Migrate Threat Defense to Cloud-delivered Firewall Management Center

Procedure


Step 1

In the navigation bar on the left, choose Tools & Services > Migrations > Migrate FTD to cdFMC.

Step 2

Click icon and click On-Prem FMC-managed FTD to cdFMC.

Note
You can initiate only one migration job at a time.

Step 3

In the Select OnPrem FMC step, perform the following:

  1. If you have not already onboarded the on-premise management center, click the Onboard an FMC link to do so. See Onboard an FMC.

  2. Select the management center from the available list and click Next.

The Select Devices step lists the threat defense devices that the selected management center manages. If a high-availability pair is set up on the on-premise management center, the high availability node is shown instead of the active and standby devices.

The Last Synced time field indicates the time that has elapsed since the device configuration was synchronized into the management center. You can click Sync from OnPrem FMC Now to fetch the latest device changes.

Step 4

In the Select Devices step, perform the following:

  1. Select the devices that you want to migrate. In case of a high availability pair, select the high availability node.

    Note
    • Devices running unsupported versions are not available for selection.

    • Devices that are registered with the management center for analytics only, or that have pending changes to be deployed, are not eligible for migration.

    • If the selected device is associated with a site-to-site VPN topology, CDO auto-selects its peer devices belonging to the same or different topologies, because all devices in a site-to-site VPN topology must be migrated together for the migration to succeed. The wizard does not list extranet devices, if any. However, CDO migrates extranet devices.

      The Affected Topology column indicates the number of site-to-site VPN topologies in which the selected device participates. If you click the link, you can view the topologies and devices that will be migrated along with the selected device. This field is not applicable to devices that are not part of the site-to-site VPN topology.

    • A high availability pair is presented as a single node. You must select this node to include active and standby devices in the migration.

  2. In the Multi-Device Action list, you can choose a common action to apply to all devices.

  3. In the Commit Action column, you can choose one of the following actions for the selected device:

    • Retain on OnPrem FMC for Analytics: After the migration process is completed, the analytics management for selected threat defense devices is retained on the management center.

    • Delete FTD from OnPrem FMC: After the migration process is completed, the selected devices are removed from the management center and are available for CDO to handle the analytics. You must configure the devices to send events to CDO for managing analytics. After the devices are deleted from the management center, the deletion cannot be reverted.

      Note

      The device is not deleted from the management center unless the changes are committed, either automatically or manually.

    Note

    All devices in a site-to-site topology must be configured with the same commit action. They can be set to either:

    • Revert Manager to OnPrem FMC, or

    • Retain on On-Prem Firewall Management Center for Analytics or Delete threat defense from On-Prem Firewall Management Center

Note

The actions that are specified here are committed automatically after the 14-day evaluation period or after the changes are committed manually.

Step 5

Click Migrate FTD to cdFMC.

Step 6

Click View Migration to Cloud Progress to see the progress of your job.


What to do next

You can view the overall and individual status of migration jobs and generate a report when a job is completed successfully. See View a Threat Defense Migration Job.