Unsupported Features

The following migration features are not currently supported:

  • Migrate a threat defense device part of a cluster.


    You can onboard already-clustered devices that have been configured to be managed by cloud-delivered Firewall Management Center. You can also cluster standalone devices after onboarding them to cloud-delivered Firewall Management Center.

  • Migrate a threat defense device registered only for analytics-only with the management center.

The following configuration are not imported from the management center to CDO as part of migration:

  • Custom Widgets, Application Detectors, Correlation, SNMP and Email Alerts, Scanners, Groups, Dynamic Access Policy, Custom AMP Configuration, Users, Domains, Scheduled Deployment Tasks, ISE configuration, Scheduled GeoDB Updates, Threat Intelligence Director configuration, Dynamic Analysis Connections.

  • ISE internal certificate object is not imported as part of the migration. You must export a new system certificate or a certificate and its associated private key from ISE and import it into CDO.

Secure Firewall Recommended Rules

Migrating threat defense to the cloud mirates the rule recommendations that are already associated with any of the intrusion policies. However, the cloud-delivered Firewall Management Center does not allow the generation of new rule recommendations or auto-update the already migrated recommendations post migration. This is because the cloud-delivered Firewall Management Center does not support rule recommendations. See Auto Cisco Recommended Rules.

Custom Network Analysis

If the device is associated with a custom network analysis policy, you must remove all references to this policy from the on premise before migration.

  1. Log on to the on premise management center.

  2. Choose Policies > Access Control.

  3. Click the edit icon on the access control policy you want to disassociate the custom NAP and then click the Advanced tab.

  4. In the Network Analysis and Intrusion Policies area, click the edit icon.

  5. In the Default Network Analysis Policy list, select a system-provided policy.

  6. Click OK.

  7. Click Save to save the changes and then click Deploy to download the changes to the device.

After migration, you can manually create the Network Analysis Policy in CDO.