Supported Features
Handling Shared Policies and Objects
When the migration process begins, the shared policies and objects associated with the threat defense devices are imported first, followed by the device configuration.
The following shared policies are imported to CDO after changing the manager on threat defense devices:
- Access control
- IPS
- SSL
- Prefilter
- NAT
- QoS
- Identity
- Platform settings
- Flex config
- Network analysis
- DNS
- Malware & file
- Health
- Remote Access VPN
- Site-to-Site VPN
If a policy or object in CDO has the same name as a policy or object imported from the Secure Firewall Management Center, CDO takes the following actions after the manager is changed successfully.
Policies, Objects | Condition | Action
---|---|---
Access control, SSL, IPS, Prefilter, NAT, QoS, Identity, Platform settings, Network analysis, DNS, Malware & File policies. | Name of the cloud-delivered Firewall Management Center policy matches the management center policy. | The cloud-delivered Firewall Management Center policy is used instead of the imported policy from the management center.
RA VPN Default group policy DfltGrpPolicy | The default group policy DfltGrpPolicy from the management center is ignored. | The existing cloud-delivered Firewall Management Center default group policy DfltGrpPolicy is used instead.
Network, Port objects | Name and content of network and port objects in the cloud-delivered Firewall Management Center match the ones in the management center. | The existing cloud-delivered Firewall Management Center network and port objects with the same name and content are used instead of imported objects from the management center. If the object has the same name but different content, an object override is created. See Object Overrides.
All other objects | | The existing cloud-delivered Firewall Management Center object is used instead of the imported object from the management center.
Any Syslog alert object that is associated with the access control policy is imported into CDO.
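Because a same-name policy or object in the cloud silently takes the place of the imported one, it helps to list the name collisions before changing the manager. The following pre-migration audit is an added example, not Cisco code: it applies the table's rules to two constructed inventories, and the `Item` fields, the type label `RA VPN group policy`, the outcome strings and the review flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy types the table above resolves by name alone.
NAME_MATCHED_POLICIES = {
    "Access control", "SSL", "IPS", "Prefilter", "NAT", "QoS", "Identity",
    "Platform settings", "Network analysis", "DNS", "Malware & File",
}

@dataclass(frozen=True)
class Item:
    kind: str     # "policy" or "object"
    type: str     # e.g. "Access control", "Network", "Port", "URL"
    name: str
    content: str  # canonical text of the definition (constructed here)

def predict(item, cloud):
    """Return (outcome, needs_review) for one item imported from the management center."""
    existing = cloud.get((item.kind, item.type, item.name))
    differs = existing is None or existing.content != item.content
    if item.type == "RA VPN group policy" and item.name == "DfltGrpPolicy":
        return "ignored-cloud-default-used", differs
    if existing is None:
        return "imported", False
    if item.kind == "object":
        if item.type in ("Network", "Port"):
            return ("override-created", True) if differs else ("cloud-object-reused", False)
        return "cloud-object-used", differs
    if item.type in NAME_MATCHED_POLICIES:
        return "cloud-policy-used", differs
    return "not-covered-by-table", True  # the table does not state an outcome

def audit(onprem, cloud_items):
    """List (name, outcome) for every item whose effective definition may change."""
    cloud = {(i.kind, i.type, i.name): i for i in cloud_items}
    return [(i.name, out) for i in onprem for out, review in [predict(i, cloud)] if review]

# Constructed sample inventories (not real exports).
CLOUD = [
    Item("policy", "Access control", "Branch-ACP", "default-action=allow"),
    Item("object", "Network", "dmz-net", "192.0.2.0/24"),
    Item("object", "Network", "mgmt-net", "198.51.100.0/24"),
    Item("object", "URL", "blocked-sites", "example.test"),
]
ONPREM = [
    Item("policy", "Access control", "Branch-ACP", "default-action=block"),
    Item("object", "Network", "dmz-net", "192.0.2.0/24"),
    Item("object", "Network", "mgmt-net", "203.0.113.0/24"),
    Item("object", "URL", "blocked-sites", "example.test,example.invalid"),
    Item("object", "Port", "https-alt", "tcp/8443"),
]
```

Calling `audit(ONPREM, CLOUD)` returns only the items to review: here the access control policy that would be replaced by a looser cloud copy, the network object that would receive an override, and the URL object whose cloud definition differs.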
Migration Support for Threat Defense in a High Availability Pair
You can migrate a device in a high availability pair. The device management of both active and standby devices is changed and imported into CDO.
Important: We strongly recommend committing the manager changes before performing any advanced operations, such as creating HA configuration or breaking HA on the devices that are being migrated. Performing such operations during the evaluation period is not supported and may result in unintended behavior.
Migration Support for Management Center in a High Availability Pair
You can migrate the threat defense devices from a high availability configured management center to the cloud.
The management center can be onboarded using SecureX or credentials with the SDC method. Always onboard the active management center and not the standby.
Note: If you have already onboarded a standalone management center and later configured it as a standby, delete the standby management center and onboard the active one.
Points to Remember:
- SecureX Onboarding Method
  - High availability break is not supported during the 14-day evaluation period. You can break high availability after committing the changes manually or automatically after the evaluation period.
  - High availability switchover is supported during the 14-day evaluation period.
- Credentials Onboarding Method Using SDC
  - High availability break or high availability switchover is not supported during the 14-day evaluation period. You can perform these operations after committing the changes manually or automatically after the evaluation period.
  - After a switchover, onboard the new active unit, which was previously in standby mode, and then start a migration job on the devices.