Migrate a Secure Firewall Threat Defense

Procedure


Step 1

Choose Firewall Devices > Device Management.

Step 2

Click Migrate in the top right corner of the page.

Step 3

In Select source and target devices:

  1. From the Source device drop-down list, choose a device.

  2. From the Target device drop-down list, choose a device.

The source and target devices can have these tags:

  • Routed: Devices in routed firewall mode.

  • Transparent: Devices in transparent firewall mode.

  • Container: Devices in multi-instance mode.

  • High Availability: Devices in high availability mode.

  • Analytics Only: Devices that are managed by Security Cloud Control, for which the Firewall Management Center only receives and displays the events (analytics-only Firewall Management Center).

If the device is part of an HA pair, only the HA pair name appears.

Step 4

Click Next.

Step 5

(Only for Firepower 4100 and 9300 Series devices in appliance mode) In Chassis manager details:

  1. Check the Skip chassis manager check box, if required.

  2. In the Chassis hostname or IP address field, enter the values.

    Note
    • Verify that the Secure Firewall Chassis Manager is reachable from the Firewall Management Center.

    • Ensure you select the correct chassis manager for the source device, as Firewall Management Center does not validate your choice.

  3. Click Verify certificate to verify the chassis manager's certificate.

  4. In the Username and Password fields, enter the credentials of the chassis manager.

Step 6

Click Next.

Step 7

In Configure interfaces:

By default, the source and target interfaces are mapped using the interface hardware name. You must map named interfaces, logical interfaces, and interfaces that are part of other interfaces. Mapping of all other interfaces is not mandatory. The wizard creates the logical interfaces according to the interface mapping that you provide.

You cannot map interfaces that are part of an HA failover configuration. These interfaces are disabled in the wizard.

Only data interfaces are available for interface mapping. Management, eventing, and diagnostic interfaces are not available for the interface mapping.

Firepower 4100 and 9300 Series devices in appliance mode:

For these devices, the Firewall Management Center fetches interface attributes such as speed, duplex, and auto-negotiation from the chassis manager.

  1. Click one of the following options to configure these interface attributes on the target device:

    • Retain target device values: (Default) Retains the interface attributes configured on the target device.

    • Copy from source device: Copies the interface attributes from the source device.

      This option is enabled only when Firewall Management Center successfully connects to the chassis manager. We recommend that you use this option. The speed, duplex, and auto-negotiation values of physical interfaces are set to default values if they are incompatible in the target device.

    • Customize device values: Allows you to configure the values of the required interface attributes on the target device.

  2. To change the interface mapping from the default ones, choose an interface from the Mapped interface drop-down list.

  3. For EtherChannels, you can configure interface attributes and click Add member interface to add member interfaces.

    Interface attributes of an EtherChannel are configured based on the first member interface's interface attributes. You can add up to 16 member interfaces.

Firepower 1100 and 2100 Series devices, and Firepower 4100 and 9300 Series devices in multi-instance mode:

For these devices, you must map the source device interfaces to target device interfaces.

For Firepower 4100 and 9300 Series devices in multi-instance mode, you can only perform the interface mapping and you cannot configure the interface attributes such as speed, duplex, auto-negotiation, and FEC mode.

If you want to change the interface mapping from the default ones, choose an interface from the Mapped interface drop-down list.

Click Reset to configure the default interface mappings. For example, the wizard maps Ethernet1/1 in the source device to Ethernet1/1 in the target device.

The interfaces can have the following tags:

  • Tagged: Physical interfaces on the chassis.

  • Untagged: Physical interfaces on the chassis that have sub-interfaces.

  • Dedicated: Interfaces that are assigned to specific instances and are not shared across multiple instances.

  • Shared: Interfaces that are shared by multiple instances.

  • Manager access: Data interface is the manager access interface.

Check the Ignore warning check box, if required.

Step 8

Click Next.

Step 9

Click Submit to start the migration.

Step 10

View the migration status on the Notifications > Tasks page.

A Device Model Migration report is generated after the migration is completed. You will see a link to this report in the Notifications > Tasks page.
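The interface mapping rules from Step 7 can be checked offline before you open the wizard. The following is an added example, not Cisco code, and it does not call the Firewall Management Center. The `Iface` record, its field names, and the sample inventories are hypothetical, and it assumes logical interfaces keep their source name by default.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:  # hypothetical inventory record, not an FMC data structure
    hw_name: str
    kind: str = "data"         # "data", "management", "eventing" or "diagnostic"
    logical_name: str = ""     # non-empty means the interface is named
    is_logical: bool = False   # logical interface, for example an EtherChannel
    member_of: str = ""        # parent interface, if part of another interface
    ha_failover: bool = False  # part of the HA failover configuration

def mappable(i):
    # Only data interfaces outside the HA failover configuration can be mapped.
    return i.kind == "data" and not i.ha_failover

def must_map(i):
    # Named, logical and member interfaces are the mandatory ones.
    return mappable(i) and bool(i.logical_name or i.is_logical or i.member_of)

def default_mapping(source, target):
    """Map by hardware name; assumes logical interfaces keep their name."""
    names = {t.hw_name for t in target if mappable(t)}
    return {s.hw_name: s.hw_name for s in source
            if mappable(s) and (s.is_logical or s.hw_name in names)}

def check_mapping(source, target, mapping):
    """Return a list of rule violations; an empty list means none found."""
    src = {s.hw_name: s for s in source}
    tgt = {t.hw_name: t for t in target}
    problems = []
    for s_name, t_name in mapping.items():
        s, t = src.get(s_name), tgt.get(t_name)
        if s is None or not mappable(s):
            problems.append(f"{s_name}: not a mappable source data interface")
        elif not s.is_logical and (t is None or not mappable(t)):
            problems.append(f"{s_name} -> {t_name}: no such target data interface")
    problems += [f"{s.hw_name}: mapping is mandatory" for s in source
                 if must_map(s) and s.hw_name not in mapping]
    return problems

# Constructed sample inventories (not taken from a real device).
SOURCE = [Iface("Ethernet1/1", logical_name="outside"),
          Iface("Ethernet1/2", logical_name="inside"),
          Iface("Ethernet1/3", ha_failover=True), Iface("Ethernet1/4"),
          Iface("Ethernet1/5", member_of="Port-channel1"),
          Iface("Port-channel1", logical_name="dmz", is_logical=True),
          Iface("Management1/1", kind="management")]
TARGET = [Iface(n) for n in ("Ethernet1/1", "Ethernet1/2", "Ethernet1/3",
                             "Ethernet1/4", "Ethernet1/9")]
```

With the sample data, the default mapping leaves `Ethernet1/5` unmapped because the target has no interface with that hardware name, so `check_mapping` reports it as a mandatory mapping that still needs a manual choice.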


What to do next

After a successful migration, you must complete these tasks:

In case of a migration failure, the target device is rolled back to the initial state.