Supported Features

Handling Shared Policies and Objects

When the migration process begins, the shared policies and the objects associated with the threat defense devices are imported first, followed by the configuration of each device.

The following shared policies are imported to CDO after changing the manager on threat defense devices:

  • Access control

  • IPS

  • SSL

  • Prefilter

  • NAT

  • QoS

  • Identity

  • Platform settings

  • Flex config

  • Network analysis

  • DNS

  • Malware & file

  • Health

  • Remote Access VPN

  • Site-to-Site VPN

If a policy or object in CDO has the same name as a policy or object imported from the on-prem management center, CDO takes the following actions after the manager change completes successfully.

  • Policies: Access control, SSL, IPS, Prefilter, NAT, QoS, Identity, Platform settings, Network analysis, DNS, Malware & File

    Condition: The name of the cloud-delivered Firewall Management Center policy matches the name of the on-prem management center policy.

    Action: The cloud-delivered Firewall Management Center policy is used instead of the policy imported from the on-prem management center.

  • Policies: RA VPN default group policy (DfltGrpPolicy)

    Condition: Always applies; the default group policy exists in both managers.

    Action: The default group policy DfltGrpPolicy from the on-prem management center is ignored. The existing cloud-delivered Firewall Management Center default group policy DfltGrpPolicy is used instead.

  • Objects: Network and port objects

    Condition: The name and content of the network or port object in the cloud-delivered Firewall Management Center match those of the object in the on-prem management center.

    Action: The existing cloud-delivered Firewall Management Center network or port object with the same name and content is used instead of the object imported from the on-prem management center.

    If the object has the same name but different content, an object override is created. See Object Overrides. Review these overrides after migration to confirm that each device resolves the object to the content you intend.

  • Objects: All other objects

    Condition: The name of the cloud-delivered Firewall Management Center object matches the name of the on-prem management center object.

    Action: The existing cloud-delivered Firewall Management Center object is used instead of the object imported from the on-prem management center.

Any Syslog alert object that is associated with the access control policy is imported into CDO.

Migration Support for Threat Defense in a High-Availability Pair

You can migrate a device in a high-availability pair to the cloud-delivered Firewall Management Center. Management of both the active and standby devices shifts to the cloud-delivered Firewall Management Center.

Important

We strongly recommend committing the manager change before performing any advanced operations from the management center on the devices being migrated, such as creating or breaking a high-availability pair.

Performing such tasks during the evaluation period is not supported and may cause the migration commit to fail.

Migration Support for Management Center in a High Availability Pair

You can migrate threat defense devices that are managed by an on-prem management center high availability pair to the cloud.

The on-prem management center can be onboarded to CDO using either SecureX or the credentials method with a Secure Device Connector (SDC). Always onboard the active management center, not the standby.

Note

If you have already onboarded a standalone management center and later configured it as a standby, delete the standby management center and onboard the active one.

Points to Remember:

  • SecureX Onboarding Method

    • Breaking high availability is not supported during the 14-day evaluation period. You can break high availability after the changes are committed, either manually or automatically at the end of the evaluation period.

    • High availability switchover is supported during the 14-day evaluation period.

  • Credentials Onboarding Method Using SDC

    • Neither breaking high availability nor a high availability switchover is supported during the 14-day evaluation period. You can perform these operations after the changes are committed, either manually or automatically at the end of the evaluation period.

    • After a switchover, onboard the new active unit, which was previously in standby mode, and then start a migration job on the devices.

Migration Support for Threat Defense Cluster

Migration of a threat defense cluster from the on-prem management center to the cloud-delivered Firewall Management Center is supported provided that the threat defense devices and the on-prem management center meet the minimum versions listed below for the platform.

Secure Firewall Threat Defense Platform    Minimum Threat Defense Version for Cluster Migration    Minimum On-Prem Management Center Version for Cluster Migration
VMware, KVM                                7.2.1                                                   7.4.1
AWS, GCP                                   7.2.1                                                   7.4.1
Azure                                      7.3                                                     7.4.1
Secure Firewall 3100                       7.2.1                                                   7.4.1
Firepower 4100                             7.0.6                                                   7.4.1
Secure Firewall 4200                       7.4                                                     7.4.1
Firepower 9300                             7.0.6                                                   7.4.1

Important

Before migrating a threat defense cluster, keep the following points in mind:

  • Do not attempt to migrate the cluster while any clustering-related operation initiated from the on-prem management center is in progress.

  • After the cluster migration, commit the manager change manually before carrying out any advanced operations on the cluster from the on-prem management center, such as adding a node, breaking a node, or breaking the cluster. Performing such tasks during the evaluation period is not supported and may cause the migration commit to fail.