CISCO Defense Orchestrator User Guide

: June 1, 2024
: Cisco

Table of Contents

Defense Orchestrator
Specifications
Product Usage Instructions
Overview
Step 1: Accessing the Tool
Step 2: Initiating Migration
Step 3: Configuration Mapping
Step 4: Validation and Testing
Step 5: Finalizing Migration
- FAQ
Q: Can I use the Firewall Migration Tool for other firewall
Q: How long does the migration process typically take?
Q: Is there a risk of data loss during migration?
- Read User Manual Online (PDF format)
- Download This Manual (PDF format)

Defense Orchestrator

“`html

Specifications

Product: Firewall Migration Tool in Cisco Defense
Orchestrator
First Published: 2023-02-21
Last Modified: 2024-01-25
Manufacturer: Cisco Systems, Inc.
Website: http://www.cisco.com
Headquarters: 170 West Tasman Drive San Jose, CA 95134-1706
USA
Contact Tel: 408 526-4000, Fax: 408 527-0883

Product Usage Instructions

Overview

The Firewall Migration Tool in Cisco Defense Orchestrator is
designed to assist users in migrating existing firewall
configurations to a Secure Firewall Threat Defense device managed
by the cloud-delivered Firewall Management Center on their CDO
tenant.

Step 1: Accessing the Tool

Log in to your Cisco Defense Orchestrator (CDO) account. Locate
and access the cloud version of the Cisco Secure Firewall migration
tool within the CDO interface.

Step 2: Initiating Migration

Follow the on-screen instructions within the migration tool to
initiate the migration process. You may need to provide details
about your existing firewall configurations.

Step 3: Configuration Mapping

Map your current firewall settings to the corresponding
configurations on the Secure Firewall Threat Defense device. Ensure
that all necessary rules and policies are correctly mapped for a
seamless transition.

Step 4: Validation and Testing

Validate the migrated configurations and perform testing to
ensure that the firewall rules are functioning as expected on the
new device. Make any necessary adjustments if discrepancies are
found.

Step 5: Finalizing Migration

Once you are satisfied with the migrated configurations and
testing results, finalize the migration process. Your existing
firewall configurations should now be successfully transferred to
the Secure Firewall Threat Defense device.

FAQ

Q: Can I use the Firewall Migration Tool for other firewall

brands?

A: The Firewall Migration Tool in Cisco Defense Orchestrator is
specifically designed for migrating configurations to Secure
Firewall Threat Defense devices managed by CDO. It may not be
compatible with firewalls from other brands.

Q: How long does the migration process typically take?

A: The duration of the migration process can vary depending on
the complexity of your existing firewall configurations. It is
recommended to allocate sufficient time for configuration mapping,
validation, and testing.

Q: Is there a risk of data loss during migration?

A: While every effort is made to ensure a smooth migration
process, it is advisable to back up your firewall configurations
before initiating migration to mitigate any potential risks of data
loss.

“`

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator
First Published: 2023-02-21 Last Modified: 2024-01-25
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE- NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2023 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 1 Is This Guide for You? 1 Getting Started with the Firewall Migration Tool in Cisco Defense Orchestrator 2 Supported Configurations 2 Licenses 4 Initialize a New Migration Instance 5 Delete a Migration Instance 5 Using the Demo Mode in the Secure Firewall Migration Tool 5 Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator 6 Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator 9 Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator 12 Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator 15 Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator 17 Related Documentation 19

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator iii

Contents
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator iv

1 C H A P T E R
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator
This document assists you in using the cloud version of the Cisco Secure Firewall migration tool hosted on Cisco Defense Orchestrator (CDO). CDO hosts a cloud version of the Cisco Secure Firewall migration tool that you can use to migrate your existing firewall configurations to a Secure Firewall Threat Defense device managed by the cloud-delivered Firewall Management Center that is deployed on your CDO tenant.
· Is This Guide for You?, on page 1 · Getting Started with the Firewall Migration Tool in Cisco Defense Orchestrator, on page 2 · Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in
Cisco Defense Orchestrator, on page 6 · Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool
in Cisco Defense Orchestrator, on page 9 · Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in
Cisco Defense Orchestrator, on page 12 · Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator, on page
15 · Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration
Tool in Cisco Defense Orchestrator, on page 17 · Related Documentation, on page 19
Is This Guide for You?
This guide is for you if you use CDO to manage your Secure Firewall ASA devices and FDM-managed threat defense devices or you use third-party firewalls such as Palo Alto Networks, Check Point, and Fortinet firewalls and you want to move into the Cisco Secure Firewall Threat Defense. You can migrate all your existing firewall configurations to a threat defense device managed by your cloud-delivered Firewall Management Center using the Secure Firewall migration tool in CDO. This document describes what you need to do to migrate your configurations.
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 1

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Getting Started with the Firewall Migration Tool in Cisco Defense Orchestrator
Getting Started with the Firewall Migration Tool in Cisco Defense Orchestrator
The migration tool in CDO extracts the device configurations from the source device that you select or from a configuration file that you upload and migrates them to the cloud-delivered Firewall Management Center provisioned on your CDO tenant, after you validate the configurations. The migration tool supports most configurations; unsupported configurations must be manually configured in the cloud-delivered Firewall Management Center. See Supported Configurations, on page 2. When you initialize a new migration in Tools & Services > Firewall Migration Tool and Launch it, a cloud instance of the migration tool opens in a new browser tab and enables you to perform your migration tasks using a guided workflow. The migration tool in CDO eliminates the need for you to download and maintain the desktop version of the Secure Firewall migration tool.
You can migrate the following Cisco and third-party firewall configurations to Secure Firewall Threat Defense devices using the migration tool hosted on CDO:
· Cisco Secure Firewall ASA · Secure Firewall Threat Defense managed by Firewall Device Manager · Check Point firewall · Palo Alto Networks firewall · Fortinet firewall
Important You need an admin or a super admin user role in CDO to be able to use the Firewall migration tool.
Supported Configurations
The migration tool supports the following configurations:
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 2

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator

Supported Configurations

· Network objects and groups · Service objects, except those configured for a source and destination · Referenced ACL and NAT rules · Service object groups
Note Nested service object group contents are broken down to individual objects before being migrated, because the cloud-delivered management center does not support nesting.
· IPv4 and IPv6 FQDN objects and groups · IPv6 conversion (interface, static routes, objects, ACL, and NAT) · Access rules applied to ingress interfaces · Global ACLs · Auto NAT, manual NAT, and object NAT · Static routes, equal-cost multipath (ECMP) routes, and policy-based routing (PBR) · Physical interfaces · Sub-interfaces · Port channels · Virtual tunnel interface · Bridge groups in transparent mode · IP SLA objects – the migration tool creates them, maps them with static routes, and migrates them · Time-based objects · Site-to-site VPN
· Site-to-Site VPN–When the Firewall migration tool detects crypto-map configuration in the source ASA, FDM-managed device, Palo Alto Networks firewall, or Fortinet firewall, the Secure Firewall migration tool migrates it as a point-to-point topology to the management center VPN
· Crypto-map (static/dynamic)-based VPN from ASA, FDM-managed devices, Palo Alto Networks firewall, and Fortinet firewall
· Route-based (VTI) ASA and FDM VPN · Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks firewall,
Fortinet firewall
Important If you have site-to-site VPN configurations in your source ASA, FDM- managed device, Palo Alto Networks firewall, or Forinet firewall, ensure that their device trustpoint or certificates are configured manually in the cloud- delivered FMC.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 3

Licenses

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator

· Remote-access VPN · SSL and IKEv2 protocols · Authentication methods–AAA only, client certificate only, SAML, AAA, and client certificate · AAA–Radius, local, LDAP, and AD · Connection profiles, group policy, dynamic access policy, LDAP attribute map, and certificate map · Standard and extended ACL · Custom attributes and VPN load balancing
Important If you have configured remote-access VPN in your source firewall, ensure the following tasks are performed: · Configure the ASA,FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually on the management center as PKI objects · Retrieve AnyConnect packages, Hostscan files (dap.xml, data.xml, hostscan package), external browser package, and AnyConnect profiles from the source ASA and FDM-managed device · Upload all AnyConnect packages and profiles to the management center
· Dynamic route objects, BGP, and EIGRP · Policy list · Prefix list · Community list · Autonomous system (AS) path · Route map

Note The migration tool analyzes all objects and object groups based on both their name and configuration, and reuses objects that have the same name and configuration; however, XML profiles in remote access VPN configurations are validated only using their name.
Refer to Cisco Secure Firewall Migration Tool Compatibility Guide for more information.

Licenses

The Secure Firewall migration tool does not require any additional license to be accessed from CDO.
However, you need to have a CDO base subscription and licenses for the threat defense features you want to migrate.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 4

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator

Initialize a New Migration Instance

Step 1 Step 2 Step 3
Step 4 Step 5 Step 6

Log in to your CDO tenant. Choose Tools & Services > Firewall Migration Tool.

Click the blue plus button to initialize a new migration instance.

Note

The Firewall migration tool enables you to create up to 10 migrations and launch all of them

concurrently–each migration instance opens up in a new browser tab. However, if there are several users

provisioned on your tenant, note that you can launch only migrations that you created.

If you want to initialize a new migration instance when you already have 10 migrations, delete one of the existing migration instances.

CDO generates a name for your migration automatically; you can use the auto- generated name or change it to suit your needs.
Click OK and wait until you see the status change from Initializing to Ready to Migrate. CDO also notifies you with a new announcement on the Notifications pane when your migration is ready.
On the new migration, click Launch.

The migration tool opens in a new browser tab and does not require any authentication.

Note

Migrations in CDO are valid for seven days from the date of being created, after which they are automatically

deprovisioned. This ensures that CDO resources are freed up from time to time. You can check the dates in

the Created Date and Deprovisioning Date columns.

CDO displays the status of all the migrations in the Status column; you can filter out the migrations based on the their statuses. You can also select a migration to see migration details, such as date and time of creation, date and time of start, source and destination device names, and created by on the right pane. Note that when several users are provisioned on your CDO tenant, you can only launch migrations you created.

Delete a Migration Instance
Follow the steps below if you intend to deprovision your migration manually before CDO automatically deprovisions it. For example, you can delete a migration after your migration tasks are finished.

Step 1 Step 2 Step 3

Choose Tools & Services > Firewall Migration Tool. On the migration you want to delete, click Delete under the Actions pane. Confirm your action by clicking Delete.

Using the Demo Mode in the Secure Firewall Migration Tool
When you launch the Secure Firewall Migration tool and are on the Select Source Configuration page, you can choose to start performing a migration using Start Migration or enter the Demo Mode.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 5

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
The demo mode provides an opportunity to perform a demo migration using dummy devices and visualize how an actual migration flow would look like. The migration tool triggers the demo mode based on the selection you make in the Source Firewall Vendor drop-down; you can also upload a configuration file or connect to a live device and continue with the migration. You can proceed performing the demo migration by selecting demo source and target devices such as demo FMC and demo FTD devices.
Caution Choosing Demo Mode erases existing migration workflows, if any. If you use the demo mode while you have an active migration in Resume Migration, your active migration is lost and needs to be restarted from first, after you use the demo mode.
You can also download and verify the pre-migration report, map interfaces, map security zones, map interface groups, and perform all other actions like you would in an actual migration workflow. However, you can only perform a demo migration up to validation of the configurations. You cannot push the configurations to the demo target devices you selected because this is only a demo mode. You can verify the validation status and the summary and click Exit Demo Mode to go the Select Source Configuration page again to start your actual migration.
Note The demo mode lets you leverage the whole feature set of the Secure Firewall Migration Tool, except pushing of configurations, and do a trial run of the end-to-end migration procedure before performing your actual migration.
Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
The Secure Firewall migration tool in CDO lets you to migrate configurations from live ASA devices that are managed by CDO or using a configuration file extracted from an ASA device. To read more about the Secure Firewall ASA configurations supported for migration, see ASA Configuration Support in the Migrating Cisco Secure Firewall ASA to Cisco Secure Firewall Threat Defense with the Migration Tool book. Select Source Configuration After launching your migration instance from CDO, choose Cisco ASA in Select Source Configuration and click Start Migration. You can either manually upload an ASA configuration file or choose any one of the CDO-managed ASA devices listed on the Connect to ASA pane. If you are trying to select a CDO-managed device, note that devices having Configuration Status as Synced are only listed by the migration tool; if you do not see the device you want to migrate in the list, check if the device configuration changes are up-to-date and synced with CDO. Note that one ASA device can be selected as the source device by more than one user at the same time and the confuguration extraction takes place seamlessly. If you have one or more security contexts configured on your ASA device, the migration tool allows you to choose which context you want to migrate; you can also merge all your contexts to a single instance and then migrate them. Refer Select the ASA Primary Security Context for more information. The migration tool parses the device configuration and displays a summary containing the parsed configurations. Click Next. Select Target
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 6

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate your ASA configuration to or choose to Proceed without FTD. Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target.
Caution Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.
Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide. The flowchart that follows illustrates the step-by-step procedure for migrating an ASA to threat defense using the Firewall migration tool in CDO.
Figure 1: End-to-End Procedure for ASA to FTD Migration with Firewall Migration Tool in CDO

To perform the procedure with more detailed steps, continue to Obtain the ASA Configuration File in the Migrating Cisco Secure Firewall ASA to Threat Defense with the Migration Tool guide.

Workspace

Steps

CDO

Log in to your CDO tenant, navigate Tools & Services > Firewall Migration

Tool, and click the blue plus instance.

button to start provisioning a new migration

ASA CLI

(Optional) Obtain the ASA configuration file: To obtain the ASA config file from ASA CLI, see Obtain the ASA Configuration File. If you intend to select a CDO-managed ASA device in the Select Source Configuration, skip to Step 3.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 7

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate Secure Firewall ASA to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

ASA CLI

(Optional) Export public key infrastructure (PKI) certificates from ASA CLI: This step is required only if you are planning to migrate site-to site VPN and RAVPN configurations from ASA to threat defense. To export the PKI certificates from ASA CLI, see Export PKI Certificate from ASA and Import into Management Center. If you do not have remote-access VPN configurations on your device or you are not planning to migrate site-to-site VPN and remote-access VPN, skip to Step 7.

ASA CLI

(Optional) Export AnyConnect packages and profiles from ASA CLI: This step is required only if you are planning to migrate remote-access VPN features from ASA to threat defense. To export AnyConnect packages and profiles from ASA CLI, see Retrieve AnyConnect Packages and Profiles.

Cloud-delivered (Optional) Import the PKI certificates and AnyConnect packages to the

Firewall

management center: To import the PKI certificates to management center,

Management Center see Step 2 in Export PKI Certificate from ASA and Import into Management

Center and Retrieve AnyConnect Packages and Profiles.

CDO

Ensure that the status of the migration instance you created is Ready to Migrate and click Launch; the Secure Firewall Migration Tool opens in a new browser tab.

Secure Firewall Migration Tool

(Optional) Upload the ASA config file obtained from ASA CLI, see Upload the ASA Configuration File. If you are planning to migrate configuration from an ASA device managed by CDO, skip to Step 8.

Secure Firewall Migration Tool

From the list of ASA devices shown, that are managed by your CDO tenant, select the device whose configuration you want to migrate. If you have configured more than one security context on your ASA device, select the context you wish to migrate or choose to merge all the contexts to a singe instance in the Primary Context Selectiondrop-down. See Select the ASA Primary Security Context for more information.

Secure Firewall Migration Tool

On the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default.

Secure Firewall Migration Tool

Select a target device from the list of threat defense devices managed by your cloud-delivered Firewall Management Center or choose Proceed without FTD and proceed.

Secure Firewall Migration Tool

Download the pre-migration report and review it for a detailed summary of the parsed configuration. For detailed steps, see Review the Pre-Migration Report.

Secure Firewall Migration Tool

Map FTD Interface with the ASA configuration.
Because the names of physical and port channel interfaces on your ASA and threat defense devices are not always the same, you can select to which interface in the target threat defense device you want an ASA interface to get mapped. For more information, see Map ASA Configurations with Secure Firewall Device Manager Threat Defense Interfaces.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 8

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

Secure Firewall Migration Tool

Map ASA interfaces to existing threat defense security zones and interface groups. See Map ASA Interfaces to Security Zones and Interface Groups for detailed steps.

Secure Firewall Migration Tool

Optimize, Review and Validate Configuration with caution and ensure ACLs, objects, NAT, interfaces, routes, site-to-site VPN, and remote-access VPN rules are configured as intended for the destination threat defense device. See Optimize, Review and Validate the Configuration.

Secure Firewall Migration Tool

Once your configuration validation is a success, Push Configuration to the cloud-delivered Firewall Management Center. For more information, see Push the Migrated Configuration to Management Center.

Local Machine

Download the post-migration report and review it. To know more on what information the post-migration report contains, see Review the Post-Migration Report and Complete the Migration.

Cloud-delivered Deploy the newly migrated configuration to the threat defense device. Firewall Management Center

Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
You can migrate FDM-managed device configurations using configuration files or by simply selecting the FDM-managed devices that are onboarded to CDO. To read more about the FDM-managed device configurations supported for migration, see FDM-Managed Device Configuration Support in Migrating an FDM-Managed Device to Secure Firewall Threat Defense with the Migration Tool book.
Select Source Configuration
After launching your migration instance from CDO, choose Cisco Secure Firewall Device Manager in Select Source Configuration and choose from of the following options:
· Migrate Firepower Device Manager (Shared Configurations Only)
· Migrate Firepower Device Manager (Includes Device & Shared Configurations)
· Migrate Firepower Device Manager (Includes Device & Shared Configurations) to FTD Device (New Hardware)
On clicking Continue, the migration tool enables you to either manually upload an FDM-managed device configuration file or choose any one of the FDM-managed devices onboarded to CDO, which are listed on the Connect to FDM pane and click Next.
Select Target

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 9

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration. Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target.
Caution Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.
The flowchart that follows illustrates the step-by-step procedure for migrating an FDM-managed device using the Firewall migration tool in CDO.
Figure 2: End-to-End Procedure for FDM-Managed Devices to FTD Migration with the Firewall Migration Tool in CDO

To perform the procedure with more detailed steps, continue to Obtain the FDM- managed Device Configuration File in the Migrating an FDM-managed Device to Secure Firewall Threat Defense with the Migration Tool guide.

Workspace

Steps

CDO

Log in to your CDO tenant, navigate Tools & Services > Firewall Migration

Tool, and click the blue plus instance.

button to start provisioning a new migration

Device Manager CLI (Optional) Obtain the FDM-managed device configuration file: To obtain the FDM-managed device config file from device manager CLI, see Obtain the FDM-Managed Device Configuration File. If you intend to select a CDO-managed FDM device in the Select Source Configuration, skip to Step 3.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 10

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrate an FDM-Managed Device to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

Device Manager CLI (Optional) Export PKI certificates and AnyConnect packages and profiles: This step is required only if you are planning to migrate site- to site VPN and remote-access VPN features from an FDM-managed device to threat defense. To export the PKI certificates from device manager CLI, see Step 1 in Export PKI Certificate from and Import into Firewall Management Center. To export AnyConnect packages and profiles from device manager CLI, see Step 1 in Retrieve AnyConnect Packages and Profiles. If you are not planning to migrate site-to-site VPN and remote-access VPN configurations, skip to Step 7.

Cloud-delivered (Optional) Import the PKI certificates and AnyConnect packages to

Firewall

management center: To import the PKI certificates to management center,

Management Center see Step 2 in Export PKI Certificate from and Import into Firewall

Management Center and Retrieve AnyConnect Packages and Profiles.

CDO

Ensure that the status of the migration instance you created is Ready and click Launch; the Secure Firewall Migration Tool opens in a new browser tab.

Secure Firewall Migration Tool

To select the source configuration firewall and migration option, see Select the Source Configuration Firewall and Migration.

Secure Firewall Migration Tool

(Optional) Upload the FDM-managed device config file obtained from device manager CLI, see Upload the FDM-Managed Device Configuration File. If you are migrating configuration from an FDM-managed device onboarded to CDO, skip to Step 8.

Secure Firewall Migration Tool

From the list of FDM-managed devices shown, that are managed by your CDO tenant, select the device whose configuration you want to migrate.

Secure Firewall Migration Tool

On the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default.

Secure Firewall Migration Tool

Select a target device from the list of threat defense devices managed by your cloud-delivered Firewall Management Center or choose Proceed without FTD and proceed.

Secure Firewall Migration Tool

Download the pre-migration report and review it for a detailed summary of the parsed configuration. For detailed steps, see Review the Pre-Migration Report.

Secure Firewall Migration Tool

Map FTD Interface with the FDM-managed device configuration.
Because the names of physical and port channel interfaces on your FDM and threat defense devices are not always the same, you can select to which interface in the target threat defense device you want an FDM-managed device interface to get mapped. For more information, see Map FDM-managed Device Configurations with Secure Firewall Device Manager Threat Defense Interfaces.

Secure Firewall Migration Tool

Map FDM-managed device interfaces to existing threat defense security zones and interface groups. See Map FDM-managed Interfaces to Security Zones and Interface Groups for detailed steps.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 11

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

Secure Firewall Migration Tool

Optimize, Review and Validate Configuration with caution and ensure ACLs, objects, NAT, interfaces, routes, site-to-site VPN, and remote-access VPN rules are configured as intended for the destination threat defense device. See Optimize, Review and Validate the Configuration.

Secure Firewall Migration Tool

Once your configuration validation is a success, Push Configuration to the cloud-delivered Firewall Management Center. For more information, see Push the Migrated Configuration to Management Center.

Local Machine

Download the post-migration report and review it. To know more on what information the post-migration report contains, see Review the Post-Migration Report and Complete the Migration.

Cloud-delivered Deploy the newly migrated configuration to the threat defense device. Firewall Management Center

Resume Migration
If you have started a migration from CDO and wish to continue later, you can simply close the Firewall migration tool tab. When you want to continue with the migration, you can log in to CDO and in Firewall Migration Tool click Launch on the migration you want to continue. The migration tool detects that you were migrating and lets you continue from where you left off. However, for the migration tool to detect that you have an ongoing migration, you must at least perform up to parsing of the source configuration. If you leave off a migration before performing this step, you can still launch the same migration from CDO but you must start the migration from the first.

Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
You can migrate your Check Point Firewall configurations to threat defense either by manually extracting the configuration from your firewall or using the configuration extractor that comes inbuilt with the migration tool. To know the Check Point configurations that are supported, see Check Point Configuration Support.
Select Source Configuration
In the Source Firewall Vendor drop-down, choose Check Point (r80-r81) or Check Point (r75-r77) based on the firewall version you want to migrate. You can manually upload an extracted firewall configuration using Manual Configuration Upload or use the Live Connect option to connect to the Check Point Security Gateway to export the configuration file.

Note You can use Live Connect only when you have selected Check Point (r80-81) and Configuration Extractor only when you have selected Check Point (r75-r77).

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 12

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Select Target In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration. Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target. Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide.
Caution Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.

To perform the migration with more detailed steps, continue to Export the Check Point Configuration Files in Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool book.

Workspace

Steps

Cisco Defense Orchestrator

Log in to your CDO tenant, navigate Tools & Services > Firewall Migration

Tool, and click the blue plus instance.

button to start provisioning a new migration

Cisco Defense Orchestrator

Launch your migration instance from CDO and choose Check Point (r75r77) or Check Point (r80r81) in the Source Firewall Vendor drop-down, based on your requirement.

Check Point Web Visualization Tool

(Optional) Export the Check Point configuration file for r77: To export the Check Point configuration files for r77, see Export the Check Point Configuration Files for r77. If you intend to export configuration files for r80 using Secure Firewall migration tool live connect feature, skip to step 6.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 13

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Check Point Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

Secure Firewall Migration Tool

(Optional) Connect to live Check Point (r80) and export the config file: To export the Check Point configuration files for r80 using live connect feature, see Export the Check Point Configuration Files for r80.

Local Machine

(Optional) Zip the exported files: select all the exported configuration files for r77 and compress them to a zip file. For detailed steps, see Zip the Exported Files.

Local Machine

Pre-stage the Check Point (r80) devices for config extraction: You must configure the credentials on Check Point (r80) devices before using Live Connect. For pre-staging credentials on Check Point (r80) devices, see Pre- Stage the Check Point Devices for Configuration Extraction Using Live Connect. This step is required only if you are planning to migrate configuration files for r80 devices.

Secure Firewall Migration Tool

(Optional) Upload the Check Point config file.

Secure Firewall Migration Tool

Specify the destination parameters for the Secure Firewall Migration Tool.

Secure Firewall Migration Tool

Navigate to where you downloaded the pre-migration report and review the report.

Secure Firewall Migration Tool

The Secure Firewall migration tool allows you to map the Check Point configuration with threat defense interfaces. For detailed steps, see Map Check Point Configurations with Secure Firewall Device Manager Threat Defense Interfaces.

Secure Firewall Migration Tool

To ensure that the Check Point configuration is migrated correctly, map the Check Point interfaces to the appropriate threat defense interface objects, security zones, and interface groups. For more information, see Map Check Point Interfaces to Security Zones and Interface Groups.

Secure Firewall Migration Tool

Optimize and review the configuration carefully and validate that it is correct and matches how you want to configure the threat defense device. For detailed steps, see Optimize, Review and Validate the Configuration to be Migrated.

Secure Firewall Migration Tool

This step in the migration process sends the migrated configuration to the cloud-delivered Firewall Management Center and allows you to download the post-migration report.

Local Machine

Navigate to where you downloaded the post migration report and review the report. For detailed steps, see Review the Post-Migration Report and Complete the Migration.

Cloud-Delivered Deploy the migrated configuration from the cloud-delivered firewall

Firewall

management center to threat defense.

Management Center

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 14

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator
Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator
The Firewall migration tool in CDO allows migrating configurations from Fortinet firewall to threat defense devices managed by your cloud-delivered Firewall Management Center. You can manually derive the configuration file from your Fortinet firewall and upload it to the migration tool to begin with your migration. To learn about supported Fortinet firewall configurations, see Fortinet Configuration Support. Select Source Configuration On the Select Source Configuration page, choose Fortinet (5.0+) and click Start Migration. Click Upload to choose the Fortinet configuration file and click Next. Select Target In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration. Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target. Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide.
Caution Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.
The flowchart that follows illustrates the step-by-step procedure for migration Fortinet firewall configurations to threat defense devices: To perform the procedure with more detailed steps, continue to Export Fortinet Firewall Configuration from Fortinet Firewall GUI in Migrating Fortinet Firewall to Secure Firewall Threat Defense with the Migration Tool guide.
Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 15

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Fortinet Firewall with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace Cisco Defense Orchestrator
Cisco Defense Orchestrator Fortinet Firewall
Secure Firewall Migration Tool Secure Firewall Migration Tool
Secure Firewall Migration Tool Secure Firewall Migration Tool

Steps

Log in to your CDO tenant, navigate Tools & Services > Firewall Migration

Tool, and click the blue plus instance.

button to start provisioning a new migration

After your migration instance is ready, click Launch and choose Fortinet (5.0+).

Export the Fortinet configuration to the local system. To export the configuration from Fortinet firewall, see Export the Configuration from Fortinet Firewall.

Upload the Fortinet config file exported from Fortinet firewall, see Upload the Fortinet Configuration File.

In this step, you can specify the destination parameters for the migration. For detailed steps, see Specify Destination Parameters for the Secure Firewall Migration Tool.
.

Navigate to where you downloaded the pre migration report and review the report. For detailed steps, see Review the Pre-Migration Report.

To ensure that the Fortinet configuration is migrated correctly, map the Fortinet interfaces to the appropriate threat defense interface objects, security zones, and interface groups. For detailed steps, see Map Fortinet Firewall Configurations with Secure Firewall Device Manager Threat Defense Interfaces.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 16

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Workspace

Steps

Secure Firewall Migration Tool

Map the Fortinet interfaces to the appropriate security zones, see Map Fortinet Interfaces to Security Zones for detailed steps.

Secure Firewall Migration Tool

Optimize and review the configuration carefully and validate that it is correct and matches how you want to configure the threat defense device. For detailed steps, see Optimize, Review and Validate the Configuration to be migrated.

Secure Firewall Migration Tool

This step in the migration process sends the migrated configuration to the cloud-delivered Firewall Management Center and allows you to download the post-migration report. For detailed steps, see Push the Migrated Configuration to Management Center.

Local Machine

Navigate to where you downloaded the post migration report and review the report. For detailed steps, see Review the Post-Migration Report and Complete the Migration.

Management Center Deploy the migrated configuration from the cloud-delivered Firewall Management Center to threat defense.

Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Select Source Configuration
You can migrate configurations from your Palo Alto Networks firewall by choosing Palo Alto Networks (6.1+) in the Source Firewall Vendor drop-down and manually uploading the derived configuration file to Firewall Migration Tool. To read about the Palo Alto Networks firewall configurations that are supported for migration and the limitations around them, see Guidelines and Limitations in the Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Migration Tool book.
Select Target
In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration.
Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target. Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 17

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Caution Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.

To perform the migration with more detailed steps, continue to Export the Check Point Configuration Files in Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool book.

Workspace

Steps

Cisco Defense Orchestrator

Log in to your CDO tenant, navigate Tools & Services > Firewall Migration

Tool, and click the blue plus instance.

button to start provisioning a new migration

Cisco Defense Orchestrator

Launch the migration instance from CDO and choose Palo Alto Networks (6.1+).

Palo Alto Networks Export the Configuration File: To export the configuration from Palo Alto

Firewall

Networks Firewall, see Export the Configuration from Palo Alto Networks.

Secure Firewall Migration Tool

Specify the destination parameters for the migration.

Secure Firewall Migration Tool

Navigate to where you downloaded the pre migration report and review the report. For detailed steps, see Review the Pre-Migration Report.

Secure Firewall Migration Tool

To ensure that the PAN configuration is migrated correctly, map the PAN interfaces to the appropriate threat defense interface objects, security zones, and interface groups. For detailed steps, see Map PAN Firewall Configurations with Secure Firewall Management Center Threat Defense Interfaces.

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator 18

Migrating Firewalls with the Firewall Migration Tool in Cisco Defense Orchestrator