Migration Procedure

Before you begin

Before you begin the process, ensure that the following prerequisites are met:

  • A provisioned CDO tenant.

  • CDO is registered with Smart License.

  • The management center is onboarded to CDO. Onboarding the management center also onboards all the threat defense devices registered to that management center. See Onboard an FMC.

    Note

    Create a new user in the management center with Administrator role or a custom user role with "Devices" and "System" permissions for onboarding purposes.

    Caution

    If you onboard an on-prem management center to CDO and simultaneously sign in to that on-prem management center with the same user name, the onboarding fails.

  • The threat defense devices must be synchronized and have no pending changes on them. The migration job fails on a device if CDO identifies pending changes on that device.

  • The management center should allow outbound HTTP/HTTPS traffic so that it can upload configurations to Amazon S3.

  • CDO imports the Syslog alert objects used in the access control policy from the management center. If CDO already contains an alert object with the same name but a different type (SNMP, Email), the existing object is reused during configuration import.

    Check whether the Syslog object name matches an existing SNMP or Email alert object in CDO. If the name matches, you must rename the Syslog object in the on-prem management center before starting the migration process.

  • If you attempt to migrate firewalls with modified system-defined FlexConfig text objects from an on-prem management center to the cloud-delivered Firewall Management Center, the values of those modified objects are not migrated to the cloud-delivered Firewall Management Center, and the deployment will fail.

    To avoid this, perform these tasks before you start the migration:

    • Copy the modified system-defined FlexConfig text object values from the on-prem management center to the cloud-delivered Firewall Management Center before migration.

    • Initiate migration from the on-prem management center to the cloud-delivered Firewall Management Center after verifying the predefined FlexConfig text objects.

Procedure


Step 1

In the navigation bar on the left, click Tools & Services > Migrations > Migrate FTD to Cloud.

Step 2

Click icon to initiate the threat defense migration process.

Note
You can initiate only one migration job at a time.

Step 3

In the Select OnPrem FMC step, perform the following:

  1. If you have not already onboarded the on-prem management center, click the Onboard an FMC link to do so. See Onboard an FMC.

  2. Select the management center from the available list and click Next.

In the Select Devices step, you will see the threat defense devices that the selected management center manages.

The Last Synced time field indicates the time elapsed since the device configuration was last synchronized into the management center. You can click Sync from OnPrem FMC Now to fetch the latest device changes.

Step 4

In the Select Devices step, perform the following:

  1. Select the devices you want to migrate.

    Note
    • Devices running unsupported versions are not available for selection.

    • Devices that are registered with the management center for analytics only, or that have pending changes to be deployed, are not eligible for migration.

    • CDO allows the selection of only the active device in a high availability pair. After the active device's manager is changed successfully, CDO automatically changes the standby device's manager and retains the high availability configuration on the devices.

  2. In the Multi-Device Action list, you can choose a common action to apply on all devices.

  3. In the Commit Action column, you can choose one of the following actions for the selected device:

    • Retain on OnPrem FMC for Analytics: After the migration process is completed, the analytics management for selected threat defense devices is retained on the management center.

    • Delete FTD from OnPrem FMC: After the migration process is completed, the selected devices are removed from the management center and are available for CDO to handle the analytics. You must configure the devices to send events to CDO for managing analytics. Once the devices are deleted from the management center, they cannot be revoked.

      Note

      The device is not deleted from the management center unless the changes are committed, either automatically or manually.

Note

The actions specified here are committed automatically after the 14-day evaluation period, or when the changes are committed manually.

Step 5

Click Migrate FTD to Cloud.

Step 6

Click View Migration to Cloud Progress to see the progress of your job.


What to do next

You can view the overall and individual status of migration jobs and generate a report when a job is completed successfully. See View Threat Defense Migration Jobs.