Health Monitor.
-
In the left pane, expand the high availability pair to see the threat defense devices.
-
Click the device that is marked with an exclamation mark.
-
Click the Critical button at the top.
The Interface Status shows the errors associated with interfaces.
-
If the failover interface is down, the message Interface ‘failover_interfacename’ has no link is displayed.
Note: Other data interface problems do not block the migration; you can still migrate the HA pair to cloud-delivered Firewall Management Center as long as the failover interface itself is up.
-
Rectify the issue, then click Sync from onprem fmc now so that Security Cloud Control obtains the latest changes from the device.
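The DNS, port 8305 and port 443 prerequisites above can be verified before you touch the migration wizard. The script below is an added example, not code from this Cisco page or from Security Cloud Control: run it from a host on the threat defenses' management path (or from a threat defense's expert shell) to confirm that the cloud-delivered Firewall Management Center hostnames resolve and that outbound TCP handshakes on 8305 and 443 complete. The hostnames in TARGETS are placeholders (an assumption); substitute the ones shown for your tenant. A timeout points at a firewall silently dropping the outbound connection, which is the case this page is warning about; a refusal means the path is open but the port is wrong.

```python
"""Pre-migration connectivity check (added example; not Cisco code).

Verifies the prerequisites: cloud-delivered Firewall Management Center
hostnames must resolve through the device's DNS servers, and outbound
TCP 8305 (management channel) and TCP 443 (event viewer and the
*.cdo.cisco.com domain) must complete a handshake.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class CheckResult:
    host: str
    port: int
    resolved: Optional[str]   # first address DNS returned, or None on failure
    reachable: bool
    detail: str


def resolve(host: str) -> Optional[str]:
    """Return the first address for host, or None if DNS cannot resolve it
    (the 'DNS Server Configuration' prerequisite)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def tcp_reachable(addr: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """True only if a full TCP handshake completes. A timeout usually means a
    firewall is dropping the outbound connection; a refusal means the path is
    open but nothing is listening on that port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (likely filtered or no route)"
    except OSError as exc:
        return False, f"not reachable ({exc.strerror or exc})"


def check(host: str, port: int, timeout: float = 3.0) -> CheckResult:
    """Resolve, then connect; a DNS failure short-circuits the port test."""
    addr = resolve(host)
    if addr is None:
        return CheckResult(host, port, None, False, "DNS resolution failed")
    ok, detail = tcp_reachable(addr, port, timeout)
    return CheckResult(host, port, addr, ok, detail)


def run_checks(targets: Iterable[Tuple[str, int]], timeout: float = 3.0) -> List[CheckResult]:
    return [check(host, port, timeout) for host, port in targets]


def all_passed(results: Iterable[CheckResult]) -> bool:
    return all(r.reachable for r in results)


def format_report(results: Iterable[CheckResult]) -> str:
    lines = []
    for r in results:
        status = "PASS" if r.reachable else "FAIL"
        lines.append(f"{status} {r.host}:{r.port} -> {r.resolved or '-'} ({r.detail})")
    return "\n".join(lines)


def self_test() -> bool:
    """Prove the checker itself works before trusting it against the cloud:
    a local listener must show as reachable, and the same port, once closed,
    must not."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        up, _ = tcp_reachable("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
    down, _ = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return up and not down


if __name__ == "__main__":
    import sys
    # Placeholder targets (assumption): replace with your tenant's hostnames.
    TARGETS = [
        ("cdfmc.example.invalid", 8305),   # threat defense -> cdFMC management channel
        ("cdfmc.example.invalid", 443),    # threat defense -> SCC event viewer
        ("tenant.cdo.cisco.com", 443),     # on-prem management center -> *.cdo.cisco.com
    ]
    if not self_test():
        sys.exit("self-test failed; local sockets are not working")
    results = run_checks(TARGETS)
    print(format_report(results))
    sys.exit(0 if all_passed(results) else 1)
```

Run it once from the threat defense side for the 8305 and 443 targets and once from the on-premises management center side for the *.cdo.cisco.com target, since the page asks for outbound access from both. A non-zero exit means at least one prerequisite is not met.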