Migrate Threat Defense to Cloud-delivered Firewall Management Center


Step 1

In the navigation bar on the left, choose Tools & Services > Migrations > Migrate FTD to cdFMC.

Step 2

Click and choose On-Prem FMC-managed FTD to cdFMC.

You can initiate only one migration job at one time.

Step 3

In the Select OnPrem FMC area, perform the following:

  1. You can click the Onboard an FMC link to onboard the on-prem management center if you have not done already. See Onboard an FMC.

  2. Select the on-prem management center from the available list and click Next.

In the Select Devices step, you will see the threat defense devices that the selected on-prem management center manages. If a high-availability pair is set up on the on-premise on-prem management center, the high availability node will be shown instead of the active and standby devices.

The Last Synced time field indicates the time that is elapsed since the device configuration is synchronized into the on-prem management center. You can click Sync from OnPrem FMC Now to fetch the latest device changes.

Step 4

In the Select Devices step, perform the following:

  1. Select the devices that you want to migrate.

    These devices can include standalone, high-availability pairs, or clusters. If you have a high-availability pair or a cluster, select the node that represents it. Also, you can hover your mouse pointer over the cluster to view more details about the control node.

    • The devices running on unsupported versions are not available for selection.

    • The devices that are registered for analytics only with the on-prem management center or have pending changes to be deployed are not eligible for migration.

    • When you select a device that is associated with a site-to-site VPN topology, CDO automatically selects its peer devices belonging to either the same topology or a different topology, because all devices in the site-to-site VPN topology must be migrated together for a successful migration to take place. The wizard does not list the extranet devices, if any. However, CDO migrates extranet devices.

      The S2S VPN Topology column indicates the number of site-to-site VPN topologies in which a selected device participates. You click the topology link to view the topologies and devices that are migrated along with the selected device. This field is not applicable to devices that are not part of the site-to-site VPN topology.

    • A high availability pair is presented as a single node. You must select this node to include active and standby devices in the migration.

  2. In the Multi-Device Action list, you can choose a common action to apply on all devices.

  3. In the Commit Action column, you can choose one of the following actions for the selected device:

    • Retain on OnPrem FMC for Analytics: After the migration process is completed, the analytics management for selected threat defense devices is retained on the on-prem management center.

    • Delete FTD from OnPrem FMC: After the migration process is completed, the selected devices are removed from the on-prem management center and are available for CDO to handle the analytics. You must configure the devices to send events to CDO for managing analytics. When the devices are deleted from the on-prem management center, they cannot be revoked.


      For the on-prem management center 1000/2500/4500, when you select devices to migrate, make sure you choose Delete FTD from OnPrem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.


The actions that are specified here are committed automatically after the 14 days evaluation period or after the changes are committed manually.

Step 5

(Optional) Check the Pause migration to review imported shared policies check box.

When you enable this option, the migration process will pause after the shared access policies like Access Control and NAT policies are staged in the cloud-delivered Firewall Management Center. This pause ensures that the evaluation doesn't start and that the device's current state and manager remain unaffected. It gives you ample time to review the imported configuration for accuracy. After you've assessed everything, you can resume the migration during the planned migration interval, which will then kick off the 15-day evaluation period.

Step 6

Check the Auto deploy to FTDs after successful migration check box to deploy the migrated configuration automatically to the device after successfully migrating and registering the device with the cloud-delivered Firewall Management Center.

However, if you prefer to review and manually deploy the configuration from the cloud-delivered Firewall Management Center after successful migration, you can uncheck this option and proceed to the next step.

Step 7

Click Migrate FTD to cdFMC.

Step 8

Click View Migration to Cloud Progress to see the progress.

What to do next

If you have paused the migration for review, you must manually click Proceed Migration to import the remaining configuration. See Proceed Migration Process.

You can view the overall and individual status of migration jobs and generate a report when a job is completed successfully. See View a Threat Defense Migration Job.