User Guide for CISCO models including: 1700 Secure Firewall Management Center, 1700 Secure, Firewall Management Center, Management Center
Cisco Secure Firewall Management Center Model Migration Guide - Cisco
File Info : application/pdf, 18 Pages, 2.24MB
DocumentDocumentCisco Secure Firewall Management Center Model Migration Guide First Published: 2019-09-23 Last Modified: 2023-11-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 1 C H A P T E R About Secure Firewall Management Center Model Migration Secure Firewall Management Center allows you to migrate from one management center model to another management center model. After the migration, configurations and events from the source management center are available in the target management center. From Version 7.2, Firepower Management Center (FMC) is rebranded as Secure Firewall Management Center (management center). Firepower Threat Defense (FTD) is rebranded as Secure Firewall Threat Defense (threat defense). This chapter contains the following sections: · What's New in Management Center Model Migration, on page 1 · Supported Migration Paths, on page 1 What's New in Management Center Model Migration Feature Version Migrate Firepower Management Center 1000, 2500, or 4500 to Secure 7.4.x Firewall Management Center 1700, 2700, or 4700 Migrate Firepower Management Center 1600, 2600, or 4600 to Secure 7.4.x Firewall Management Center 1700, 2700, or 4700 Migrate Firepower Management Center 4600 to Secure Firewall Management Center Virtual 300 (FMCv300) for AWS 7.4.x Supported Migration Paths This guide describes the new features of the on-prem to on-prem model migration, which was first introduced in Management Center Version 6.5. If you want to migrate Management Center 1000/2500/4500/1600/2600/4600 to a cloud-delivered Firewall Management Center (cdFMC), see the chapter Migrate On-Prem Management Center Managed Secure Firewall Cisco Secure Firewall Management Center Model Migration Guide 1 Supported Migration Paths About Secure Firewall Management Center Model Migration Threat Defense to Cloud-Delivered Firewall Management Center in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. The following table lists the supported target management center models that you can migrate to from your source (current) management center model. Maximum Source Model Managed Devices Target Model FMC FMC FMC Management Management Management FMCv300 FMCv300 1600 2600 4600 Center 1700 Center 2700 Center 4700 (VMware) (AWS) 2 FMCv2 (VMware) Yes Yes Yes -- -- -- Yes -- 10 FMCv10 (VMware) Yes Yes Yes -- -- -- Yes -- 25 FMCv25 (VMware) Yes Yes Yes -- -- -- Yes -- 50 FMC 1000 Yes Yes Yes Yes Yes Yes Yes -- 50 FMC 1600 -- Yes Yes Yes Yes Yes Yes -- 250 FMC 2000 -- Yes Yes -- -- -- Yes -- 300 FMC 2500 -- Yes Yes -- Yes Yes Yes -- 300 FMC 2600 -- -- Yes -- Yes Yes Yes -- 300 FMCv300 (VMware) -- Yes Yes -- -- -- -- -- 750 FMC 4000 -- -- Yes -- -- -- -- -- 750 FMC 4500 -- -- Yes -- -- Yes -- -- 750 FMC 4600 -- -- -- -- -- Yes -- Yes 50 Management Center -- -- -- Yes Yes Yes -- -- 1700 300 Management Center -- -- -- -- 2700 Yes Yes -- -- 1000 Management Center -- -- -- -- -- Yes -- -- 4700 Cisco Secure Firewall Management Center Model Migration Guide 2 2 C H A P T E R Migrate Your Management Center from the Source Model to the Target Model This chapter provides information about the prerequisites and the workflow for the management center model migration. · Prepare for Migration, on page 3 · Standalone Management Center Model Migration Workflow, on page 6 · Management Center High-Availability Model Migration Workflow, on page 8 · How to Use the Management Center Model Migration Script, on page 11 · Troubleshooting Management Center Model Migration, on page 12 Prepare for Migration General Prerequisites · See Supported Migration Paths, on page 1 to determine which target model you can migrate to from your source model. · Management center model migration supports all management center licensing modes, including evaluation, connected, and Specific License Reservation (SLR). · Ensure that the target management center has the same number of interfaces as your source management center. · Verify that the target management center version matches the source management center version (including patch,Vulnerability Database [VDB], Lightweight Security Package [LSP], and Snort Rule Update [SRU]). To verify, in each management center choose Help > About. · Verify that all the pending deployments are completed successfully. · Configure the backup file in the source management center: 1. Choose System ( ) > Backup/Restore. 2. Click the Backup Mangement tab and click Firewall Mangement Backup. 3. Check the following check boxes: · Back Up Configuration Cisco Secure Firewall Management Center Model Migration Guide 3 Prepare for Migration Migrate Your Management Center from the Source Model to the Target Model · Backup Events · Backup Threat Intelligence Director · Confirm that you have the correct number of threat defense entitlements in Cisco Smart Software Manager (CSSM). · If a management center migrates to a higher platform and manages more threat defense devices, you must acquire the required licenses for the additional threat defense devices. · If the source management center is Unified Capabilities Approved Products List (UCAPL) compliant or Common Criteria (CC) compliant, after migration, the target management center will also be UCAPL or CC compliant. · For management center HA migrations: · If the target management centers are in HA, you must pause the synchronization in the target management centers before the migration. · Ensure that you meet all the HA requirements. For more information, see: · For versions 6.5 to 7.1, see the Requirements for Firepower Management Center High Availability topic in the Firepower Management Center Configuration Guide. · For Version 7.2 and later, see the Requirements for Management Center High Availability topic in the Cisco Secure Firewall Management Center Administration Guide. · After migration, you must deregister the licenses from the source management center and register the licenses in the target management center. · After migration, if you want to manage a different group of threat defense devices in the source management center: · Ensure that source management center cannot reach the stale threat defense devices. · Delete the stale devices that are now managed by the target management center. Note If the source management center can reach the stale devices, these devices will be deregistered from the target management center. Prerequisites for Migrating Management Center 1000, 2500, or 4500 to Management Center 1700, 2700, or 4700 1. Ensure that Management Center 1000, 2500, or 4500 and all the corresponding managed threat defense devices are Version 7.0.x. We recommend that you use Version 7.0.5. 2. Upgrade Management Center 1000, 2500, or 4500 from Version 7.0.x to 7.4.x. This upgrade is only for migration. For more information about the upgrade, see the Cisco Firepower Management Center Upgrade Guide, Version 6.07.0 Cisco Secure Firewall Management Center Model Migration Guide 4 Migrate Your Management Center from the Source Model to the Target Model Prepare for Migration Prerequisites for Management Center 1600, 2600, or 4600 to Management Center 1700, 2700, or 4700 · Upgrade Management Center 1600, 2600, or 4600 to 7.4.x. For more information about upgrade, see Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center. · Ensure that the source management center manages only threat defense devices with Version 7.0.x. Prerequisites for Migrating Management Center 4600 to Management Center Virtual 300 (FMCv300) for AWS · Note that Management Center Virtual 300 has lower limits than Management Center 4600. We recommend that you refer to the following table before you migrate. Table 1: Compatibility Check for Migrating Management Center 4600 to Management Center Virtual 300 for AWS Performance and Functionality Management Center 4600 (Current Management Center Virtual 300 Configuration) (Maximum Limit) Overall size (Event Storage Space) 3.2 TB 2 TB Total devices 750 300 Maximum IPS events 300 million 60 million Memory 128 GB 64 GB CPU Two Intel Xeon 4214 processors 32 vCPUs Maximum network map size (hosts/users) 600,000/600,000 150,000/150,000 Maximum event rate (events per 20,000 eps second) 12,000 eps · Ensure that the source Management Center 4600 and the target Management Center Virtual 300 for AWS are Version 7.4.x. · Ensure that Management Center Virtual 300 for AWS has a license. · From Version 7.4.x, after migration, you must update the following parameters: · IP address of the target management center · Manager details in all the managed threat defense devices. For more information, see Update the Management Center IP Address or Hostname on the Threat Defense Device, on page 12. Limitations for Migrating Management Center 1000/2500/4500/1600/2600/4600 to Management Center 1700/2700/4700 · For the migration, you can upgrade Management Center 1000, 2500, or 4500 only from Version 7.0.x to 7.4.x. Upgrades from 7.0.x to 7.1.x, 7.2.x, or 7.3.x are not available. · You cannot use Management Center 1000, 2500, or 4500 with Version 7.4.x to manage threat defense devices. Upgrades from 7.0.x to 7.4.x support only migration to Management Center 1700, 2700, or 4700. Cisco Secure Firewall Management Center Model Migration Guide 5 Standalone Management Center Model Migration Workflow Migrate Your Management Center from the Source Model to the Target Model · You cannot migrate Management Center 1000, 2500, 4500, 1600, 2600, or 4600 that manage the following types of devices: · Any threat defense device with Version 7.0.x or earlier. · NGIPSv or FirePOWER services. Standalone Management Center Model Migration Workflow The following flowchart illustrates the workflow for migrating a source management center to a target management center. Note Ensure that you meet the prerequisites described in Prepare for Migration, on page 3. Table 2: Standalone Management Center Model Migration Workflow Step Task More Info Create a backup file in the source management For versions 6.5 to 7.1, see the Back Up the FMC topic in the center. Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Back Up the Management Center topic in the Cisco Secure Firewall Management Center Administration Guide. Prepare for migration. See Prepare for Migration, on page 3. Cisco Secure Firewall Management Center Model Migration Guide 6 Migrate Your Management Center from the Source Model to the Target Model Standalone Management Center Model Migration Workflow Step Task More Info Copy the generated backup file to the target management center. For versions 6.5 to 7.1, see the Restore an FMC from Backup topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Restore Management Center from Backup topic in the Cisco Secure Firewall Management Center Administration Guide. Disconnect the target management center from Physically disconnect the target management center from the the network. network. Execute the migration script in the target management center. See How to Use the Management Center Model Migration Script, on page 11. Unregister your source management center from For versions 6.5 to 7.1, see the Deregister a Firepower Cisco Smart Software Manager (CSSM). Management Center from the Cisco Smart Software Manager topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Deregister the Management Center topic in the Cisco Secure Firewall Management Center Administration Guide. Disconnect the source management center from Physically disconnect the source management center from the the network. network. Connect the target management center to your network. After a successful migration, the target management center gets the IP address of the source management center. If required, you can assign a new IP address to the target management center. If you change the management center IP address after migration, you must do the following: · Update the Management Center IP Address or Hostname on the Threat Defense Device, on page 12. · Update the NAT configuration between the management center and its managed devices. Update the manager details on all the managed See Update the Management Center IP Address or Hostname threat defense devices, if required. on the Threat Defense Device, on page 12. Enable smart licensing in the target management For versions 6.5 to 7.1, see the License Requirements for center. Firepower Management Center topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Configure Smart Licensing topic in the Cisco Secure Firewall Management Center Administration Guide. Cisco Secure Firewall Management Center Model Migration Guide 7 Management Center High-Availability Model Migration Workflow Migrate Your Management Center from the Source Model to the Target Model Step Task More Info Verify the heartbeats for all the threat defense devices managed by the target management center. Verify that the data is migrated successfully to the target management center. Log in to the target management center. Verify that all the configurations are restored and basic management center operations such as policy editing, deployment, and scheduled jobs work as expected. Management Center High-Availability Model Migration Workflow You can migrate your management center HA setup by executing the migration script on the target primary management center, secondary management center, or both. The following flowchart illustrates the workflow for migrating your management center HA setup from the source models to the target models. Note Ensure that you meet the prerequisites described in Prepare for Migration, on page 3. Cisco Secure Firewall Management Center Model Migration Guide 8 Migrate Your Management Center from the Source Model to the Target Model Management Center High-Availability Model Migration Workflow Table 3: Firewall Management Center High-Availability Model Migration Workflow Step Task Create a backup file in each of the source management centers. The backup pauses the HA synchronization. Set up the target management centers. More Info For versions 6.5 to 7.1, see the Back Up the FMC topic in the Firepower Management Center Configuration Guide For Version 7.2 and later, see the Back Up the Management Center topic in the Cisco Secure Firewall Management Center Administration Guide. See Prepare for Migration, on page 3. Copy the generated backup files to the target management For versions 6.5 to 7.1, see the Restore an FMC from centers. Backup topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Restore Management Center from Backup topic in the Cisco Secure Firewall Management Center Administration Guide. Disconnect target management centers from the network. Note If the target management centers are in HA, before the migration, you must pause the synchronization on the target management centers. Physically disconnect the target management centers from the network. Execute the migration script in the target management centers. How to Use the Management Center Model Migration Script, on page 11 Unregister your source management centers from the Cisco For versions 6.5 to 7.1, see the Deregister a Firepower Smart Software Manager (CSSM). Management Center from the Cisco Smart Software Manager topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Deregister the Management Center topic in the Cisco Secure Firewall Management Center Administration Guide. Disconnect source management centers from the network. Physically disconnect the source management centers from the network. Cisco Secure Firewall Management Center Model Migration Guide 9 Management Center High-Availability Model Migration Workflow Migrate Your Management Center from the Source Model to the Target Model Step Task More Info Connect the target management centers to the network. After a successful migration, the target management centers get the IP addresses of the source management centers. If required, you can assign new IP addresses. If you change the management center IP address after migration, you must do the following: · Update the Management Center IP Address or Hostname on the Threat Defense Device, on page 12. · Update the NAT configuration between the management center and its managed devices. Update the manager details on all the managed threat defense See Update the Management Center IP Address or devices, if required. Hostname on the Threat Defense Device, on page 12. Validate connectivity between the target management centers. For versions 6.5 to 7.1, see the Viewing Firepower Management Center High Availability Status topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Viewing Management Center High Availability Status topic in the Cisco Secure Firewall Management Center Administration Guide. Pause HA synchronization till the threat defenses connect to the target management centers and resume the HA synchronization. For versions 6.5 to 7.1, see the Pausing Communication Between Paired Firepower Management Centers and Restarting Communication Between Paired Firepower Management Centers topics in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Pausing Communication Between Paired Management Centers and Restarting Communication Between Paired Management Centers topics in the Cisco Secure Firewall Management Center Administration Guide. Verify that the HA configuration of the management centers For versions 6.5 to 7.1, see the Viewing Firepower is healthy and that there are no alerts. Management Center High Availability Status topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Viewing Management Center High Availability Status topic in the Cisco Secure Firewall Management Center Administration Guide. Cisco Secure Firewall Management Center Model Migration Guide 10 Migrate Your Management Center from the Source Model to the Target Model How to Use the Management Center Model Migration Script Step Task More Info Register smart licensing in the target primary active management center. For versions 6.5 to 7.1, see the License Requirements for Firepower Management Center topic in the Firepower Management Center Configuration Guide. For Version 7.2 and later, see the Configure Smart Licensing topic in the Cisco Secure Firewall Management Center Administration Guide. Verify the heartbeats for all the threat defense devices managed by the target management center. Verify that the data is migrated successfully to the target management centers. Log in to the target management center. Verify that all the configurations are restored and basic management center operations such as policy editing, deployment, and scheduled jobs work as expected. How to Use the Management Center Model Migration Script Perform the following procedure to use the migration script. Note that this procedure is only one part of the management center model migration. See Standalone Management Center Model Migration Workflow, on page 6 or Management Center High-Availability Model Migration Workflow, on page 8 for details about the full model migration workflow. Procedure Step 1 Step 2 Step 3 Log in to the target management center CLI. Run the expert command to switch to expert mode. Execute the migration command: /var/sf/backup/sf-migration.pl backup_file_path Example: root@firepower:# /var/sf/bin/sf-migration.pl /var/sf/backup/100localbackup-2023-05-20examp.tar Note that when the migration process is completed, the system reboots. What to do next Return to Standalone Management Center Model Migration Workflow, on page 6 or Management Center High-Availability Model Migration Workflow, on page 8 and complete all the remaining steps. Cisco Secure Firewall Management Center Model Migration Guide 11 Migrate Your Management Center from the Source Model to the Target Model Update the Management Center IP Address or Hostname on the Threat Defense Device Update the Management Center IP Address or Hostname on the Threat Defense Device After migration, if the network configuration of the target management center is different from that of the source management center, you must update the IP address or hostname of the management center on each threat defense device. Procedure Step 1 From the threat defense CLI, get the unique identifier for the management center using the show managers command: Example: > show managers Type Host Display name Identifier Registration Management type : Manager : xx.xx.x.x : xx.xx.x.x : f7ffad78-bf16-11ec-a737-baa2f76ef602 : Completed : Configuration and analytics Step 2 Step 3 Step 4 Update the management center IP address or hostname using the configure manager command: configure manager edit fmc_uuid hostname fmc_ipaddress Example: > configure manager edit f7ffad78-bf16-11ec-a737-baa2f76ef602 hostname xx.xx.x.x Updating hostname from xx.xx.x.x to xx.xx.x.x Manager hostname updated. Update the management center display name using the configure manager command: configure manager edit fmc_uuid displayname fmc_ipaddress Example: > configure manager edit f7ffad78-bf16-11ec-a737-baa2f76ef602 displayname xx.xx.x.x Updating displayname from xx.xx.x.x to xx.xx.x.x Manager displayname updated. Verify the updated management center configuration using the show managers command again. Troubleshooting Management Center Model Migration Table 4: Management Center Model Migration Error Messages Error Message Migration data size is greater than the storage space of the target management center. Recommended Action Increase the size of the target management center. Cisco Secure Firewall Management Center Model Migration Guide 12 Migrate Your Management Center from the Source Model to the Target Model Troubleshooting Management Center Model Migration Error Message Recommended Action Interface count mismatch. The source and target management centers must have the same number of interfaces. See Prepare for Migration, on page 3. No migration path exists from the Secure Firewall Management Center 4500 to Secure Firewall Management Center 2700. See Supported Migration Paths, on page 1. No migration path exists from the You can migrate a Secure Firewall Management Secure Firewall Management Center 4600 to the Center 4600 to only a Management Center Virtual Secure Firewall Management Center for VMware 300 (FMCv300) for AWS or Secure Firewall 300. Management Center 4700. See Supported Migration No migration path exists from the Paths, on page 1. Secure Firewall Management Center 4600 to Secure Firewall Management Center for Azure 300. Device count is more than 300. 1. Reduce the device count in the source management center (Secure Firewall Management Center 4600). 2. Create a backup file in the source management center before migrating to the target management center (Management Center Virtual 300 [FMCv300] for AWS). See Prepare for Migration, on page 3. Cisco Secure Firewall Management Center Model Migration Guide 13 Troubleshooting Management Center Model Migration Migrate Your Management Center from the Source Model to the Target Model Cisco Secure Firewall Management Center Model Migration Guide 14 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2023 Cisco Systems, Inc. All rights reserved.
Cisco Trademarks - CiscoCisco Secure Firewall Management Center - Configuration Guides - CiscoManaging Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator - Migrate On-Prem Management Center Managed Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center [Cisco Defense OrchestraCisco Firepower Management Center Upgrade Guide, Version 6.0–7.0 - Cisco