Unsupported Features

Migration of a threat defense device that is registered with the management center for analytics only is not currently supported.

The following configurations are not imported from the management center to CDO as part of migration:

  • Custom Widgets, Application Detectors, Correlation, SNMP and Email Alerts, Scanners, Groups, Dynamic Access Policy, Custom AMP Configuration, Users, Domains, Scheduled Deployment Tasks, ISE configuration, Scheduled GeoDB Updates, Threat Intelligence Director configuration, Dynamic Analysis Connections.

  • The ISE internal certificate object is not imported as part of the migration. You must export a new system certificate or a certificate and its associated private key from ISE and import it into CDO.

Secure Firewall Recommended Rules

Migrating threat defense to the cloud migrates the rule recommendations that are already associated with any of the intrusion policies. However, after migration the cloud-delivered Firewall Management Center does not allow you to generate new rule recommendations or automatically update the migrated recommendations, because it does not support rule recommendations. See Auto Cisco Recommended Rules.

Custom Network Analysis

If the device is associated with a custom network analysis policy (NAP), you must remove all references to this policy from the on-premises management center before migration.

  1. Log on to the on-premises management center.

  2. Choose Policies > Access Control.

  3. Click the edit icon on the access control policy from which you want to disassociate the custom NAP, and then click the Advanced tab.

  4. In the Network Analysis and Intrusion Policies area, click the edit icon.

  5. In the Default Network Analysis Policy list, select a system-provided policy.

  6. Click OK.

  7. Click Save to save the changes and then click Deploy to download the changes to the device.

After migration, you can manually create the Network Analysis Policy in CDO.