Migrating an ASA Configuration to an FDM-Managed Device Template


Secure Firewall device manager (FDM) support and functionality are only available upon request. If you do not already have Firewall device manager support enabled on your tenant, you cannot manage or deploy to FDM-managed devices. Send a request to the support team to enable this platform.

Cisco Defense Orchestrator helps you migrate your ASA to an FDM-managed device. CDO provides a wizard to help you migrate these elements of the ASA's running configuration to an FDM-managed device template:

  • Access Control Rules (ACLs)

  • Interfaces

  • Network Address Translation (NAT) rules

  • Network objects and network group objects

  • Routes

  • Service objects and service group objects

  • Site-to-site VPN

Once these elements of the ASA running configuration have been migrated to an FDM-managed device template, you can apply the FDM template to a new FDM-managed device that is managed by CDO. The FDM-managed device adopts the configurations defined in the template, so it is now configured with some aspects of the ASA's running configuration.

Other elements of the ASA running configuration are not migrated by this process. Those elements are represented in the FDM-managed device template by empty values. When the template is applied to an FDM-managed device, we apply the values we migrated to the new FDM-managed device and ignore the empty values, so the new FDM-managed device retains whatever default values it has for those settings. The elements of the ASA running configuration that we did not migrate must be recreated on the FDM-managed device outside the migration process.
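The following is an added example, not part of the original documentation or of CDO: a pre-migration inventory that sorts the top-level lines of a saved ASA running configuration into the elements listed above and the remainder that has to be recreated or verified outside the migration. The mapping from CLI prefixes to elements, the function name `inventory`, and the sample configuration are assumptions made for this example.

```python
import re
from collections import Counter

# Assumption: ASA CLI prefixes mapped to the element names listed on the page.
# The page names the elements only; the wizard may not migrate every form of
# each command, so treat a match as a hint and still verify the template.
ELEMENT_PREFIXES = [
    (r"access-list\s", "Access Control Rules (ACLs)"),
    (r"interface\s", "Interfaces"),
    (r"nat\s", "Network Address Translation (NAT) rules"),
    (r"object(-group)?\s+network\s", "Network objects and network group objects"),
    (r"route\s", "Routes"),
    (r"object(-group)?\s+service\s", "Service objects and service group objects"),
    (r"crypto\s+(map|ipsec|ikev1|ikev2)\s", "Site-to-site VPN"),
]

# Constructed sample running-config (documentation address ranges only).
SAMPLE_CONFIG = """\
hostname asa-edge-01
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
object network WEB-SRV
 host 10.0.10.20
object-group service WEB-PORTS tcp
 port-object eq 443
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map VPN-MAP 10 match address VPN-ACL
aaa authentication ssh console LOCAL
ssh 198.51.100.0 255.255.255.0 outside
logging host inside 10.0.10.50
snmp-server host inside 10.0.10.51
"""

def inventory(config_text):
    """Return (Counter of listed elements seen, top-level lines to review)."""
    covered, review = Counter(), []
    for line in config_text.splitlines():
        # Indented lines are sub-commands of the block above; "!" and ":" start comments.
        if not line.strip() or line[0] in " \t!:":
            continue
        for pattern, element in ELEMENT_PREFIXES:
            if re.match(pattern, line):
                covered[element] += 1
                break
        else:
            review.append(line)  # not matched to a listed element
    return covered, review
```

Lines returned in the second list (here the `hostname`, `aaa`, `ssh`, `logging` and `snmp-server` commands) are the ones to recreate or verify on the FDM-managed device after the template is applied.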

See Migrating an ASA to an FDM-Managed Device Using Cisco Defense Orchestrator for a full explanation of the process of migrating an ASA to an FDM-managed device using CDO.