Before You Begin Migration

Before you begin the process, ensure that the following prerequisites are met:

  • A provisioned CDO tenant is registered with a Smart License.

  • DNS Server Configuration:

    The threat defenses must have correct DNS server configuration to resolve cloud-delivered Firewall Management Center hostnames. To check device connectivity with cloud-delivered Firewall Management Center, see Check device connectivity with cloud-delivered Firewall Management Center.

  • Network Access:

    The required network access is enabled for the threat defenses to reach cloud-delivered Firewall Management Center over TCP port 8305. Outbound connectivity from the threat defenses to cloud-delivered Firewall Management Center is sufficient; no inbound rule is required.

  • Threat Defense Outbound Port 443:

    The threat defenses must have outbound port 443 open to reach the cloud so that the CDO event viewer can be used.

  • On-Prem Management Center Outbound Port 443:

    The on-prem management center must have outbound port 443 open to access the “*.cdo.cisco.com” domain.

  • The on-prem management center is onboarded to CDO. Onboarding the on-prem management center also onboards all the threat defense devices registered to that on-prem management center. See Onboard an On-Prem FMC.

    Note

    Create a new user in the on-prem management center with the Administrator role, or a custom user role with the "Devices" and "System" permissions, for onboarding purposes.

    Caution

    If you onboard an on-prem management center to CDO and simultaneously sign in to that on-prem management center with the same user name, the onboarding fails.

  • For the on-prem management center 1000/2500/4500 migration:

  • The threat defense devices must be synchronized and not have pending changes on them. The migration fails on a device if CDO identifies pending changes on that device.

  • All peer devices in a site-to-site VPN topology must be online and have no pending deployment.

  • The on-prem management center must allow outbound HTTP/HTTPS so that it can upload configurations to Amazon S3.

  • CDO imports the Syslog alert objects used in the access control policy from the on-prem management center. If CDO already contains an alert object with the same name but a different type (SNMP, Email), that existing object is reused during the configuration import.

    Check whether any Syslog alert object name matches an existing SNMP or Email alert object in CDO. If a name matches, rename the Syslog object in the on-prem management center before starting the migration process.

  • If you migrate firewalls whose system-defined FlexConfig text objects have been modified from an on-prem management center to the cloud-delivered Firewall Management Center, the modified values of those objects are not migrated, and the deployment fails.

    To avoid this, perform these tasks before you start the migration:

    • Copy the modified system-defined FlexConfig text object values from the on-prem management center to the cloud-delivered Firewall Management Center.

    • Verify the predefined FlexConfig text objects in the cloud-delivered Firewall Management Center, and only then initiate the migration from the on-prem management center.
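The prerequisites above reduce to a few checks an operator can script before opening the migration wizard: that the cloud-delivered Firewall Management Center hostnames resolve, that TCP 8305 and 443 are reachable outbound, that an allow rule for 443 really covers the "*.cdo.cisco.com" domain, and that no Syslog alert object name collides with an SNMP or Email alert object already in CDO. The following Python script is an added example and is not part of Cisco's CDO or management center tooling. It assumes it runs on a host that shares the threat defenses' DNS configuration and egress path; the hostnames it is given are placeholders to be replaced with the cloud-delivered Firewall Management Center hostnames shown in CDO, and the alert objects in the `__main__` block are constructed sample data. The `open_local_listener()` helper exists only so the port check can be exercised offline.

```python
# Added pre-migration check script (not Cisco's own tooling). Assumes the host
# it runs on shares the threat defenses' DNS settings and egress path; the
# hostnames passed on the command line are placeholders.
import socket
import sys
from fnmatch import fnmatch

CDO_DOMAIN_PATTERN = "*.cdo.cisco.com"  # domain the on-prem center needs on 443
CLOUD_FMC_PORT = 8305                  # management connection from threat defenses
CLOUD_EVENT_PORT = 443                 # event viewer and *.cdo.cisco.com access


def resolve(hostname):
    """Return the sorted set of addresses for hostname, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout.
    Only outbound connectivity is tested, which is all the migration needs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def in_cdo_domain(hostname, pattern=CDO_DOMAIN_PATTERN):
    """Wildcard match a hostname against the domain the 443 allow rule covers."""
    return fnmatch(hostname.lower(), pattern)


def syslog_alert_conflicts(onprem_syslog_names, cdo_alerts):
    """Names of on-prem Syslog alert objects that collide with a CDO alert
    object of a different type (SNMP, Email); rename these before migrating."""
    cdo_types = {alert["name"]: alert["type"] for alert in cdo_alerts}
    return sorted(name for name in onprem_syslog_names
                  if name in cdo_types and cdo_types[name] != "Syslog")


def open_local_listener():
    """Throwaway listener on 127.0.0.1 so tcp_reachable() can be exercised
    offline; returns (server_socket, port). Close the socket when done."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    return server, server.getsockname()[1]


def preflight(hostname, ports=(CLOUD_FMC_PORT, CLOUD_EVENT_PORT)):
    """Run the DNS and outbound port checks for one hostname."""
    addresses = resolve(hostname)
    result = {"hostname": hostname, "addresses": addresses, "ports": {}}
    for port in ports:
        # A port is only marked reachable if the name resolved first.
        result["ports"][port] = bool(addresses) and tcp_reachable(hostname, port)
    return result


if __name__ == "__main__":
    # Constructed sample alert objects: one genuine name collision (Email).
    onprem_syslog = ["Syslog_SOC", "Alert_Main"]
    cdo_objects = [{"name": "Alert_Main", "type": "Email"},
                   {"name": "Syslog_SOC", "type": "Syslog"}]
    for name in syslog_alert_conflicts(onprem_syslog, cdo_objects):
        print(f"rename Syslog alert object before migration: {name}")
    for host in sys.argv[1:] or ["CLOUD_FMC_HOSTNAME_PLACEHOLDER"]:
        res = preflight(host)
        print(res["hostname"], res["addresses"] or "DNS FAILED", res["ports"])
```

Run it as `python3 preflight.py <cloud-fmc-hostname>` from a host on the same network path as the threat defenses; a hostname that prints "DNS FAILED" points at the DNS server configuration prerequisite, while a resolved name with port 8305 reported False points at the network access prerequisite.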

High Availability Failover Link Must Be Up

The high availability failover link should be up for a successful migration. Before initiating the migration process on CDO, determine the health status of the failover link on the on-prem management center.

  1. Identify the failover interfaces of all HA pairs you want to migrate to cloud-delivered Firewall Management Center.

    1. Choose Devices > Device Management.

    2. Next to the device high-availability pair you want to edit, click the Edit icon.

    3. Click the High Availability tab.

    4. In the High Availability Link area, the Interface field shows the failover interface used in the pair.

    5. Identify the interfaces used for failover communication if there are multiple HA pairs for migration.

  2. Check the health status of the failover interfaces.

    1. Choose Devices > Device Management.

    2. Next to the device high-availability pair you want, click Health Monitor.

    3. In the left pane, expand the high availability pair to see the threat defense devices.

    4. Click the device marked with the exclamation mark icon.

    5. Click the Critical button at the top.

      The Interface Status shows the errors associated with interfaces.

    6. If the failover interface is down, the message Interface 'failover_interfacename' has no link is displayed.

      Note

      You can still migrate the HA pair to cloud-delivered Firewall Management Center if the reported issues concern other data interfaces; only the failover interface must be up.

    7. Rectify the issue and click Sync from onprem fmc now to obtain the latest changes on the device.