
#CLUS

Firepower Migration Tool
Simplifying & Automating the Migration

Bhishm Narayan Sharma
Technical Marketing Engineer
BRKSEC-2101

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019. cs.co/ciscolivebot#BRKSEC 2101

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Why Migration Tool
• What is Cisco’s NGFW Migration Tool
• What is New + Demo
• Best Practices and Troubleshooting
• What are our Plans
• Key Takeaway

Related Breakout Sessions
BRKSEC-2112 - Firepower Internet Edge Best Practices
BRKSEC-2020 - Firepower NGFW in the DC and Enterprise - Deployment Tips and New Features
BRKSEC-2034 - Cloud Management of Firepower and ASA with Cisco Defense Orchestrator
BRKSEC-2056 - Threat Centric Network Security
BRKSEC-2062 - Orchestrating NGFWv and ASAv to Protect Your On-Prem Workloads
BRKSEC-2064 - NGFWv and ASAv in Public Cloud (AWS and Azure)
BRKSEC-2066 - Optimizing your Firepower/FTD Deployment
BRKSEC-2101 - Deep Dive on ASA to FTD Migration
BRKSEC-3020 - Troubleshooting ASA Firewalls
BRKSEC-3032 - NGFW Clustering Deep Dive
BRKSEC-3035 - Firepower Platform Deep Dive Integrations
BRKSEC-3300 - Advanced Firepower IPS Deployment
BRKSEC-3328 - Firepower Management Center Internals: Making FMC Do More
BRKSEC-3353 - Advanced Snort Rule Writing for Firepower
BRKSEC-3455 - Dissecting Firepower Threat Defense (FTD): architecture and troubleshooting
TECSEC-3004 - Troubleshooting Firepower Threat Defense Like a TAC Engineer
TECSEC-2002 - Best Practices for Cisco Firepower NGFW
LABs and Integration sessions @CLUS2019
LABs
LABSEC-2345 - ASA to FTD Instance Migration Lab (WISP)
LTRSEC-3001 - Deep Dive Lab on ASA and FTD in ACI
LTRSEC-3052 - Deploy NGFWv and ASAv in Public Cloud (AWS & Azure)
LTRSEC-3460 - Firepower Data-Path troubleshooting (A practical hands-on lab)

Integration
CTHSEC-1105 - The Cisco Threat wall - A Window into Advanced Threat Protection
BRKSEC-2048 - Demystifying ACI Security
BRKSEC-2069 - Meraki Integrations with the Cisco Security Architecture
BRKSEC-2205 - Cisco Secure Data Center Architectures and Solutions
BRKSEC-2663 - DDoS Mitigation: Introducing Radware Deployment on Firepower Appliances
BRKSEC-2890 - Advanced Malware Protection (AMP) and Threat Grid Cloud - Integrations covering Web, Email, Firepower & Endpoint Security
BRKSEC-3433 - Protecting your Office 365 environment: leverage the Firepower API, Cisco Cloud Email Security and more.

“Fast-track your journey to a Threat Centric Solution with a Simple, Open and Automated Firewall Migration Tool.”

Why do we need a Migration Tool?
Migration is complex.

Firewall Migration Strategy
Phases and indicative timeline*:

Discovery (Days 0-5): an assessment of your requirements and current configurations.
Strategy (Days 6-8): conduct a review to finalize the migration design and procedure, including testing, rollback, failure recovery, and risk mitigation.
Execution (Days 9-11): execute the steps outlined in the migration strategy and testing procedure plan, and document results.
Support (Days 11-13): review any outstanding technical issues related to application migration.
TOKTEN (Days 14-15): provide a knowledge dump using best practices and what has been done.

*Migration estimate for a configuration of about 1k lines


What is Cisco FMT
Cisco Firepower Migration Tool

Reporting
• Pre- and post-migration reports
• Ability to edit the configuration being migrated
• Live running logs, graceful error handling and resume from failure
• Object conflict detection and resolution

Automation
• ACL, NAT, object, interface and FQDN migration
• Multi-context to multi-instance
• Selective migration and optimizations such as object re-use
• Auto-mapping of interfaces

Scale
• Supports migration of the features supported by the FMC REST API
• Runs on Windows or Mac through the Chrome browser
• CDO integration* to leverage orchestration benefits
• Programmability* through tool APIs
Firepower Migration Tool (ASA to FTD)
[Architecture diagram] Two paths share the FMT core engine*:
• Desktop: the ASA configuration is uploaded to the Firepower Migration Tool, which pushes it to FMC through API calls; FMC then deploys it to Firepower Threat Defense.
• CDO: the ASA configuration is uploaded to the FMT service in CDO, which creates a template that CDO applies to Firepower Threat Defense.
*Features shared in CDO depend on FTD API and CDO support.
Firepower Migration Tool Workflow
1 Launch
2 EULA
3 Login to Cisco Success Network (CCO / local)
4 Extract ASA information (live ASA or manual upload)
5 Select target (connect to FMC; unreferenced objects; selective policy migration)
6 Review pre-migration report
7 Map physical interfaces
8 Map interface objects
9 Review configuration
10 Resolve conflicts
11 Push configuration to FMC
12 Cisco Success Network
13 Review post-migration report
Impact of Firepower Migration Tool
Indicative timeline with the tool:

Discovery (Day 0-2): the tool helps isolate stale ACLs, non-referenced objects, port groups etc. that can be excluded from the migration, and identifies configuration errors in the supported configuration.
Strategy (Day 3-4): the pre-migration report gives a complete understanding of what can be migrated with the tool, what will be partial, and what needs to be migrated manually if needed.
Execution (Day 5): removes the headache of manually writing the policies by leveraging APIs to push the configuration, and enables next-generation features on rules at the time of migration.
Support (Day 6): pre- and post-migration reports help understand the state of the migration and overcome any issues that typically happen post migration.
TOKTEN (Day 9): migration reports can be used as a knowledge base for future reference and for planning future migrations.
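The Discovery and Strategy steps above (and the tool's "unreferenced objects" and "object conflict detection" steps) come down to two checks over the ASA configuration: which definitions nothing refers to, and which object names already exist on FMC with a different value. The Python below is an added example written for this page, not code from the Firepower Migration Tool or any Cisco project. It assumes a constructed sample ASA configuration and a constructed list standing in for the objects FMC already holds (shaped like the network-object items the FMC REST API returns, trimmed to name, type and value). Only access-group bindings count as "applied", so an ACL used elsewhere (NAT, VPN, class-map) would show as unapplied here.

```python
import re

# Constructed sample ASA configuration for this example (not from a real device).
ASA_CONFIG = """\
object network web-srv
 host 10.1.1.10
object network old-srv
 host 10.1.1.99
object network dmz-net
 subnet 10.1.2.0 255.255.255.0
object-group network dmz-hosts
 network-object object web-srv
 network-object host 10.1.1.11
object-group network stale-group
 group-object n-10.0.0.0_8
access-list outside_in extended permit tcp any object web-srv eq 80
access-list outside_in extended permit tcp any object-group dmz-hosts eq 443
access-list outside_in extended permit ip object dmz-net any
access-list legacy_acl extended permit ip any any
access-group outside_in in interface outside
"""

# Constructed stand-in for objects already on FMC; shaped like the "items" of a
# GET .../object/networks?expanded=true response, trimmed to what is compared.
FMC_NETWORK_OBJECTS = [
    {"name": "web-srv", "type": "Host", "value": "10.1.1.10"},
    {"name": "dmz-net", "type": "Network", "value": "10.1.3.0/24"},
]

DEFINITION_RE = re.compile(r"^object(?:-group)?\s+\S+\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out|global)")
REF_KEYWORDS = {"object", "object-group", "group-object"}  # token that precedes a name reference
VALUE_KEYWORDS = ("host", "subnet", "range", "fqdn")


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def asa_value_to_fmc(body: str) -> str:
    """Normalise an 'object network' body line to the value format FMC uses."""
    parts = body.split()
    if parts[0] == "host":
        return parts[1]
    if parts[0] == "subnet":
        return f"{parts[1]}/{mask_to_prefix(parts[2])}"
    if parts[0] == "range":
        return f"{parts[1]}-{parts[2]}"
    return parts[-1]  # fqdn [v4|v6] NAME: keep the name


def parse_asa(config: str) -> dict:
    """One pass: definitions, object values, name references, ACL names, ACL bindings."""
    defined, values, acls, applied, refs = set(), {}, set(), set(), set()
    current = None  # object/object-group whose indented body we are in
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = DEFINITION_RE.match(line)
        if m:
            current = m.group(1)
            defined.add(current)
            continue
        if not line.startswith(" "):
            current = None  # back at global configuration level
        elif current and line.split()[0] in VALUE_KEYWORDS:
            values[current] = asa_value_to_fmc(line.strip())
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
        m = ACCESS_GROUP_RE.match(line)
        if m:
            applied.add(m.group(1))
        tokens = line.split()
        refs.update(tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok in REF_KEYWORDS)
    return {"defined": defined, "values": values, "acls": acls, "applied": applied, "refs": refs}


def find_stale(config: str) -> dict:
    """Discovery: what can be left out of the migration, and what is already broken."""
    p = parse_asa(config)
    return {
        "unreferenced": p["defined"] - p["refs"],          # candidates to exclude
        "undefined_references": p["refs"] - p["defined"],  # would fail at object-group creation
        "unapplied_acls": p["acls"] - p["applied"],        # never bound with access-group
    }


def classify_objects(config: str, fmc_objects) -> dict:
    """Conflict detection: compare ASA network objects with FMC objects by name."""
    existing = {o["name"]: o["value"] for o in fmc_objects}
    result = {"reuse": set(), "conflict": {}, "create": set()}
    for name, value in parse_asa(config)["values"].items():
        if name not in existing:
            result["create"].add(name)
        elif existing[name] == value:
            result["reuse"].add(name)  # same name and value: re-use the FMC object
        else:
            result["conflict"][name] = (value, existing[name])  # same name, different value
    return result


if __name__ == "__main__":
    for key, names in find_stale(ASA_CONFIG).items():
        print(f"{key}: {sorted(names)}")
    print(classify_objects(ASA_CONFIG, FMC_NETWORK_OBJECTS))
```

Run against the sample, the discovery pass flags old-srv and stale-group as unreferenced, n-10.0.0.0_8 as referenced but never defined (the situation behind the "object not found when creating object-group" error shown later in this deck), and legacy_acl as an ACL with no access-group binding; the conflict pass reports web-srv as re-usable and dmz-net as a name clash that must be renamed or reconciled before the push.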

What’s New
Firepower Migration Tool v1.3
ASA to FTD migration tool featuring:
• Intuitive, guided workflow with pre- and post-migration reports
• Inbuilt optimization capabilities
• FMC REST API based; runs on Windows & Mac through Chrome
New release and more information now available on http://cs.co/ASA2FTD

Added support:
• Multi-context to multi-instance
• IPv6 support
• Inline grouping support
• Programmability
• Cisco Success Network
• Enable IPS, file policy and rule action
• Auto version check

Continued support for:
• Network objects and groups, service objects
• Access rules
• Auto NAT, manual NAT, and object NAT (conditional)
• Static routes
• Physical interfaces, sub-interfaces, port channels
• Bridge groups (transparent mode only)

Cisco Success Network
• CCO login to the tool after the customer allows sharing statistics with Cisco Success Network
• Use the default login credentials for the tool if CCO is not reachable, if the EULA is not agreed to, or if the tool is offline
• Data is sent automatically after the migration succeeds or fails
• Internet connectivity is only needed for Cisco Success Network; not having Internet access does not impact the migration

Multi Context to Multi Instance

REST API for Programmability
We are following your requests for REST APIs that will allow you to script your specific use cases.
Start the tool with the API enabled:
For Windows: "Firepower_Migration_Tool-1.3.0.2771-[BUILD_TYPE]-20190403_stg.exe" -enable_api
For Mac: ./Firepower_Migration_Tool-1.3.0.2771-[BUILD_TYPE]-20190403_stg.command -enable_api

Open another command prompt, navigate to the folder where the script file is saved and run:
python automate_script.py

- This will be showcased in detail in the demo
Support and Serviceability
We’re making it easier for you to understand the process and to address issues if needed:
• Key information right where you need it
• Link to detailed documentation
• Enhanced report storing in sub-folders
• Support bundle to download logs, DB and configuration

Value of Telemetry & Troubleshooting
General telemetry: getting telemetry about occurring issues helps us
Detect → Prioritize → Resolve issues → Help you succeed

Support bundle for troubleshooting*

Customer Migration Scenario
Migration Tasks
Tasks to be performed prior to and after migration to an FTD appliance:
1 Start
2 Review ASA configuration
3 Deploy FTD appliance (register to FMC; connect to interfaces)
4 Launch the Migration Tool
5 Select the FTD device
6 Map interfaces
7 Map IZ and SZ
8 Review & validate configuration
9 Push configuration to FMC
10 Deploy policies to FTD
11 Test connectivity
12 Review post-migration report
Migration Tasks – During Migration
Tasks to be performed during migration to an FTD appliance:
1 Connect to ASA
2 Shut down ASA interfaces
3 Clear ARP on switch
4 Review and update routing
5 Perform test plan

Demos
• FMT – desktop version
• FMT – CDO version
• Programmability demo
• Telemetry demo

Best Practices & Troubleshooting
FMT Best Practices
Below is a high-level list of steps to be considered during migration.

• Download and run the latest migration tool.
• Review the FMT pre-migration checklist.
• Create a separate user account on FMC, with admin access, for FMT tool usage. The tool pushes configuration through the FMC REST API with this account, so keep it dedicated to the migration: its actions then stay attributable in the FMC audit log, and it can be disabled or deleted once the migration is complete.
• Map the interfaces and follow the on-screen steps to review and validate the configuration.
• Review the post-migration report.
• Deploy the policies on FMC.
• Run the connectivity test and monitor logs on FMC.

Migration Tool Repository
File location | File | Purpose
(User)/Downloads/FMT/ | Firepower_Migration_Tool_build(number)....exe | launches the tool
(User)/Downloads/FMT/ | ftd_migration.sqllite | database the tool creates; data store for the tool
(User)/Downloads/FMT/resources/migration_report_(long number)/ | asa configuration | ASA configuration
(User)/Downloads/FMT/resources/migration_report_(long number)/ | pre-migration report | pre-migration report
(User)/Downloads/FMT/resources/migration_report_(long number)/ | post-migration report | post-migration report
(User)/Downloads/FMT/log/ | log_(datetime) | dump of what appears in the console terminal window
(User)/Downloads/FMT/ | unparsed.txt | lines from the ASA config ignored during parsing

Error Messages and Troubleshooting
Example troubleshooting logs:
• [ERROR | route_model.py:86] > Error parsing route [eth3-02.512, 202.73.195.206/32]: list index out of range
• [ERROR | object_group_model.py:103] > [n-10.165.96.0_19] object not found when creating object-group network
• [ERROR | actions] > "Error while validating: 'NoneType' object has no attribute 'name'"
• HTTPS Connection Pool(host='10.127.215.204', port=443): Max retries exceeded with url: /api/fmc_config
• Object with the same name already exists
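As an added example (not the tool's own code), the Python below classifies those messages so a log_(datetime) file from the log/ folder can be triaged before collecting a support bundle. The sample lines are the ones listed above; the regular expressions and the suggested next step attached to each category are this example's reading of the messages, not documented tool behaviour (the pointers to unparsed.txt, the conflict-resolution step and the support bundle come from the slides above).

```python
import re
from collections import Counter

# Sample error lines copied from the troubleshooting slide; the surrounding log
# format (timestamps etc.) is not shown there, so only the message text is used.
SAMPLE_ERRORS = [
    "[ERROR | route_model.py:86] > Error parsing route [eth3-02.512, 202.73.195.206/32]: list index out of range",
    "[ERROR | object_group_model.py:103] > [n-10.165.96.0_19] object not found when creating object-group network",
    "[ERROR | actions] > \"Error while validating: 'NoneType' object has no attribute 'name'\"",
    "HTTPS Connection Pool(host='10.127.215.204', port=443): Max retries exceeded with url: /api/fmc_config",
    "Object with the same name already exists",
]

# (regex, category, suggested next step); first match wins. The next steps are
# this example's interpretation of the messages, not documented tool behaviour.
RULES = [
    (re.compile(r"\[ERROR \| (?P<module>\S+\.py):(?P<lineno>\d+)\] > Error parsing (?P<kind>\w+) \[(?P<item>[^\]]*)\]"),
     "parse_error",
     "a config line the parser could not handle; look for it in unparsed.txt and migrate it by hand"),
    (re.compile(r"\[(?P<object>[^\]]+)\] object not found when creating object-group (?P<kind>\w+)"),
     "missing_object",
     "a group references an object the parser never saw defined; check the uploaded config is complete"),
    (re.compile(r"Error while validating: '(?P<type>\w+)' object has no attribute '(?P<attr>\w+)'"),
     "validation_error",
     "a required field was empty at validation; re-check interface/zone mappings and edited objects"),
    (re.compile(r"HTTPS ?Connection ?Pool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\): Max retries exceeded"),
     "fmc_unreachable",
     "the FMC REST API did not answer on that host/port; check reachability and that TCP 443 is open"),
    (re.compile(r"Object with the same name already exists"),
     "name_conflict",
     "an object of that name is already on FMC; resolve it in the conflict step (re-use or rename)"),
]


def triage(line: str) -> dict:
    """Classify one log line and pull out the identifiers worth acting on."""
    for regex, category, action in RULES:
        m = regex.search(line)
        if m:
            return {"category": category, "details": m.groupdict(), "action": action}
    return {"category": "unknown", "details": {},
            "action": "collect the support bundle (logs, DB, configuration) for TAC"}


def summarize(lines) -> Counter:
    """Count lines per category, e.g. to see whether a run failed on parsing or on the push."""
    return Counter(triage(line)["category"] for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        t = triage(line)
        print(f"{t['category']:17} {t['details']}\n  -> {t['action']}")
    print(summarize(SAMPLE_ERRORS))
```

The categories separate the two halves of a failed run: parse_error and missing_object arise while the ASA configuration is read and point back at the config file, validation_error and name_conflict arise in the review and conflict steps of the tool, and fmc_unreachable means nothing was pushed at all.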

What are our Plans
NGFW Migration as a Service:
• Migration verification
• Migration support
• Knowledge transfer
• Design reviews

Key Takeaways
Benefit of Migration Tool
• Derive faster value realization from Cisco’s NGFW
• Complementary to partner-driven services
• Migration configuration validated by seasoned & skilled security consultants
• Provide support during migration to help mitigate risks
• Provide you with design best practices based on Cisco’s history of experience with a variety of vertical industries
• Enhance your knowledge of Cisco’s NGFW product features

Cisco Security Services
Our Security Services portfolio of people, tools, processes and technology helps you to do more, and many of our services are widely recognized by industry leaders and analysts as amongst the best capabilities in the market.

Continue your education
• Learn more at cs.co/ASA2FTD
• Download & run the tool on your machine
• Meet the engineer: 1:1 meetings
• Reach out to TAC
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Thank you
