Migrating ASA Firewall to Firepower Threat Defense with the

Firepower Migration Tool

First Published: 2018-07-16
Last Modified: 2020-08-20

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2020 Cisco Systems, Inc. All rights reserved.
 CONTENTS

CHAPTER 1 About the Firepower Migration Tool 1

About the Firepower Migration Tool 1

History of the Firepower Migration Tool 4
Licensing for the Firepower Migration Tool 8
Cisco Success Network 8
Related Documentation 9

CHAPTER 2 Prepare for Migration 11

Guidelines and Limitations for the Firepower Migration Tool 11

Guidelines and Limitations for ASA Configurations 13
Objects in ASA and Firepower Threat Defense 17
Guidelines and Limitations for Firepower Threat Defense Devices 18
Supported Platforms for Migration 19
Supported Software Versions for Migration 21
Platform Requirements for the Firepower Migration Tool 22

CHAPTER 3 Run the Firepower Migration Tool 23

Download the Firepower Migration Tool from Cisco.com 23

Obtain the ASA Configuration File 24
Export the ASA Configuration File 24
Launch the Firepower Migration Tool 25
Upload the ASA Configuration File 27
Connect to the ASA from the Firepower Migration Tool 27
Specify Destination Parameters for the Firepower Migration Tool 29
Inline Grouping 32
Review the Pre-Migration Report 33

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
iii
 Contents

Map ASA Configurations with Firepower Threat Defense Interfaces 34

Map ASA Interfaces to Security Zones and Interface Groups 35
Review and Validate the Configuration to be Migrated 37
Push the Migrated Configuration to Firepower Management Center 40
Review the Post-Migration Report and Complete the Migration 41
Uninstall the Firepower Migration Tool 44

CHAPTER 4 Troubleshooting Migration Issues 45

About Troubleshooting for the Firepower Migration Tool 45

Logs and Other Files Used for Troubleshooting 46
Troubleshooting ASA File Upload Failures 46
Troubleshooting Example for ASA: Cannot Find Member of Object Group 46
Troubleshooting Example for ASA: List Index Out of Range 47

CHAPTER 5 Migration Tool FAQs 49

Firepower Migration Tool Frequently Asked Questions 49

APPENDIX A Cisco Success Network-Telemetry Data 53

Cisco Success Network-Telemetry Data 53

APPENDIX B Migrating ASA to Firepower Threat Defense 2100 - An Example 59

Migrating ASA to Firepower Threat Defense 2100 - An Example 59
Perform the Following Tasks Before the Maintenance Window 59
Perform the Following Tasks During the Maintenance Window 60

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
iv
 CHAPTER 1
About the Firepower Migration Tool
• About the Firepower Migration Tool, on page 1
• History of the Firepower Migration Tool, on page 4
• Licensing for the Firepower Migration Tool, on page 8
• Cisco Success Network, on page 8
• Related Documentation, on page 9

About the Firepower Migration Tool

Documentation
All the information in this book Migrating ASA to Firepower Threat Defense with the Firepower Migration
Tool refers to the most recent version of Firepower Migration Tool. Follow the instructions in Download the
Firepower Migration Tool from Cisco.com to download the most recent version of the Firepower Migration
Tool.
This book covers information about the Firepower Migration Tool, right from downloading the Firepower
Migration Tool to completing the migration. It also provides troubleshooting tips to help you overcome
migration issues. To facilitate better understanding on the end-to-end migration process, this book provides
a sample migration procedure using Firepower 2100 series as an example target device. See Migrating ASA
to Firepower Threat Defense 2100 - An Example.

The Firepower Migration Tool

The Firepower Migration Tool (FMT) converts the supported ASA configuration to a supported Firepower
Threat Defense (FTD) platform. With the Firepower Migration Tool, you can automate the migration of
supported ASA features and policies. You may have to manually migrate the unsupported features.
The Firepower Migration Tool gathers the ASA information, parses it, and finally pushes it to Firepower
Management Center. During the parsing phase, the Firepower Migration Tool generates a Pre-Migration
Report that identifies the following:
• Cisco Adaptive Security Appliance (ASA) configuration items that are fully migrated, partially migrated,
unsupported for migration, and ignored for migration.
• ASA configuration lines with errors, lists the ASA CLIs that the Firepower Migration Tool cannot
recognize; this blocks migration.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
1
 About the Firepower Migration Tool
About the Firepower Migration Tool

If there are parsing errors, you can rectify the issues, reupload a new configuration, connect to the destination
device, map the ASA interfaces to FTD interfaces, map security zones and interface groups, and proceed to
review and validate your configuration. You can then migrate the configuration to the destination device.
The Firepower Migration Tool saves your progress and allows you to resume migration at two stages during
the migration process:
• Post successful completion of parsing the ASA configuration file

Note If there is parsing error or you exit before parsing, the Firepower Migration Tool
requires you to redo the activity from the beginning.

• Review and Validate page

Note If you exit the Firepower Migration Tool at this stage and relaunch, it displays
the Review and Validate page.

Console
The console opens when you launch the Firepower Migration Tool. The console provides detailed information
about the progress of each step in the Firepower Migration Tool. The contents of the console are also written
to the Firepower Migration Tool log file.
The console must stay open while the Firepower Migration Tool is open and running.

Important When you exit the Firepower Migration Tool by closing the browser on which the web interface is running,
the console continues to run in the background. To completely exit the Firepower Migration Tool, exit the
console by pressing the Command key + C on the keyboard.

Logs
The Firepower Migration Tool creates a log of each migration. The logs include details of what occurs at each
step of the migration and can help you determine the cause if a migration fails.
You can find the log files for the Firepower Migration Tool in the following location:
<migration_tool_folder>\logs

Resources
The Firepower Migration Tool saves a copy of the Pre-Migration Reports, Post-Migration Reports, ASA
configs, and logs in the resources folder.
You can find the resources folder in the following location:
<migration_tool_folder>\resources

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
2
About the Firepower Migration Tool
About the Firepower Migration Tool

Unparsed File
The Firepower Migration Tool logs information about the configuration lines that it ignored in the unparsed
file. This Firepower Migration Tool creates this file when it parses the ASA configuration file.
You can find the unparsed file in the following location: <migration_tool_folder>\resources

Search in the Firepower Migration Tool

You can search for items in the tables that are displayed in the Firepower Migration Tool, such as those on
the Review and Validate page.

To search for an item in any column or row of the table, click the Search ( ) above the table and enter the
search term in the field. The Firepower Migration Tool filters the table rows and displays only those that
contain the search term.
To search for an item in a single column, enter the search term in the Search field that is provided in the
column heading. The Firepower Migration Tool filters the table rows and displays only those that match the
search term.

Ports
The Firepower Migration Tool supports telemetry when run on one of these 12 ports: ports 8321-8331 and
port 8888. By default, Firepower Migration Tool uses port 8888. To change the port, update port information
in the app_config file. After updating, ensure to relaunch the Firepower Migration Tool for the port change
to take effect. You can find the app_config file in the following location:
<migration_tool_folder>\app_config.txt.

Note We recommend that you use ports 8321-8331 and port 8888, as telemetry is only supported on these ports. If
you enable Cisco Success Network, you cannot use any other port for the Firepower Migration Tool.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
3
 About the Firepower Migration Tool
History of the Firepower Migration Tool

History of the Firepower Migration Tool

Version Supported Features

2.2 • The Firepower Migration Tool allows you to migrate the following ASA
configuration elements to Firepower Threat Defense:
• IP SLA Monitor—The Firepower Migration Tool creates IP SLA
Objects, maps the objects with the specific static routes, and migrates
the objects to FMC. Verify the IP SLA Monitor objects against the
rules in the Review and Validate Configuration page.
• Object Group Search—The new Object Group Search functionality
in the Firepower Migration Tool allows you to optimize memory
utilization by access policy on FTD.
• Time-based objects—When the Firepower Migration Tool detects
Time-based objects that are referenced with access-rules, the
Firepower Migration Tool migrates the Time-based objects and maps
them with respective access-rules. Verify the objects against the rules
in the Review and Validate Configuration page.
Note Time-based objects are supported on FMC version 6.6
and above.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
4
About the Firepower Migration Tool
History of the Firepower Migration Tool

Version Supported Features

2.0 • The Firepower Migration Tool supports the following access control
features during migration:
• Populate Destination Security Zones—Enables mapping of destination
zones for the ACL during migration.
• Migrate Tunneled rules as Prefilter—Mapping of ASA encapsulated
tunnel protocol rules to Prefilter tunnel rules.

• You can manually map interface groups and security zones. For more
information, see Map ASA Interfaces to Security Zones and Interface
Groups.
• Policy Capacity and Limit Warning support—The Firepower Migration
Tool compares the ACE count for the migrated rules with the supported
ACE limit on the target FTD platform. It also displays an indicator and a
warning message if the total count of migrated ACEs exceeds the threshold
or if it approaches the threshold of the supported limit of the target device.
• Provides support for ACL rule categories of CSM managed configuration.
• When the source config is ASA 5505, the device-specific configs (Interface
and routes) and shared policies (NAT, ACLs, and Objects) can be migrated
only when the supported Target FTD platform is Firepower 1010 with
Firepower Management Center (FMC) version 6.5 or later.
Note You can select only FPR-1010 from the Select Device
drop-down list.
Note If the target FTD is not FPR-1010 or the target Firepower
Management Center (FMC) is before 6.5, ASA 5505 migration
support is applicable for shared policies only. Device specifics
will not be migrated.
Note L2 switch mode capability is enabled on FPR-1010 from FTD
and FMC version 6.5. To migrate ASA 5505 configuration
(device-specific configs and shared policies) to FPR-1010,
ensure that the FTD and FMC version is 6.5 or later.
Note ASA-SM migration support is for shared policies only. Device
specifics will not be migrated.
• The new optimization functionality in the Firepower Migration Tool
allows you to fetch the migration results quickly using the Search filters.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
5
 About the Firepower Migration Tool
History of the Firepower Migration Tool

Version Supported Features

1.3 • The Firepower Migration Tool allows you to connect to an ASA using
the admin credentials and Enable Password as configured on the ASA.
If ASA is not configured with Enable Password, you can leave the field
blank on the Firepower Migration Tool.
• You can now configure the batch size limit for Bulk Push in the
app_config file as follows:
• For Objects, the batch size cannot exceed 500. The Firepower
Migration Tool resets the value to 50 and proceeds with the bulk
push.
• For ACLs, Routes, and NAT, the batch size cannot exceed 1000
each. The Firepower Migration Tool resets the value to 1000 and
proceeds with the bulk push.

• The Firepower Migration Tool allows you to parse the CSM or ASDM
managed configurations.
When you opt to clear the inline grouping or ASDM managed
configurations, the predefined objects are replaced with the actual object
or member name.
If you do not clear the CSM or ASDM managed configurations, the
predefined object names will be retained for migration.
• Provides customer support to download log files, dB, and configuration
files during a migration failure. You can also raise a support case with
the technical team through an email.
• Support for migration of IPv6 configurations in Objects, Interfaces, ACL,
NAT, and Routes.
• The Firepower Migration Tool allows you to map an ASA interface name
to a physical interface on the FTD object types—Physical interfaces, port
channel, and subinterfaces. For example, you can map a port channel in
ASA to a physical interface in FMC.
• The Firepower Migration Tool provides support to skip migration of the
selected NAT rules and Route interfaces. The previous versions of the
Firepower Migration Tool provided this option for Access Control rules
only.
• You can download the parsed Access Control, NAT, Network Objects,
Port Objects, Interface, and Routes configuration items from the Review
and Validate Configuration screen in an excel or CSV format.
Note You cannot import a CSV file.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
6
About the Firepower Migration Tool
History of the Firepower Migration Tool

Version Supported Features

1.2 • Supports migration to Firepower Management Center 6.3

• Supports migration of IPv4 FQDN Objects and Groups
• Supports the show tech-support command in the manual upload method
for Multiple-Context ASA
• Supports migration to the container type FTD(MI) registered on FMC.
• Rule Action Mapping Support (Allow, Trust, Monitor, Block, or Block
with Reset) on the migrated access control rules in the Access Control
table.
• Version check for Firepower Migration Tool to ensure that you are using
the most recent version of the Firepower Migration Tool.

1.1 • Bulk push for objects, NAT, static routes significantly reduces the time
that is taken to push the configuration to a Firepower Management Center.
• Extracting configuration from a production ASA
• Selective feature migration (shared policy and device-specific policy)
• Rule optimization
• Map migrating ASA Access Control Rules to a list of configured Intrusion
Prevention System and File Policies on the Firepower Management Center.
• Migrate only those objects that are referenced in policies. This optimizes
migration times and cleans out unused objects during configuration.
• Migration support for running-configor sh run from one of Data Contexts
of ASA running in multiple-context mode.
• Support on macOS version 10.13 and higher
• Support to modify logging actions (enable or disable, logging at beginning
or end) for migrated Access Control Rules.
• Migration to Firepower Threat Defense devices configured within domains
on the Firepower Management Center
• Bulk edits capability for object names.
• Telemetry support with Cisco Success Network

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
7
 About the Firepower Migration Tool
Licensing for the Firepower Migration Tool

Version Supported Features

1.0 • Validation throughout the migration, including parse and push operations.
• Object re-use capability
• Object conflict resolution
• Interface mapping
• Autocreation or reuse of interface objects (ASA name if to the security
zone and interface group mapping)
• Support for a bulk migration of ACLs

Licensing for the Firepower Migration Tool

The Firepower Migration Tool application is free and does not require license. However, the Firepower
Management Center must have the required licenses for the related Firepower Threat Defense features for
successfully registering the Firepower Threat Defense and deploying policies to it.

Cisco Success Network

Cisco Success Network is user-enabled cloud service. When you enable Cisco Success Network, a secure
connection is established between the Firepower Migration Tool and the Cisco cloud to stream usage
information and statistics. Streaming telemetry provides a mechanism to select data of interest from the
Firepower Migration Tool and to transmit it in structured format to remote management stations for the
following benefits:
• To inform you of available unused features that can improve the effectiveness of the product in your
network.
• To inform you of more technical support services and monitoring that is available for your product.
• To help Cisco improve our products.

The Firepower Migration Tool establishes and maintains the secure connection always, and allows you to
enroll in the Cisco Success Network. You can turn off this connection at any time by disabling Cisco Success
Network, which disconnects the device from the Cisco Success Network cloud.

Enabling and Disabling Cisco Success Network

You enable Cisco Success Network when you agree to share information with Cisco Success Network on the
Firepower Migration Tool's End User License Agreement page. For more information, see Launch the
Firepower Migration Tool, on page 25. For each migration, you can enable or disable Cisco Success Network
from the Settings button in the Firepower Migration Tool. For more information on specific telemetry data
shared with the Cisco Success Network, see Cisco Success Network-Telemetry Data, on page 53.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
8
 About the Firepower Migration Tool
Related Documentation

Related Documentation
This section summarizes the Firepower Migration Tool related documentation.
• Migrating Certificates from ASA to Firepower Threat Defense—Describes the procedure to migrate
Identity (ID) and Certificate Authority (CA) Certificates from Cisco ASA to a FTD device.
• Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv1 with Certificates—Describes
the procedure to migrate site-to-site IKEv1 VPN tunnels, using certificates (rsa-sig) as a method of
authentication, from the existing Cisco ASA to FTD, managed by FMC.
• Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv2 with Certificates—Describes
the procedure to migrate site-to-site IKEv2 VPN tunnels, using certificates (rsa-sig) as a method of
authentication, from the existing ASA to FTD, managed by FMC.
• Migrating ASA to Firepower Threat Defense Dynamic Crypto Map Based Site-to-Site Tunnel on
FTD—Describes the procedure to migrate a Dynamic Crypto Map based site-to-site VPN tunnels (with
IKEv1 or IKEv2), using pre-shared key and certificate as a method of authentication, from the existing
ASA to FTD, managed by FMC.
• Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv1 with Pre-Shared Key
Authentication—Describes the procedure to migrate Site-to-Site IKEv1 VPN tunnels, using pre-shared
key (PSK) as a method of authentication, from the existing ASA to FTD, managed by FMC.
• Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv2 with Pre-Shared Key
Authentication—Describes the procedure to migrate site-to-site IKEv2 VPN tunnels, using pre-shared
key (PSK) as a method of authentication, from the existing ASA to FTD, managed by FMC.
• Migrating ASA to Firepower Threat Defense Platform Settings—Describes the steps to migrate the
platform setting configuration of ASA to Firepower Threat Defense (FTD) devices.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
9
 About the Firepower Migration Tool
Related Documentation

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
10
 CHAPTER 2
Prepare for Migration
• Guidelines and Limitations for the Firepower Migration Tool, on page 11
• Guidelines and Limitations for ASA Configurations, on page 13
• Guidelines and Limitations for Firepower Threat Defense Devices, on page 18
• Supported Platforms for Migration, on page 19
• Supported Software Versions for Migration, on page 21
• Platform Requirements for the Firepower Migration Tool, on page 22

Guidelines and Limitations for the Firepower Migration Tool

Before you migrate a ASA configuration, consider the following guidelines and limitations for the ASA
configuration, the Firepower Threat Defense device, and the Firepower Migration Tool.

ASA Configuration
Your ASA configuration must meet the following requirements:
• The ASA configuration that is supported for migration, as described in Supported Platforms for Migration,
on page 19.
• The ASA version that is supported for migration, as described in Supported Software Versions for
Migration, on page 21.

(Optional) Target Firepower Threat Defense Device

When you migrate to a Firepower Management Center, it may or may not have a target Firepower Threat
Defense device added to it.
You can migrate shared policies to a Firepower Management Center for future deployment to a Firepower
Threat Defense device. To migrate device-specific policies to a Firepower Threat Defense, you must add it
to the Firepower Management Center.
• Your target Firepower Threat Defense device must meet the following requirements:
• The device meets the guidelines for hardware devices, as described in Guidelines and Limitations
for Firepower Threat Defense Devices, on page 18
• The device that is supported as a target for migration, as described in Supported Platforms for
Migration, on page 19.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
11
 Prepare for Migration
Guidelines and Limitations for the Firepower Migration Tool

• The Firepower Threat Defense software version that is supported for migration, as described in
Supported Software Versions for Migration, on page 21.
• The Firepower Threat Defense device that is registered with Firepower Management Center.

Firepower Management Center

• The Firepower Management Center software version that is supported for migration, as described in
Supported Software Versions for Migration, on page 21.
• You have obtained and installed smart licenses for Firepower Threat Defense that include all features
that you plan to migrate from the ASA interface, as described in the following:
• The Getting Started section of Cisco Smart Accounts on Cisco.com.
• Register the Firepower Management Center with the Cisco Smart Software Manager.
• Licensing the Firepower System

• You have enabled Firepower Management Center for REST API.

Tip On the Firepower Management Center web interface, navigate to. System >
Configuration > Rest API Preferences > Enable Rest API and check the
Enable Rest API check box.

• You have created a dedicated user with REST API privileges in Firepower Management Center for the
Firepower Migration Tool, as described in User Accounts for Management Access.

Firepower Migration Tool

• Ensure that the machine that you use to run the Firepower Migration Tool meets the requirements, as
described in Platform Requirements for the Firepower Migration Tool, on page 22.
• The Firepower Migration Tool allows you to configure the batch size for bulk push within the following
limits:

Configuration Items Batch Size Limit Default Value

Objects 500 50

ACL 1000 1000

NAT 1000 1000

Routes 1000 1000

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
12
 Prepare for Migration
Guidelines and Limitations for ASA Configurations

Note For Objects, the batch size cannot exceed 500. The Firepower Migration Tool
resets the value to 50 and proceeds with the bulk push.
For ACLs, Routes, and NAT Rules, the batch size cannot exceed 1000 each. The
Firepower Migration Tool resets the value to 1000 and proceeds with the bulk
push.

You can configure the batch size limit in the app_config file that is located in:
<migration_tool_folder>\app_config.txt.

Note Restart the application for the changes to apply.

• After you start to push the configuration from the Firepower Migration Tool, do not make any changes
or updates to configurations in Firepower Management Center until the migration is complete.

ASA with FirePOWER Services

You cannot use the Firepower Migration Tool to migrate the FirePOWER Services module configuration of
an ASA with FirePOWER Services module.

Guidelines and Limitations for ASA Configurations

During conversion, the Firepower Migration Tool creates a one-to-one mapping for all supported objects and
rules, whether they are used in a rule or policy. The Firepower Migration Tool provides an optimization
feature, that allows you to exclude migration of unused objects (objects that are not referenced in any ACLs
and NATs).
The Firepower Migration Tool deals with unsupported objects and rules as follows:
• Unsupported objects, NAT rules, and routes are not migrated.
• Unsupported ACL rules are migrated as disabled rules into the Firepower Management Center.
• Outbound ACLs are unsupported and will not be migrated to FMC. If the source firewall has outbound
ACLs, it will be reported in the ignored section of the Pre-Migration Report.

ASA Configuration File

You can obtain an ASA configuration file either manually or by connecting to a live ASA from the Firepower
Migration Tool.
The ASA configuration file that you manually import into the Firepower Migration Tool must meet the
following requirements:
• Has a running configuration that is exported from an ASA device in a single mode configuration or
specific context of a multiple context mode configuration. See Export the ASA Configuration File, on
page 24.
• Includes the version number.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
13
 Prepare for Migration
Guidelines and Limitations for ASA Configurations

• Contains only valid ASA CLI configurations.

• Does not contain syntax errors.
• Has a file extension of .cfg or .txt.
• Uses a file encoding of UTF-8.
• Has not been hand coded or manually altered. If you modify the ASA configuration, we recommend that
you test the modified configuration file on the ASA device to ensure that it is a valid configuration.
• Does not contain the "--More--" keyword as text.

ASA Configuration Limitations

Migration of your source ASA configuration has the following limitations:
• The Firepower Migration Tool supports migrating individual security contexts from the ASA as separate
Firepower Threat Defense devices.
• The system configuration is not migrated.
• The Firepower Migration Tool does not support migration of a single ACL policy that is applied to over
50 interfaces. Manually migrate ACL policies that are applied to 50 or more interfaces.
• You cannot migrate some ASA configurations, such as Dynamic Routing and VPN, to Firepower Threat
Defense. Migrate these configurations manually.
• You cannot migrate ASA devices in routed mode with a bridge virtual interface (BVI), redundant interface,
or tunneled interface. However, you can migrate ASA devices in transparent mode with BVI.
• Nested service object-groups or port group are not supported on the Firepower Management Center. As
part of conversion, the Firepower Migration Tool expands the content of the referenced nested object-group
or port group.
• The Firepower Migration Tool splits the extended service object or groups with source and destination
ports that are in one line into different objects across multiple lines. References to such access control
rules are converted into Firepower Management Center rules with the exact same meaning.
• If the source ASA configuration has access control rules that do not refer to specific tunneling protocols
(like GRE, IP-in-IP and IPv6-in-IP), but these rules match unencrypted tunnel traffic on the ASA, then,
on migration to the Firepower Threat Defense, the corresponding rules will not behave in the same way
they do on the ASA. We recommend that you create specific tunnel rules for these in the Prefilter policy,
on the Firepower Threat Defense.

ASA Migration Guidelines

The Firepower Migration Tool uses best practices for Firepower Threat Defense configurations, including
the following:
• The migration of the ACL log option follows the best practices for Firepower Threat Defense. The log
option for a rule is enabled or disabled based on the source ASA configuration. For rules with an action
of deny, the Firepower Migration Tool configures logging at the beginning of the connection. If the
action is permit, the Firepower Migration Tool configures logging at the end of the connection.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
14
Prepare for Migration
Guidelines and Limitations for ASA Configurations

Supported ASA Configurations

The Firepower Migration Tool can fully migrate the following ASA configurations:
• Network objects and groups (except discontiguous masks)
• Service objects, except for those service objects configured for a source and destination

Note Though the Firepower Migration Tool does not migrate extended service objects
(configured for a source and destination), referenced ACL and NAT rules are
migrated with full functionality.

• Service object groups, except for nested service object groups

Note Since nesting is not supported on the Firepower Management Center, the
Firepower Migration Tool expands the content of the referenced rules. The rules
however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)
• Access rules that are applied to interfaces in the inbound direction and global ACL
• Auto NAT, Manual NAT, and object NAT (conditional)
• Static routes, ECMP routes which are not migrated
• Physical interfaces
• Secondary VLANs on ASA interfaces will not migrate to FTD.
• Subinterfaces (subinterface ID will always be set to the same number as the VLAN ID on migration)
• Port channels
• Bridge groups (transparent mode only)
• IP SLA Monitor
The Firepower Migration Tool creates IP SLA Objects, maps the objects with the specific static routes,
and migrates the objects to FMC.
IP SLA monitor defines a connectivity policy to a monitored IP address and tracks the availability of a
route to the IP address. The static routes are periodically checked for availability by sending ICMP echo
requests and waiting for the response. If the echo requests are timed-out, the static routes are removed
from the routing table and replaced with a backup route. SLA monitoring jobs start immediately after
deployment and continue to run unless, you remove the SLA monitor from the device configuration, that
is, they do not ageout. The IP SLA monitor objects are used in the Route Tracking field of an IPv4 static
route policy. IPv6 routes do not have the option to use SLA monitor through route tracking.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
15
 Prepare for Migration
Guidelines and Limitations for ASA Configurations

Note IP SLA Monitor is not supported for non-FTD flow.

• Object Group Search

Enabling object group search reduces memory requirements for access control policies that include
network objects. We recommend you to enable object group search that enhances optimal memory
utilization by access policy on FTD.

Note • Object Group Search is unavailable for FMC or FTD version earlier than
6.6.
• Object Group Search will not be supported for non-FTD flow and will be
disabled.

• Time-based objects
When the Firepower Migration Tool detects Time-based objects that are referenced with access-rules,
the Firepower Migration Tool migrates the Time-based objects and maps them with respective access-rules.
Verify the objects against the rules in the Review and Validate Configuration page.
Time-based objects are access-list types that allow network access on the basis of time period. It is useful
when you must place restrictions on outbound or inbound traffic on the basis of a particular time of the
day or particular days of a week.

Note • You must manually migrate timezone configuration from source ASA to
target FTD.
• Time-based object is not supported for non-FTD flow and will be disabled.
• Time-based objects are supported on FMC version 6.6 and above.

Partially Supported ASA Configurations

The Firepower Migration Tool partially supports the following ASA configurations for migration. Some of
these configurations include rules with advanced options that are migrated without those options. If Firepower
Management Center supports those advanced options, you can configure them manually after the migration
is complete.
• Access control policy rules that are configured with advanced logging settings, such as severity and
time-interval.
• Static routes that are configured with the track option.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
16
 Prepare for Migration
Objects in ASA and Firepower Threat Defense

Unsupported ASA Configurations

The Firepower Migration Tool does not support the following ASA configurations for migration. If these
configurations are supported in Firepower Management Center, you can configure them manually after the
migration is complete.
• SGT-based access control policy rules
• SGT-based objects
• User-based access control policy rules
• NAT rules that are configured with the block allocation option
• Objects with an unsupported ICMP type and code
• Tunneling protocol-based access control policy rules

Note Support with a prefilter on Firepower Migration Tool 2.0 and FMC 6.5.

• NAT rules that are configured with SCTP

• NAT rules that are configured with host ‘0.0.0.0’
• Default route obtained through DHCP or PPPoE with SLA tracking
• SLA monitor schedule

Objects in ASA and Firepower Threat Defense

An ASA configuration file contains the following objects that you can migrate to Firepower Threat Defense:
• Network objects
• Service objects, which are called port objects in Firepower Threat Defense
• IP SLA objects
• Time-based objects

ASA and Firepower Threat Defense have different configuration guidelines for objects. For example, one or
more objects can have the same name in ASA with one object name in lowercase and the other object name
in uppercase, but each object must have a unique name, regardless of case, in Firepower Threat Defense. To
accommodate such differences, the Firepower Migration Tool analyzes all ASA objects and handles their
migration in one of the following ways:
• Each ASA object has a unique name and configuration—The Firepower Migration Tool migrates the
objects successfully without changes.
• The name of an ASA object includes one or more special characters that are not supported by Firepower
Management Center—The Firepower Migration Tool renames the special characters in the object name
with a "_" character to meet the Firepower Management Center object naming criteria.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
17
 Prepare for Migration
Guidelines and Limitations for Firepower Threat Defense Devices

• An ASA object has the same name and configuration as an existing object in Firepower Management
Center—The Firepower Migration Tool reuses the Firepower Management Center object for the Firepower
Threat Defense configuration and does not migrate the ASA object.
• An ASA object has the same name but a different configuration than an existing object in Firepower
Management Center—The Firepower Migration Tool reports object conflict and allows you to resolve
the conflict by adding a unique suffix to the name of the ASA object for migration purposes.
• Multiple ASA objects have the same name but in different cases—The Firepower Migration Tool renames
such objects to meet the Firepower Threat Defense object naming criteria

Guidelines and Limitations for Firepower Threat Defense

Devices
As you plan to migrate your ASA configuration to Firepower Threat Defense, consider the following guidelines
and limitations:
• If there are any existing device-specific configurations on the FTD such as routes, interfaces, and so on,
during the push migration, the Firepower Migration Tool cleans the device automatically and overwrites
from the ASA configuration.

Note To prevent any undesirable loss of device (target FTD) configuration data, we
recommend you to manually clean the device before migration.

During migration, the Firepower Migration Tool resets the interface configuration. If you use these
interfaces in policies, the Firepower Migration Tool cannot reset them and the migration fails.
• The Firepower Threat Defense device can be a standalone device or a container instance. It must not be
part of a cluster or a high availability configuration.
• The target native Firepower Threat Defense device must have at least an equal number of used
physical data and port channel interfaces (excluding ‘management-only’ and subinterfaces) as that
of the ASA ; if not you must add the required type of interface on the target Firepower Threat
Defense device. Subinterfaces are created by the Firepower Migration Tool that are based on physical
or port channel mapping.
• If the target Firepower Threat Defense device is a container instance, at minimum it must have an
equal number of used physical interfaces, physical subinterfaces, port channel interfaces, and port
channel subinterfaces (excluding ‘management-only’) as that of the ASA ; if not you must add the
required type of interface on the target Firepower Threat Defense device.
• Subinterfaces are not created by the Firepower Migration Tool, only interface mapping is
allowed.
• Mapping across different interface types is allowed, for example: physical interface can be
mapped to a port channel interface.

• The Firepower Migration Tool can create subinterfaces and Bridge-Group Virtual Interfaces (transparent
mode) on the native instance of the Firepower Threat Defense device that is based on the ASA

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
18
 Prepare for Migration
Supported Platforms for Migration

configuration. Manually create interfaces and port channel interfaces on the target Firepower Threat
Defense device before starting migration. For example, if your ASA configuration is assigned with the
following interfaces and port channels, you must create them on the target Firepower Threat Defense
device before the migration:
• Five physical interfaces
• Five port channels
• Two management-only interfaces

Note For container instances of Firepower Threat Defense devices, subinterfaces are
not created by the Firepower Migration Tool, only interface mapping is allowed.

Supported Platforms for Migration

The following ASA and Firepower Threat Defense platforms are supported for migration with the Firepower
Migration Tool. For more information about the supported Firepower Threat Defense platforms, see Cisco
Firepower Compatibility Guide.

Note The Firepower Migration Tool supports migration of standalone ASA devices to a standalone Firepower
Threat Defense device only.

Supported Source ASA Platforms

You can use the Firepower Migration Tool to migrate the configuration from the following single/ multi-context
ASA platforms:
• ASA 5510
• ASA 5520
• ASA 5540
• ASA 5550
• ASA 5580
• ASA 5506
• ASA 5506W-X
• ASA 5506H-X
• ASA 5508-X
• ASA 5512-X
• ASA 5515-X
• ASA 5516-X

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
19
 Prepare for Migration
Supported Platforms for Migration

• ASA 5525-X
• ASA 5545-X
• ASA 5555-X
• ASA 5585-X with ASA only (the Firepower Migration Tool does not migrate the configuration from
the) ASA FirePOWER module
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Series
• SM-24
• SM-36
• SM-40
• SM-44
• SM-48
• SM-56

• ASAv on VMware, deployed using VMware ESXi, VMware vSphere Web Client, or vSphere standalone
client

Supported Target Firepower Threat Defense Platforms

You can use the Firepower Migration Tool to migrate a source ASA configuration to the following standalone
or container instance of the Firepower Threat Defense platforms:
• ASA 5506
• ASA 5506W-X
• ASA 5506H-X
• ASA 5508-X
• ASA 5512-X
• ASA 5515-X
• ASA 5516-X
• ASA 5525-X
• ASA 5545-X
• ASA 5555-X

• Firepower 1000 Series

• Firepower 2100 Series

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
20
 Prepare for Migration
Supported Software Versions for Migration

• Firepower 4100 Series

• Firepower 9300 Series that includes:
• SM-24
• SM-36
• SM-40
• SM-44
• SM-48
• SM-56

• Firepower Threat Defense Virtual on VMware, deployed using VMware ESXi, VMware vSphere Web
Client, or vSphere standalone client

Supported Software Versions for Migration

The following are the supported ASA and Firepower Threat Defense versions for migration:

Supported ASA Versions

The Firepower Migration Tool supports migration from a device that is running ASA software version 8.4
and later.

Supported Firepower Management Center Versions for source ASA Configuration

For ASA, the Firepower Migration Tool supports migration to a Firepower Threat Defense device managed
by a Firepower Management Center that is running version 6.2.3 or 6.2.3+.

Note Some features are supported only in the later versions of FMC and FTD.

Note For optimum migration times, We recommend that you upgrade Firepower Management Center to the suggested
release version provided here: software.cisco.com/downloads.

Supported Firepower Threat Defense Versions

The Firepower Migration Tool recommends migration to a device that is running Firepower Threat Defense,
version 6.2.3 and later.
For detailed information about the Cisco Firepower software and hardware compatibility, including operating
system and hosting environment requirements, for Firepower Threat Defense, see the Cisco Firepower
Compatibility Guide.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
21
 Prepare for Migration
Platform Requirements for the Firepower Migration Tool

Platform Requirements for the Firepower Migration Tool

The Firepower Migration Tool has the following infrastructure and platform requirements:
• Runs on a Windows 10 64-bit operating system or on a macOS version 10.13 or higher
• Has Google Chrome as the system default browser
• (Windows) Has Sleep settings configured in Power & Sleep to Never put the PC to Sleep, so the system
does not go to sleep during a large migration push
• (macOS) Has Energy Saver settings configured so that the computer and the hard disk do not go to sleep
during a large migration push

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
22
 CHAPTER 3
Run the Firepower Migration Tool
• Download the Firepower Migration Tool from Cisco.com, on page 23
• Obtain the ASA Configuration File, on page 24
• Export the ASA Configuration File, on page 24
• Launch the Firepower Migration Tool, on page 25
• Upload the ASA Configuration File, on page 27
• Connect to the ASA from the Firepower Migration Tool, on page 27
• Specify Destination Parameters for the Firepower Migration Tool, on page 29
• Review the Pre-Migration Report, on page 33
• Map ASA Configurations with Firepower Threat Defense Interfaces, on page 34
• Map ASA Interfaces to Security Zones and Interface Groups, on page 35
• Review and Validate the Configuration to be Migrated, on page 37
• Push the Migrated Configuration to Firepower Management Center, on page 40
• Review the Post-Migration Report and Complete the Migration, on page 41
• Uninstall the Firepower Migration Tool, on page 44

Download the Firepower Migration Tool from Cisco.com

Before you begin
You must have a Windows 10 64-bit or macOS version 10.13 or higher machine with an internet connectivity
to Cisco.com.

Procedure

Step 1 On your computer, create a folder for the Firepower Migration Tool.
We recommend that you do not store any other files in this folder. When you launch the Firepower Migration
Tool, it places the logs, resources, and all other files in this folder.
Note Whenever you download the latest version of the Firepower Migration Tool, ensure, you create a
new folder and not use the existing folder.

Step 2 Browse to https://software.cisco.com/download/home/286306503/type and click Firepower Migration Tool.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
23
 Run the Firepower Migration Tool
Obtain the ASA Configuration File

The above link takes you to the Firepower Migration Tool under Firepower NGFW Virtual. You can also
download the Firepower Migration Tool from the Firepower Threat Defense device download areas.

Step 3 Download the most recent version of the Firepower Migration Tool into the folder that you created.
Download the appropriate executable of the Firepower Migration Tool for Windows or macOS machines.

What to do next
Obtain the ASA Configuration File

Obtain the ASA Configuration File

You can use one of the following methods to obtain an ASA configuration file:
• Export the ASA Configuration File, on page 24
• Connect to the ASA from the Firepower Migration Tool, on page 27

Export the ASA Configuration File

This task is required only if you want to manually upload an ASA configuration file. If you want to connect
to an ASA from the Firepower Migration Tool, skip to Connect to the ASA from the Firepower Migration
Tool, on page 27.

Note Do not hand code or make changes to the ASA configuration after you export the file. These changes will not
be migrated to Firepower Threat Defense, and they create errors in the migration or cause the migration to
fail. For example, opening and saving the configuration file in terminal can add white space or blank lines
that the Firepower Migration Tool cannot parse.
Ensure that the exported ASA configuration file does not contain the "--More--" keyword as text, as this can
cause the migration to fail.

Procedure

Step 1 Use the show running-config command for the ASA device or context that you are migrating and copy the
configuration from there. See View the Running Configuration.
Alternately, use Adaptive Security Device Manager (ASDM) for the ASA device or context that you want to
migrate and choose File > Show Running Configuration in New Window to obtain the configuration file.
Note For a multi-context ASA, you can use the show tech-support command to obtain the configuration
for all the contexts in a single file.

Step 2 Save the configuration as either .cfg or .txt.

You cannot upload the ASA configuration to the Firepower Migration Tool if it has a different extension.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
24
 Run the Firepower Migration Tool
Launch the Firepower Migration Tool

Step 3 Transfer the ASA configuration file to your computer where you downloaded the Firepower Migration Tool.

What to do next
Launch the Firepower Migration Tool, on page 25

Launch the Firepower Migration Tool

Note When you launch the Firepower Migration Tool a console opens in a separate window. As you go through
the migration, the console displays the progress of the current step in the Firepower Migration Tool. If you
do not see the console on your screen, it is most likely to be behind the Firepower Migration Tool.

Before you begin

• Download the Firepower Migration Tool from Cisco.com
• Review and verify the requirements in the Guidelines and Limitations for the Firepower Migration Tool,
on page 11 section.
• Ensure that your computer has a recent version of the Google Chrome browser to run the Firepower
Migration Tool. For information on how to set Google Chrome as your default browser, see Set Chrome
as your default web browser.
• If you are planning to migrate a large configuration file, configure sleep settings so the system doesn’t
go to sleep during a migration push.

Procedure

Step 1 On your computer, navigate to the folder where you downloaded the Firepower Migration Tool.
Step 2 Do one of the following:
• On your Windows machine, double-click the Firepower Migration Tool executable to launch it in a
Google Chrome browser.
If prompted, click Yes to allow the Firepower Migration Tool to make changes to your system.
The Firepower Migration Tool creates and stores all related files in the folder where it resides, including
the log and resources folders.
• On your Mac move, the Firepower Migration Tool *.command file to the desired folder, launch the
Terminal application, browse to the folder where the Firepower Migration Tool is installed and run the
following commands:
# chmod 750 Firepower_Migration_Tool-version_number.command

# ./Firepower_Migration_Tool-version_number.command

The Firepower Migration Tool creates and stores all related files in the folder where it resides, including
the log and resources folders.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
25
 Run the Firepower Migration Tool
Launch the Firepower Migration Tool

Tip When you try to open the Firepower Migration Tool, you get a warning dialog because the
Firepower Migration Tool is not registered with Apple by an identified developer. For
information on opening an application from an unidentified developer, see Open an app from
an unidentified developer.
Note Use MAC terminal zip method.

Step 3 On the End User License Agreement page, click I agree to share data with Cisco Success Network if you
want to share telemetry information with Cisco, else click I'll do later.
When you agree to send statistics to Cisco Success Network, you are prompted to log in using your Cisco.com
account. Local credentials are used to log in to the Firepower Migration Tool if you choose not to send statistics
to Cisco Success Network.

Step 4 On the Firepower Migration Tool's login page, do one of the following:
• To share statistics with Cisco Success Network, click the Login with CCO link to log in to your Cisco.com
account using your single-sign on credentials.
Note If you do not have a Cisco.com account, create it on the Cisco.com login page.
• Log in with the following default credentials:
• Username—admin
• Password—Admin123

Proceed to step 8, if you have used your Cisco.com account to log in.

Step 5 On the Reset Password page, enter the old password, your new password, and confirm the new password.
The new password must have 8 characters or more and must include upper and lowercase letters, numbers,
and special characters.

Step 6 Click Reset.

Step 7 Log in with the new password.
Note If you have forgotten the password, delete all the existing data from the <migration_tool_folder>
and reinstall the Firepower Migration Tool.

Step 8 Review the pre-migration checklist and make sure you have completed all the items listed.
If you have not completed one or more of the items in the checklist, do not continue until you have done so.

Step 9 Click New Migration.

Step 10 On the Software Update Check screen, if you are not sure you are running the most recent version of the
Firepower Migration Tool, click the link to verify the version on Cisco.com.
Step 11 Click Proceed.

What to do next
You can proceed to the following step:

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
26
 Run the Firepower Migration Tool
Upload the ASA Configuration File

• If you have exported ASA configuration to your computer, proceed to Upload the ASA Configuration
File, on page 27.
• If you want to extract information from an ASA using the Firepower Migration Tool, proceed to Connect
to the ASA from the Firepower Migration Tool, on page 27

Upload the ASA Configuration File

Before you begin
Export the configuration file as .cfg or .txt from the source ASA device.

Note Do not upload a hand coded or manually altered configuration file. Text editors add blank lines and other
issues to the file that can cause the migration to fail.

Procedure

Step 1 On the Extract ASA Information screen, in the Manual Upload section, click Upload, to upload an ASA
configuration file.
Step 2 Browse to where the configuration file is located, and click Open.
The Firepower Migration Tool uploads the configuration file. For large configuration files, this step takes a
longer time. The console provides a line by line log view of the progress, including the ASA configuration
line that is being parsed. If you do not see the console, you can find it in a separate window behind the
Firepower Migration Tool. The Context Selection section identifies if the uploaded configuration corresponds
to the multi context ASA .

Step 3 Review the Context Selection section and select the ASA context that you want to migrate.
Step 4 Click Start Parsing.
The Parsed Summary section displays the parsing status.

Step 5 Review the summary of the elements that the Firepower Migration Tool detected and parsed in the uploaded
configuration file.
Step 6 Click Next, to select the target parameters.

What to do next
Specify Destination Parameters for the Firepower Migration Tool, on page 29

Connect to the ASA from the Firepower Migration Tool

The Firepower Migration Tool can connect to an ASA device that you want to migrate and extract the required
configuration information.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
27
 Run the Firepower Migration Tool
Connect to the ASA from the Firepower Migration Tool

Before you begin

• Download and launch the Firepower Migration Tool.
• For single context ASA, obtain the management IP address, administrator credentials, and the enable
password.
• For multiple context mode ASA, obtain the IP address of the admin context, administrator credentials,
and the enable password.

Note If ASA is not configured with Enable Password, you can leave the field blank
on the Firepower Migration Tool.

Procedure

Step 1 On the Extract ASA Information screen, in the Connect to ASA section, click Connect to connect to the
ASA device that you want to migrate.
Step 2 On the ASA Login screen, enter the following information:
a. In the ASA IP Address/ Hostname field, enter the management IP address or hostname (for single context
ASA) or IP address of the admin context or hostname (for a multi-context ASA).
b. In the Username , Password, and Enable Password fields enter the appropriate administrator login
credentials.
Note If ASA is not configured with an Enable password, you can leave the field blank on the
Firepower Migration Tool.
c. Click Login.

When the Firepower Migration Tool connects to the ASA, it displays a successfully connected to the ASA
message. For a multi-context ASA, the Firepower Migration Tool identifies and lists the contexts.

Step 3 Select the ASA context that you want to migrate from the Context drop-down list.
Step 4 (Optional) Select Collect Hitcounts.
When checked, this tool computes the number of times an ASA rule was used and the last time the rule was
used since ASA uptime or last ASA restart and displays this information on the Review and Validate page.
This allows you to evaluate the efficacy and relevance of the rule before migration.

Step 5 Click Start Extraction.

The Firepower Migration Tool connects to the ASA and starts extracting configuration information. When
the extraction completes successfully, the Context Selection section identifies if the uploaded configuration
corresponds to a single-context or multi-context ASA.

Step 6 Review the Context Selection section and select the ASA context that you want to migrate.
Step 7 Click Start Parsing.
The Parsed Summary section displays the parsing status. The Firepower Migration Tool parses the
configuration file and disconnects from the ASA.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
28
 Run the Firepower Migration Tool
Specify Destination Parameters for the Firepower Migration Tool

Step 8 Review the summary of the elements that the Firepower Migration Tool detected and parsed, in the uploaded
configuration file.
Step 9 Click Next, to select the target parameters.

What to do next
Specify Destination Parameters for the Firepower Migration Tool, on page 29

Specify Destination Parameters for the Firepower Migration

Tool
Before you begin
• Obtain the IP address for the Firepower Management Center
• Create a dedicated account for the Firepower Migration Tool in the Firepower Management Center with
sufficient privileges to access the REST API, as described in User Accounts for Management Access
• (Optional) Add the target Firepower Threat Defense device to the Firepower Management Center, if you
want to migrate device-specific configurations like interfaces and routes. See Adding Devices to the
Firepower Management Center
• If it requires you to apply IPS or file policy to ACL in the Review and Validate page, we highly
recommend you to create a policy on the FMC before migration. Use the same policy, as the Firepower
Migration Tool fetches the policy from the connected FMC. Creating a new policy and assigning it to
multiple Access control lists may degrade the performance and may also result in a push failure.

Procedure

Step 1 On the Select Target screen, in the Connect to Firepower Management Center section, enter the IP address
or Fully-Qualified Domain Name (FQDN) for the Firepower Management Center.
Step 2 In the Domain drop-down list, select the domain to which you are migrating.
If you want to migrate to a Firepower Threat Defense device, you can only migrate to the Firepower Threat
Defense devices available in the selected domain.

Step 3 Click Connect.

Step 4 In the Firepower Management Center Login dialog box, enter the username and password of the dedicated
account for the Firepower Migration Tool, and click Login.
The Firepower Migration Tool logs in to Firepower Management Center and retrieves a list of Firepower
Threat Defense devices that are managed by that Firepower Management Center. You can view the progress
of this step in the console.

Step 5 Click Proceed.

In the Choose FTD section, you can either select a Firepower Threat Defense device that you want to migrate
to, or if you do not have a Firepower Threat Defense device, you can migrate the shared policies (Access
Control Lists, NAT, and Objects) of the ASA configuration to the Firepower Management Center.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
29
 Run the Firepower Migration Tool
Specify Destination Parameters for the Firepower Migration Tool

Step 6 In the Choose FTD section, do one of the following:

• Click the Select Firepower Threat Defense Device drop-down list and check the device where you
want to migrate the ASA configuration.
The devices in the selected Firepower Management Center domain are listed by IP Address and Name.
Note At minimum, the native Firepower Threat Defense device you choose must have the same
number of physical or port channel interfaces as the ASA configuration that you are migrating.
At minimum, the container instance of the Firepower Threat Defense device, should have the
same number of physical or port channel interfaces and subinterfaces. You must configure the
device with the same firewall mode as the ASA configuration. However, these interfaces do
not have to have the same names on both devices.
• For ASA 5505, the device-specific configs (Interface and routes) and shared policies (NAT, ACLs, and
Objects) can be migrated only when the supported Target FTD platform is Firepower 1010 with Firepower
Management Center (FMC) version 6.5 or later.
Note If the target FTD is not FPR-1010 or the target Firepower Management Center (FMC) is earlier
than 6.5, ASA 5505 migration support is applicable for shared policies only. Device specifics
will not be migrated.
Note You can select only FPR-1010 from the Select Device drop-down list as the source config is
ASA 5505.
Note ASA-SM migration support is for shared policies only. Device specifics will not be migrated.
• Click Proceed without FTD to migrate the configuration to the Firepower Management Center.
When you proceed without FTD, the Firepower Migration Tool will not push any configurations or the
policies to an FTD. Thus, interfaces and routes, which are Firepower Threat Defense device-specific
configurations, will not be migrated. However, all the other supported configurations (shared policies
and objects) such as NAT, ACLs, and port objects will be migrated.

Step 7 Click Proceed.

Depending on the destination that you are migrating to, the Firepower Migration Tool allows you to select
the features that you want to migrate.

Step 8 Click the Select Features section to review and select the features that you want to migrate to the destination.
• If you are migrating to a destination Firepower Threat Defense device, the Firepower Migration Tool
automatically selects the features available for migration from the ASA configuration in the Device
Configuration and Shared Configuration sections. You can further modify the default selection,
according to your requirements.
• If you are migrating to a Firepower Management Center, the Firepower Migration Tool automatically
selects the features available for migration from the ASA configuration in the Shared Configuration
section. You can further modify the default selection, according to your requirements.
Note The Device Configuration section is not available when you have not selected a destination
Firepower Threat Defense device to migrate to.
• The Firepower Migration Tool supports the following for access control during migration:
• Populate Destination Security Zones—Enables mapping of destination zones for the ACL during
migration.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
30
Run the Firepower Migration Tool
Specify Destination Parameters for the Firepower Migration Tool

Route-lookup logic is limited to Static Routes and Connected Routes, and PBR, Dynamic Routes,
and NAT are not considered. Interface network configuration is used to derive the connected route
information.
Based on the nature of Source and Destination network object-groups, this operation may result in
rule explosion.
• Migrate Tunneled rules as Prefilter—Mapping of ASA encapsulated tunnel protocol rule to Prefilter
tunnel rules has the following advantages:
• Tailor Deep Inspection—For encapsulated traffic and to improve performance with fastpathing.
• Improve Performance—You can fastpath or block any other connections that benefit from
early handling.

The Firepower Migration Tool identifies the encapsulated tunnel traffic rules in source configuration
and migrates them as Prefilter tunnel rules. You can verify the migrated tunnel rule under the Prefilter
policy. The Prefilter policy is associated with the migrated access control policy on FMC.
The protocols which are migrated as Prefilter tunnel rules are following:
• GRE (47)
• IPv4 encapsulation (4)
• IPv6 encapsulation (41)
• Teredo Tunneling (UDP:3544)

Note If you do not opt to select the prefilter option, all the tunneled traffic rules will be migrated
as unsupported rules.

• (Optional) In the Optimization section, select Migrate only referenced objects to migrate only those
objects that are referenced in an access control policy and a NAT policy.
Note When you select this option, unreferenced objects in the ASA configuration will not be migrated.
This optimizes migration time and cleans out unused objects from the configuration.
• (Optional) In the Optimization section, select Object group search for optimal memory utilization by
access policy on FTD.
• (Optional) In the Inline Grouping section, the Firepower Migration Tool allows you to clear the access
rules of the pre-defined network and service object names that start with CSM or DM. If you uncheck
this option, the pre-defined object names will be retained during migration. For more information, see
Inline Grouping.
Note By default, the option of Inline Grouping is enabled.

Step 9 Click Proceed.

Step 10 In the Rule Conversion/ Process Config section, click Start Conversion to initiate the conversion.
Step 11 Review the summary of the elements that the Firepower Migration Tool converted.
To check whether your configuration file is successfully uploaded and parsed, download and verify the
Pre-Migration Report before you continue with the migration.

Step 12 Click Download Report, and save the Pre-Migration Report.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
31
 Run the Firepower Migration Tool
Inline Grouping

A copy of the Pre-Migration Report is also saved in the Resources folder in the same location as the
Firepower Migration Tool.

What to do next
Review the Pre-Migration Report, on page 33

Inline Grouping
Object Grouping by ASDM and CSM Managed ASA
When you enter more than one item (object or inline values) in the source or destination address, or source
or destination service, CSM or ASDM automatically creates an object group. The naming conventions for
these object groups that are used by CSM and ASDM are CSM_INLINE and DM_INLINE respectively while
deploying the configuration on to respective ASA device.

Note To change the behavior of the object grouping from Tools > Preferences, choose Auto-expand network
and service objects with specified prefix rule table preference.

The following is the configuration snippet extracted using the show run command on ASA managed by
ASDM.
object network host1
host 10.1.1.100
object network fqdn_obj1
fqdn abc.cisco.com
object-group network DM_INLINE_NETWORK_1
network-object 10.21.44.189 255.255.255.255
network-object 10.21.44.190 255.255.255.255
object-group network DM_INLINE_NETWORK_2
network-object 10.21.44.191 255.255.255.255
network-object object host1
network-object object fqdn_obj1

access-list CSM_DM_ACL extended permit tcp object-group DM_INLINE_NETWORK_1 object-group

DM_INLINE_NETWORK_2

In the above example, access-list CSM_DM_ACL on ASDM UI does not show DM_INLINE group as rule’s
Source and Destination network instead displays contents of DM_INLINE group.

Inline Grouping—ASDM/CSM
The Inline Grouping functionality of the Firepower Migration Tool allows you to parse show
running-configuration of ASDM or CSM managed ASA devices. It provides an option to preserve the same
UI representation of the access-list rules as on ASDM or CSM. If opted out, migrated rules will refer to
DM_INLINE groups as recorded in ASA show running-configuration.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
32
 Run the Firepower Migration Tool
Review the Pre-Migration Report

Note The source ASA configuration file input to the Firepower Migration Tool would still be show run or show
tech collected from ASA or via live connection to ASA device (SSH). The Firepower Migration Tool does
not support any other form of configuration files or methods.

The following figures show how the Source and Destination Network fields of ACE or RULE change based
on the enabling or disabling the inline grouping option respectively.
Figure 1: With Inline Grouping—ASDM/CSM Enabled

Figure 2: With Inline Grouping—ASDM/CSM Disabled

Review the Pre-Migration Report

Procedure

Step 1 Navigate to where you downloaded the Pre-Migration Report.

Copy of the Pre-Migration Report is also saved in the Resources folder in the same location as the
Firepower Migration Tool.

Step 2 Open the Pre-Migration Report and carefully review its contents to identify any issues that can cause the
migration to fail.
The Pre-Migration Report includes the following information:
• Overall Summary—The method used to extract the ASA configuration information or connecting to a
live ASA configuration.
If connecting to a live ASA, the firewall mode detected on the ASA , and for multiple context mode, the
context you chose for migration.
A summary of the supported ASA configuration elements that can be successfully migrated to Firepower
Threat Defense and specific ASA features selected for migration.
While connecting to a live ASA, the summary includes the hit count information- the number of times
an ASA rule was encountered and its time-stamp information.
• Configuration Lines with Errors—Details of ASA configuration elements that cannot be successfully
migrated because the Firepower Migration Tool could not parse them. Correct these errors on the ASA
configuration, export a new configuration file, and then upload the new configuration file to the Firepower
Migration Tool before proceeding.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
33
 Run the Firepower Migration Tool
Map ASA Configurations with Firepower Threat Defense Interfaces

• Partially Supported Configuration—Details of ASA configuration elements that can be only partially
migrated. These configuration elements include rules and objects with advanced options where the rule
or the object can be migrated without the advanced options. Review these lines, verify whether the
advanced options are supported in Firepower Management Center, and if so, plan to configure those
options manually after you complete the migration with the Firepower Migration Tool.
• Unsupported Configuration—Details of ASA configuration elements that cannot be migrated because
the Firepower Migration Tool does not support migration of those features. Review these lines, verify
whether each feature is supported in Firepower Management Center, and if so, plan to configure the
features manually after you complete the migration with the Firepower Migration Tool.
• Ignored Configuration—Details of ASA configuration elements that are ignored because they are not
supported by the Firepower Management Center or the Firepower Migration Tool. The Firepower
Migration Tool does not parse these lines. Review these lines, verify whether each feature is supported
in Firepower Management Center, and if so, plan to configure the features manually.

For more information about supported features in Firepower Management Center and Firepower Threat
Defense, see Firepower Management Center Configuration Guide.

Step 3 If the Pre-Migration Report recommends corrective actions, complete those corrections on the ASA interface
, export the ASA configuration file again, and upload the updated configuration file before proceeding.
Step 4 After your ASA configuration file is successfully uploaded and parsed, return to the Firepower Migration
Tool and click Next to continue the migration.

What to do next
Map ASA Configurations with Firepower Threat Defense Interfaces

Map ASA Configurations with Firepower Threat Defense

Interfaces
The Firepower Threat Defense device must have an equal or greater number of physical and port channel
interfaces than those used by the ASA configuration. These interfaces do not have to have the same names
on both devices. You can choose how you want to map the interfaces.
On the Map FTD Interface screen, the Firepower Migration Tool retrieves a list of the interfaces on the
Firepower Threat Defense device. By default, the Firepower Migration Tool maps the interfaces in ASA and
the Firepower Threat Defense device according to their interface identities. For example, the 'management-only'
interface on the ASA interface is automatically mapped to the 'management-only' interface on the Firepower
Threat Defense device and is unchangeable.
The mapping of ASA interface to the FTD interface differs based on the FTD device type:
• If the target FTD is of native type:
• The FTD must have equal or more number of the used ASA interfaces or port channel (PC) data
interfaces (excluding management-only and subinterfaces in the ASA configuration). If the number
is less, add the required type of interface on the target FTD.
• Subinterfaces are created by the Firepower Migration Tool based on physical interface or port
channel mapping.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
34
 Run the Firepower Migration Tool
Map ASA Interfaces to Security Zones and Interface Groups

• If the target FTD is of container type:

• The FTD must have equal or more number of used ASA interfaces, physical subinterfaces, port
channel, or port channel subinterfaces (excluding management-only in ASA configuration). If the
number is less, add the required type of interface on the target FTD. For example, if the number of
physical interfaces and physical subinterface on the target FTD is 100 less than that of ASA then
you can create the additional physical or physical subinterfaces on the target FTD.
• Subinterfaces are not created by the Firepower Migration Tool. Only interface mapping is allowed
between physical interfaces, port channel, or subinterfaces.

Before you begin

Make sure you have connected to the Firepower Management Center and chosen the destination as Firepower
Threat Defense. For more information, see Specify Destination Parameters for the Firepower Migration Tool,
on page 29.

Note This step is not applicable if you are migrating to a Firepower Management Center without a Firepower Threat
Defense device.

Procedure

Step 1 If you want to change an interface mapping, click the drop-down list in the Firepower Threat Defense
Interface Name and choose the interface that you want to map to that ASA interface.
You cannot change the mapping of the management interfaces. If a Firepower Threat Defense interface has
already been assigned to an ASA interface, you cannot choose that interface from the drop-down list. All
assigned interfaces are greyed out and unavailable.
You do not need to map subinterfaces. The Firepower Migration Tool maps subinterfaces on the Firepower
Threat Defense device for all subinterfaces in the ASA configuration.

Step 2 When you have mapped each ASA interface to a Firepower Threat Defense interface, click Next.

What to do next
Map the ASA interfaces to the appropriate Firepower Threat Defense interface objects, security zones, and
interface groups. For more information, see Map ASA Interfaces to Security Zones and Interface Groups.

Map ASA Interfaces to Security Zones and Interface Groups

Note If your ASA configuration does not include Access Lists and NAT rules or if you choose not to migrate these
policies, you can skip this step and proceed to Review and Validate the Configuration to be Migrated, on page
37.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
35
 Run the Firepower Migration Tool
Map ASA Interfaces to Security Zones and Interface Groups

To ensure that the ASA configuration is migrated correctly, map the ASA interfaces to the appropriate
Firepower Threat Defense interface objects, security zones and interface groups. In an ASA configuration,
access control policies and NAT policies use interface names (nameif). In Firepower Management Center,
those policies use interface objects. In addition, Firepower Management Center policies group interface objects
into the following:
• Security zones—An interface can belong to only one security zone.
• Interface groups—An interface can belong to multiple interface groups.

The Firepower Migration Tool allows one-to-one mapping of interfaces with security zones and interface
groups; when a security zone or interface group is mapped to an interface, it is not available for mapping to
other interfaces although the Firepower Management Center allows it. For more information about security
zones and interface groups in Firepower Management Center, see Interface Objects: Interface Groups and
Security Zones.

Procedure

Step 1 On the Map Security Zones and Interface Groups screen, review the available interfaces, security zones,
and interface groups.
Step 2 To map interfaces to security zones and interface groups that exist in Firepower Management Center, or that
is available in ASA configuration files as Security Zone type objects and is available in the drop down list,
do the following:
a) In the Security Zones column, choose the security zone for that interface.
b) In the Interface Groups column, choose the interface group for that interface.
Step 3 You can manually map or auto-create the security zones and interface groups.
Step 4 To map the security zones and interface groups manually, perform the following:
a) Click Add SZ & IG.
b) In the Add SZ & IG dialog box, click Add to add a new security zone or Interface Group.
c) Enter the security zone name in the Security Zone column. The maximum characters allowed is 48.
Similarly, you can add an Interface group.
d) Click Close.
To map the security zones and interface groups through auto-creation, perform the following:
a) Click Auto-Create.
b) In the Auto-Create dialog box, check one or both of Interface Groups or Zone Mapping.
c) Click Auto-Create.
The Firepower Migration Tool gives these security zones the same name as the ASA interface, such as outside
or inside, and displays an "(A)" after the name to indicate that it was created by the Firepower Migration
Tool. The interface groups have an _ig suffix added, such as outside_ig or inside_ig. In addition, the security
zones and interface groups have the same mode as the ASA interface. For example, if the ASA logical interface
is in L3 mode, the security zone and interface group that is created for the interface is also in L3 mode.

Step 5 When you have mapped all interfaces to the appropriate security zones and interface groups, click Next.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
36
 Run the Firepower Migration Tool
Review and Validate the Configuration to be Migrated

Review and Validate the Configuration to be Migrated

Before you push the migrated ASA configuration to Firepower Management Center, review the configuration
carefully and validate that it is correct and matches how you want to configure the Firepower Threat Defense
device.
Here, the Firepower Migration Tool fetches the Intrusion Prevention System (IPS) Policies and File Policies
which are already present on the Firepower Management Center and allows you to associate those to the
Access Control Rules you are migrating.
A file policy is a set of configurations that the system uses to perform Advanced Malware Protection for
networks and file control, as part of your overall access control configuration. This association ensures that
before the system passes a file in traffic that matches an access control rule’s conditions, it first inspects the
file.
Similarly, you can use an IPS policy as the system’s last line of defense before traffic is allowed to proceed
to its destination. Intrusion policies govern how the system inspects traffic for security violations and, in inline
deployments, can block or alter malicious traffic. Whenever the system uses an intrusion policy to evaluate
traffic, it uses an associated variable set. Most variables in a set represent values commonly used in intrusion
rules to identify source and destination IP addresses and ports. You can also use variables in intrusion policies
to represent IP addresses in rule suppressions and dynamic rule states.
To search for specific configuration items on a tab, enter the item name in the field at the top of the column.
The table rows are filtered to display only items that match the search term.
The source ASA device may be managed by CSM or ASDM. When you enter more than one item (object or
inline values) in the source or destination address, or source or destination service, CSM/ASDM automatically
creates an object group. The naming conventions for these object groups that are used by CSM and ASDM
are CSM_INLINE and DM_INLINE respectively.
When you opt to clear the inline grouping CSM or ASDM managed configurations, the predefined objects
are replaced with the actual object or member name. If you do not clear the CSM or ASDM managed
configurations, the predefined object names will be retained for migration.
For example, 10.21.44.189 and 10.21.44.190 are members of an object group and are renamed with the
predefined names such as object-group DM_INLINE_NETWORK_1 and object-group
DM_INLINE_NETWORK_2.

Note By default, the Inline Grouping option is enabled.

If you close the Firepower Migration Tool at the Review and Validate Configuration screen, it saves your
progress and allows you to resume the migration later. If you close the Firepower Migration Tool before this
screen, your progress is not saved. If there is a failure after parsing, relaunching the Firepower Migration Tool
resumes from the Interface Mapping screen.

Procedure

Step 1 On the Review and Validate Configuration screen, click Access Control Rules and do the following:
a) For each entry in the table, review the mappings and verify that they are correct.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
37
 Run the Firepower Migration Tool
Review and Validate the Configuration to be Migrated

A migrated Access Policy Rule uses the ACL name as prefix and appends the ACL rule number to it to
make it easier to map back to the ASA configuration file. For example, if an ASA ACL is named
"inside_access", then the first rule (or ACE) line in the ACL will be named as "inside_access_#1". If a
rule must be expanded because of TCP/UDP combinations, an extended service object, or some other
reason, the Firepower Migration Tool adds a numbered suffix to the name. For example, if the allow rule
is expanded into two rules for migration, they are named "inside_access _#1-1" and " inside_access_#1-2".
For any rule that includes an unsupported object, the Firepower Migration Tool appends an
"_UNSUPPORTED" suffix to the name.
b) If you do not want to migrate one or more access control list policies, check the box for the appropriate
rows, choose Actions > Do not migrate, and then click Save.
All rules that you choose not to migrate are greyed out in the table.
c) If you want to apply a Firepower Management Center file policy to one or more access control policies,
check the box for the appropriate rows, choose Actions > File Policy.
In the File Policy dialog, select the appropriate file policy and apply it to the selected access control
policies and click Save.
d) If you want to apply a Firepower Management Center IPS policy to one or more access control policies,
check the box for the appropriate rows, choose Actions > IPS Policy.
In the IPS Policy dialog, select the appropriate IPS policy and its corresponding variable set and apply it
to the selected access control policies and click Save.
e) If you want to change the logging options for an access control rule which has logging enabled, check the
box for the appropriate row and choose Actions > Log.
In the Log dialog, you can enable logging events either at the beginning or end of a connection or both.
If you enable logging, you must opt to send the connection events either to the Event Viewer or to the
Syslog or both. When you opt to send connection events to a syslog server, you can choose the syslog
policies that are already configured on the Firepower Management Center from the Syslog drop-down
menu.
f) If you want to change the actions for the migrated access control rules in the Access Control table, check
the box for the appropriate row and choose Actions > Rule Action.
In the Rule Action dialog from the Actions drop-down, you can either choose ACP or Prefilter tabs:
• ACP—Every access control rule has an action that determines how the system handles and logs
matching traffic. You can either perform an allow, trust, monitor, block, or block with reset action
on an access control rule.
• Prefilter—A rule's action determines how the system handles and logs matching traffic. You can
either perform a fastpath and block.

Tip The IPS and file policies that are attached to an access control rule will be automatically removed
for all rule actions except the Allow option.
ACL Rule Category—The Firepower Migration Tool preserves the Rule sections in the CSM managed
ASA configuration and migrates them as ACL categories on FMC.
Policy capacity and limit warning—The Firepower Migration Tool compares the total ACE count for the
migrated rules with the supported ACE limit on the target platform.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
38
Run the Firepower Migration Tool
Review and Validate the Configuration to be Migrated

Based on the comparison result, the Firepower Migration Tool displays a visible indicator and a warning
message if the total count of migrated ACE exceeds threshold or if it approaches the threshold of the
supported limit of target device.
You can optimize or decide not to migrate if the rules exceed the ACE Count column. You can also
complete the migration and use this information to optimize the rules after a push on the FMC before
deployment.
Note The Firepower Migration Tool does not block any migration despite the warning.
You can now filter the ACE counts in the ascending, descending, equal, greater than, and lesser than
filtering order sequence.
To clear the existing filter criteria, and to load a new search, click Clear Filter.
Note The order you sort the ACL based on ACE is for viewing only. The ACLs are pushed based on
the chronological order in which they occur.

Step 2 Click the following tabs and review the configuration items:
• NAT Rules
• Network Objects
• Port Objects
• Interfaces
• Static Routes

If you do not want to migrate one or more NAT rules or Route Interfaces, check the box for the appropriate
rows, choose Actions > Do not migrate, and then click Save.
All rules that you choose not to migrate are greyed out in the table.

Step 3 (Optional) While reviewing your configuration, you can rename one or more network or port objects in the
Network Objects tab or the Port Objects tab, by choosing Actions > Rename.
Access Rules and NAT policies that reference the renamed objects are also updated with new object names

Step 4 (Optional) To download the details for each configuration item in the grid, click Download.
Step 5 After you have completed your review, click Validate.
During validation, the Firepower Migration Tool connects to Firepower Management Center, reviews the
existing objects, and compares those objects to the list of objects to be migrated. If an object already exists
in Firepower Management Center, the Firepower Migration Tool does the following:
• If the object has the same name and configuration, the Firepower Migration Tool reuses the existing
object and does not create a new object in Firepower Management Center.
• If the object has the same name but a different configuration, the Firepower Migration Tool reports an
object conflict.

You can view the validation progress in the console.

Step 6 When the validation is complete, if the Validation Status dialog box shows one or more object conflicts, do
the following:
a) Click Resolve Conflicts.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
39
 Run the Firepower Migration Tool
Push the Migrated Configuration to Firepower Management Center

The Firepower Migration Tool displays a warning icon on either or both of the Network Objects or Port
Objects tab, depending upon where the object conflicts were reported.
b) Click the tab and review the objects.
c) Check the entry for each object that has a conflict, and choose Actions > Resolve Conflicts.
d) In the Resolve Conflicts window, complete the recommended action.
For example, you might be prompted to add a suffix to the object name to avoid a conflict with the existing
Firepower Management Center object. You can accept the default suffix or replace it with one of your
own.
e) Click Resolve.
f) When you have resolved all object conflicts on a tab, click Save.
g) Click Validate to revalidate the configuration and confirm that you have resolved all object conflicts.
Step 7 When the validation is complete and the Validation Status dialog box displays the message Successfully
Validated, continue with Push the Migrated Configuration to Firepower Management Center, on page 40.

Push the Migrated Configuration to Firepower Management

Center
You cannot push the migrated ASA configuration to Firepower Management Center if you have not successfully
validated the configuration and resolved all object conflicts.
This step in the migration process sends the migrated configuration to Firepower Management Center. It does
not deploy the configuration to the Firepower Threat Defense device. However, any existing configuration
on the Firepower Threat Defense is erased during this step.

Note Do not make any configuration changes or deploy to any device while the Firepower Migration Tool is sending
the migrated configuration to Firepower Management Center.

Procedure

Step 1 In the Validation Status dialog box, review the validation summary.
Step 2 Click Push Configuration to send the migrated ASA configuration to Firepower Management Center.
The new optimization functionality in the Firepower Migration Tool allows you to fetch the migration results
quickly using the Search filters.
The Firepower Migration tool also provides support to optimize CSV download and to apply the actions per
page view or on all rules.
The Firepower Migration Tool displays a summary of the progress of the migration. You can view detailed,
line-by-line progress of which the components that are being pushed to Firepower Management Center in the
console.

Step 3 After the migration is complete, click Download Report to download and save the post-migration report.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
40
 Run the Firepower Migration Tool
Review the Post-Migration Report and Complete the Migration

Copy of the Post-Migration Report is also saved in the Resources folder in the same location as the
Firepower Migration Tool.

Step 4 If your migration failed, review the post-migration report, log file, and unparsed file carefully to understand
what caused the failure.
You can also contact the support team for troubleshooting.
Migration Failure Support
If the migration is unsuccessful, contact Support.
a. On the Complete Migration screen, click the Support button.
The Help support page appears.
b. Check the Support Bundle check box and then select the configuration files to download.
Note The Log and dB files are selected for download by default.
c. Click Download.
The support bundle file is downloaded as a .zip to your local path. Extract the Zip folder to view the log
files, DB, and the Configuration files.
d. Click Email us to email the failure details for the technical team.
You can also attach the downloaded support files to your email.
e. Click Visit TAC page to create a TAC case in the Cisco support page.
Note You can open a TAC case at any time during the migration from the support page.

Review the Post-Migration Report and Complete the Migration

Procedure

Step 1 Navigate to where you downloaded the Post-Migration Report.

Step 2 Open the post-migration report and carefully review its contents to understand how your ASA configuration
was migrated:
• Migration Summary—A summary of the configuration that was successfully migrated from ASA to
Firepower Threat Defense, including information about the ASA interface, Firepower Management
Center hostname and domain, target Firepower Threat Defense device (if applicable), and the successfully
migrated configuration elements.
• Selective Policy Migration—Details of the specific ASA features selected for migration are available
within three categories - Device Configuration Features, Shared Configuration Features, and Optimization.
• ASA Interface to FTD Interface Mapping—Details of the successfully migrated interfaces and how
you mapped the interfaces on the ASA configuration to the interfaces on the Firepower Threat Defense
device. Confirm that these mappings match your expectations.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
41
 Run the Firepower Migration Tool
Review the Post-Migration Report and Complete the Migration

Note This section is not applicable for migrations without a destination Firepower Threat Defense
device or if Interfaces are not selected for migration.
• Source Interface Names to FTD Security Zones and Interface Groups—Details of the successfully
migrated ASA logical interfaces and name and how you mapped them to security zones and interface
groups in Firepower Threat Defense. Confirm that these mappings match your expectations.
Note This section is not applicable if Access Control Lists and NAT are not selected for migration.
• Object Conflict Handling—Details of the ASA objects that were identified as having conflicts with
existing objects in Firepower Management Center. If the objects have the same name and configuration,
the Firepower Migration Tool reused the Firepower Management Center object. If the objects have the
same name but a different configuration, you renamed those objects. Review these objects carefully and
verify that the conflicts were appropriately resolved.
• Access Control Rules, NAT, and Routes You Chose Not to Migrate—Details of the rules that you
choose not to migrate with the Firepower Migration Tool. Review these rules that were disabled by the
Firepower Migration Tool and were not migrated. Review these lines and verify that all the rules you
choose are listed in this section. If desired, you can configure these rules manually.
• Partially Migrated Configuration—Details of the ASA rules that were only partially migrated, including
rules with advanced options where the rule could be migrated without the advanced options. Review
these lines, verify whether the advanced options are supported in Firepower Management Center, and if
so, configure these options manually.
• Unsupported Configuration—Details of ASA configuration elements that were not migrated because
the Firepower Migration Tool does not support migration of those features. Review these lines, verify
whether each feature is supported in Firepower Threat Defense. If so, configure those features manually
in Firepower Management Center.
• Expanded Access Control Policy Rules—Details of ASA access control policy rules that were expanded
from a single ASA Point rule into multiple Firepower Threat Defense rules during migration.
• Actions Taken on Access Control Rules
• Access Rules You Chose Not to Migrate—Details of the ASA access control rules that you choose
not to migrate with the Firepower Migration Tool. Review these lines and verify that all the rules
you choose are listed in this section. If desired, you can configure these rules manually.
• Access Rules with Rule Action Change—Details of all Access Control Policy Rules that had ‘Rule
Action’ changed using the Firepower Migration Tool. The Rule Action values are - Allow, Trust,
Monitor, Block, Block with reset. Review these lines and verify that all the rules you choose are
listed in this section. If desired, you can configure these rules manually.
• Access Control Rules that have IPS Policy and Variable Set Applied—Details of all ASA access
control policy rules that have IPS Policy applied. Review these rules carefully and determine whether
the feature is supported in Firepower Threat Defense.
• Access Control Rules that have File Policy Applied—Details of all ASA access control policy
rules that have File Policy applied. Review these rules carefully and determine whether the feature
is supported in Firepower Threat Defense.
• Access Control Rules that have Rule ‘Log’ Setting Change—Details of the ASA access control
rules that had ‘Log setting' changed using the Firepower Migration Tool. The Log Setting values
are - False, Event Viewer, Syslog. Review these lines and verify that all the rules you choose are
listed in this section. If desired, you can configure these rules manually.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
42
Run the Firepower Migration Tool
Review the Post-Migration Report and Complete the Migration

• Access Control Rules that have failed Zone-lookup—Details of the ASA access control rules
that fail the Route-lookup operation and that is populated in the Post-Migration Report. The
Firepower Migration Tool performs the route-lookup operation based on the route (static and
connected) information in the source configuration to populate the destination security zones in the
access rules.
• Access Control Rules for Tunneled Protocols—Details of Tunnel rules that are migrated as a
prefilter tunnel rule during migration.

Note An unsupported rule that was not migrated causes issues with unwanted traffic getting through your
firewall. We recommend that you configure a rule in Firepower Management Center to ensure that
this traffic is blocked by Firepower Threat Defense.
Note If it requires you to apply IPS or file policy to ACL in the Review and Validate page, you are
highly recommended to create a policy on the FMC before migration. Use the same policy, as the
Firepower Migration Tool fetches the policy from the connected FMC. Creating a new policy and
assigning it to multiple policies may degrade the performance and may also result in a push failure.

For more information about supported features in Firepower Management Center and Firepower Threat
Defense, see Firepower Management Center Configuration Guide, Version 6.2.3.

Step 3 Open the Pre-Migration Report and make a note of any ASA configuration items that you need to migrate
manually on the Firepower Threat Defense device.
Step 4 In Firepower Management Center, do the following:
a) Review the migrated configuration for the Firepower Threat Defense device to confirm that all expected
rules and other configuration items, including the following, were migrated:
• Access control lists (ACL)
• Network Address Translation rules
• Port and network objects
• Static routes
• Interfaces
• IP SLA objects
• Object Group Search
• Time-based objects

b) Configure all partially supported, unsupported, ignored, and disabled configuration items and rules that
were not migrated.
For information on how to configure these items and rules, see the Firepower Management Center
Configuration Guide. The following are examples of configuration items that require manual configuration:
• Platform settings, including SSH and HTTPS access, as described in Platform Settings for Firepower
Threat Defense
• Syslog settings, as described in Configure Syslog
• Dynamic routing, as described in Routing Overview for Firepower Threat Defense
• Service policies, as described in FlexConfig Policies

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
43
 Run the Firepower Migration Tool
Uninstall the Firepower Migration Tool

• VPN configuration, as described in Firepower Threat Defense VPN

• Connection log settings, as described in Connection Logging

Step 5 After you have completed your review, deploy the migrated configuration from Firepower Management Center
to the Firepower Threat Defense device.
Verify that the data is reflected correctly in the Post-Migration Report for unsupported and partially supported
rules.
The Firepower Migration Tool assigns the policies to the Firepower Threat Defense device. Verify that the
changes are reflected in the running configuration. To help you to identify the policies that are migrated, the
description of those policies includes the hostname of the ASA configuration.

Uninstall the Firepower Migration Tool

All components are stored in the same folder as the Firepower Migration Tool.

Procedure

Step 1 Navigate to the folder where you placed the Firepower Migration Tool.
Step 2 If you want to save the logs, cut or copy and paste the log folder to a different location.
Step 3 If you want to save the pre-migration reports and the post-migration reports, cut or copy and paste the
resources folder to a different location.
Step 4 Delete the folder where you placed the Firepower Migration Tool.
Tip The log file is associated with the console window. As long as the console window for the Firepower
Migration Tool is open, the log file and the folder cannot be deleted.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
44
 CHAPTER 4
Troubleshooting Migration Issues
• About Troubleshooting for the Firepower Migration Tool, on page 45
• Logs and Other Files Used for Troubleshooting, on page 46
• Troubleshooting ASA File Upload Failures, on page 46

About Troubleshooting for the Firepower Migration Tool

A migration typically fails during the ASA configuration file upload or during the push of the migrated
configuration to Firepower Management Center.
Some of the common scenarios where the migration process fails are:
• Unknown or invalid characters in the ASA configuration file
• Incomplete or missing elements in the ASA configuration file
• Loss of a network connectivity or latency

Firepower Migration Tool Support Bundle

The Firepower Migration Tool provides the option to download a support bundle to extract valuable
troubleshooting information like log files, DB, and configuration files. Perform the following:
1. On the Complete Migration screen, click the Support button.
The Help support page appears.
2. Check the Support Bundle check box and then select the configuration files to download.

Note The Log and dB files are selected for download by default.

3. Click Download.
The support bundle file is downloaded as a .zip to your local path. Extract the Zip folder to view the log
files, DB, and the Configuration files.
4. Click Email us to email the failure details for the technical team.
You can also attach the downloaded support files to your email.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
45
 Troubleshooting Migration Issues
Logs and Other Files Used for Troubleshooting

5. Click Visit TAC page to create a TAC case in the Cisco support page.

Note You can open a TAC case at any time during the migration from the support page.

Logs and Other Files Used for Troubleshooting

You can find information that is useful for identifying and troubleshooting issues in the following files.

File Location
Log file <migration_tool_folder>\logs

Pre-migration report <migration_tool_folder>\resources

Post-migration report <migration_tool_folder>\resources

unparsed file <migration_tool_folder>\resources

telemetry_sessionid_timestamp.json <migration_tool_folder>\resources\telemetry_data

Troubleshooting ASA File Upload Failures

If your ASA configuration file fails to upload, the reason is typically because the Firepower Migration Tool
could not parse one or more lines in the file.
You can find information about the errors that caused the upload and parsing failure in the following locations:
• Error message displayed by the Firepower Migration Tool—Provides a high-level summary of what
caused the failure.
• Pre-migration report—Review the Configuration Lines with Errors section to see which lines in the ASA
configuration file caused the failure.
• Log file—Search on the word "error" to view the reason for the failure.
• Unparsed file—Look at the end of the file to identify the last ignored line of the ASA configuration file
that was successfully parsed.

Troubleshooting Example for ASA: Cannot Find Member of Object Group

In this example, the ASA configuration file upload and parsing that is failed because the parser could not find
one of the members of an object group.

Procedure

Step 1 Review the error messages to identify the problem.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
46
 Troubleshooting Migration Issues
Troubleshooting Example for ASA: List Index Out of Range

This failure generated the following error messages:

Location Error Message

Migration Tool message N/A

Configuration Lines with Errors Line#2[ERROR] group-object GROUP1

section of the pre-migration report
Line#3[ERROR] group-object GROUP2
Line#1[ERROR] object-group network NOV-SERVERS

Log file [INFO | object_group_mode.py:9491 > Parsing object-group network:

[NOV-SERVERS]
[ERROR | object_group_mode.py:1048 ] [GROUP1] group not found
when creating object-group network [NOV-SERVERS]
[ERROR | object_group_mode.py:1049 ] no row was found for one()
[ERROR | object_group_mode.py:1048 ] [GROUP2] group not found
when creating object-group network [NOV-SERVERS]
[ERROR | object_group_mode.py:1049 ] no row was found for one()

Step 2 Open the ASA configuration file and do the following:

a) Search for the object group by name: NOV-SERVERS
The ASA configuration file shows the following lines for NOV-SERVERS:
object-group network NOV-SERVERS
group-object GROUP1
group-object GROUP2

b) Search for each member of the group to identify which member is not included in the ASA configuration
file.
Step 3 To resolve the error, do the following using ASDM on the source ASA device:
a) Create the missing member for the object group.
b) Export the configuration file.
Step 4 If there are no more errors, upload the new ASA configuration file to the Firepower Migration Tool and
continue with the migration.

Troubleshooting Example for ASA: List Index Out of Range

In this example, the ASA configuration file upload and parsing that is failed because of an error in the
configuration of an element that the Firepower Migration Tool does not support.

Procedure

Step 1 Review the error messages to identify the problem.

This failure generated the following error messages:

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
47
 Troubleshooting Migration Issues
Troubleshooting Example for ASA: List Index Out of Range

Location Error Message

Migration Tool message list index out of range

Configuration Lines with Errors N/A

section of the pre-migration report

Log file [ERROR | asa_config_upload.py:119] > list index out of range

Step 2 Open the unparsed file and scroll to the bottom to identify the last line of the ASA configuration file that was
successfully parsed.
In this example, the last line in the unparsed file is the following:
Line#345 [SKIPPED] address 209.165.200.224 255.255.255.224

Step 3 Open the ASA configuration file and do the following:

a) Search for address 209.165.200.224 255.255.255.224
The line that follows this one contains the configuration element that caused the issue.
b) Review the line to determine what is causing the migration to fail.
In this example, the line where the Firepower Migration Tool had stopped parsing is name
www.example.s3.amazonaws.com. This is the line in the ASA configuration file that is directly after the
last line in the unparsed file. If you cannot identify the issue with this line, we recommend that you review
the Known Issues section in the Release Notes for the Firepower Migration Tool to see if you have
encountered one of the known issues in the release.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
48
 CHAPTER 5
Migration Tool FAQs
• Firepower Migration Tool Frequently Asked Questions, on page 49

Firepower Migration Tool Frequently Asked Questions

Q. What are the new features supported on the Firepower Migration Tool for Release 2.2?
A. The following features are supported with release 2.2:
• Object Group Search
• IP SLA Monitor
• Time-based Objects

Q. What are the source and target platforms that the Firepower Migration Tool can migrate policy?
A. The Firepower Migration Tool can migrate policies from supported ASA platform to FTD platform. For
more information, see Supported Source ASA Platforms, on page 19.
Q. What are the tasks that you must perform in the Pre-Migration and Post-Migration Reports?
A. To perform the tasks as part of your plan for migrating from ASA to Firepower Threat Defense, see
Migrating ASA to Firepower Threat Defense 2100 - An Example, on page 59.
Q. What are the supported destination platforms versions?
A. You can use the Firepower Migration Tool to migrate an ASA configuration to the standalone or container
instance of the Firepower Threat Defense platforms for FMC 6.2.3 or later. For more information on the
list of supported devices, see Supported Target Firepower Threat Defense Platforms, on page 20.
Q. What are the features the Firepower Migration Tool supports for migration?
A. The Firepower Migration Tool supports migration of L3/L4 ASA configuration to FTD. It also allows
enabling L7 features like IPS, file policy, and so on, during the migration process.
The Firepower Migration Tool can fully migrate the following ASA configurations:
• Network objects and groups (except discontiguous masks)
• Service objects, except for those service objects configured for a source and destination

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
49
 Migration Tool FAQs
Firepower Migration Tool Frequently Asked Questions

Note Though the Firepower Migration Tool does not migrate extended service objects
(configured for a source and destination), referenced ACL and NAT rules are
migrated with full functionality.

• Service object groups, except for nested service object groups

Note Since nesting is not supported on the Firepower Management Center, the
Firepower Migration Tool expands the content of the referenced rules. The rules
however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)
• Access rules that are applied to interfaces in the inbound direction and global ACL
• Auto NAT, Manual NAT, and object NAT (conditional)
• Static routes, except for those configured with the track option which are partially migrated and
ECMP routes which are not migrated
• Physical interfaces
• Subinterfaces
• Port channels
• Bridge groups (transparent mode only)
• Tunneling protocol-based access control policy rules (migrated as Prefilter tunnel rules)
• Category-based rule for CSM managed configurations
• IP SLA Monitor
• Object Group Search
• Time-based Objects

Q. What are the new features supported on the Firepower Migration Tool for Release 2.0?
A. The following features are supported with release 2.0:
• Destination Zone mapping for Access Rules
• Prefilter tunnel rules
• Category-based rules
• Policy Limit and Capacity Warning

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
50
Migration Tool FAQs
Firepower Migration Tool Frequently Asked Questions

• ASA 5505 and ASA-SM migration support

Q. Is there any dependency on FMC to use the new features introduced in the Firepower Migration Tool?
A. Yes. The following features are supported with target FMC 6.5 and later:
• Migrate tunnel Rules as Prefilter
• Category-based rules
• ASA 5505 Migration

Note Requires FMC version 6.5 and later to migrate to target FTD FPR-1010 platform.

The following features are supported with target FMC 6.6 and later:
• Object Group Search
• IP SLA Monitor
• Time-based Objects

Q. Can we migrate all the access rules in the source configuration to the Prefilter policy?
A. No. For migrations that are opted with Migrate Tunnel rules as Prefilter, the Firepower Migration
Tool identifies tunneling protocol-based access rules and migrates them as tunnel rules.
Q. What are the features the Firepower Migration Tool does not migrate today?
A. The Firepower Migration Tool does not support the following ASA configurations for migration. If these
configurations are supported in Firepower Management Center, you can configure them manually after
the migration is complete.
• SGT-based access control policy rules
• SGT-based objects
• User-based access control policy rules
• NAT rules that are configured with the block allocation option
• Objects with unsupported ICMP type and code
• Tunneling protocol-based access control policy rules
• NAT rules that are configured with SCTP
• NAT rules that are configured with host ‘0.0.0.0’
• Tunneling protocol-based access control policy rules (supported from Firepower Migration Tool
2.0 with target FMC 6.5 and later)

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
51
 Migration Tool FAQs
Firepower Migration Tool Frequently Asked Questions

For more information, see Guidelines and Limitations for ASA Configurations, on page 13.
Q. What are the supported source devices and code version?
A. You can use the Firepower Migration Tool to migrate the configuration from single or multi-context
ASA platforms (software version 8.4 or later). For more information on the list of devices, see Supported
Source ASA Platforms, on page 19.
Q. Does the Firepower Migration Tool support migration of multi-context ASA?
A. Yes. The Firepower Migration Tool can handle migration of multi-context ASA. At any given point in
time, one can migrate one context of the ASA (except for System context) to either FTD container or
native instances on the target FMC.
Q. What is the support mechanism if there are migration errors?
A. The Firepower Migration Tool is integrated with Cisco Success Network. If there are errors or issues,
contact Cisco TAC. For troubleshooting, see Troubleshooting Migration Issues, on page 45.
Q. How much time does the Firepower Migration Tool take to successfully migrate a configuration?
A. The time that is taken during migration depends on numerous factors like latency on network, load on
FMC, config size, number of objects, ACL, and so on. In internal testing, it was observed that a config
file of 2.0 MB with 7000+ Access Control List, 7000+ NAT Translations, and 3000+ Network Objects
takes around 6 minutes to successfully complete the migration.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
52
 APPENDIX A
Cisco Success Network-Telemetry Data
• Cisco Success Network-Telemetry Data, on page 53

Cisco Success Network-Telemetry Data

Whenever you initiate the migration process in the Firepower Migration Tool, the corresponding telemetry
data file is stored at a fixed location. With Cisco Success Network enabled, when you push the migrated ASA
configuration to Firepower Management Center, the push service reads the telemetry data file from the location
and deletes it after the data is successfully uploaded to the cloud. If you log into the Firepower Migration Tool
using the local credentials instead of your Cisco.com account credentials, the telemetry data will not be pushed
to the cloud and the data file is available here:
<migration_tool_folder>\resources \ telemetry_data
Following tables provide information on the telemetry data points, its description, and sample values.

Table 1: System Information

Data Point Description Example

Value
Operating Operating system that runs the Firepower Migration Tool. It could be Windows 7
System Windows7/Windows10 64-bit/macOS High Sierra

Browser Browser used to launch the Firepower Migration Tool. It could be Mozilla/5.0
Mozilla/5.0 or Chrome/68.0.3440.106 or Safari/537.36

Table 2: Source ASA Information

Data Point Description Example Value

Source Type The source device type ASA

Source Device Serial Number Serial number of ASA JAF1528ACAD

Source Device Model Number Model number of ASA ASA5585-SSP-10,

5969 MB RAM, CPU
Xeon 5500 series
2000 MHz, 1 CPU (4
cores)

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
53
 Cisco Success Network-Telemetry Data
Cisco Success Network-Telemetry Data

Data Point Description Example Value

Source Device Version Version of ASA 9.6(2)

Source Config Counts The total number of lines in the source 504
configuration

Firewall Mode The firewall mode configured on ASA - routed ROUTED

or transparent

Context Mode The context mode of ASA. This can be single SINGLE
or multi-context.

ASA Config Statistics:

ACL Counts The number of ACLs which are attached to 46

access group

Access Rules Counts The total number of access rules 46

NAT Rule Counts The total number of NAT rules 17

Network Object Counts The number of network objects configured in 34

ASA

Network Object Group Counts The number of network object groups in ASA 6

Port Object Counts The number of port objects 85

Port Object Group Counts The number of port object groups 37

Unsupported Access Rules Count The total number of unsupported access rules 3

Unsupported NAT Rule Count The total number of unsupported NAT access 0
rules

FQDN Based Access Rule Counts The number of FQDN -based access rules 7

Time range Based Access Rule The number of time range based access rules 1
Counts

SGT Based Access Rule Counts The number of SGT-based access rules 0

Summary of Config lines that Tool is not able to parse

Unparsed Config Count The number of config lines that are 68

unrecognized by the parser

Total Unparsed Access Rule Counts The total number of unparsed access rules 3

More ASA config details...

Is RA VPN Configured Whether RA VPN is configured on ASA false

Is S2S VPN Configured Whether Site-to-Site VPN is configured on false

ASA

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
54
Cisco Success Network-Telemetry Data
Cisco Success Network-Telemetry Data

Data Point Description Example Value

Is BGP Configured Whether BGP is configured on ASA false

Is OSPF Configured Whether OSPF is configured on ASA false

Local Users Counts The number of local users configured 0

Table 3: Target Management Device (Firepower Management Center) Information

Data Point Description Example Value

Target Management Version The target version of Firepower Management 6.2.3.3 (build 76)
Center

Target Management Type The type of target management device, namely, FMC
Firepower Management Center(FMC)

Target Device Version The version of target device 75

Target Device Model The model of target device Cisco Firepower Threat
Defense for VMware

Migration Tool Version The version of the migration too1 1.1.0.1912

Table 4: Migration Summary

Data Point Description Example

Value
Access Control Policy

Name The name of access control policy Doesn't Exist

Access Rule Counts The total number of migrated ACL rules 0

Partially Migrated ACL Rule Counts The total number of partially migrated ACL rules 3

Expanded ACP Rule Counts The number of expanded ACP rules 0

NAT Policy

Name The name of NAT policy Doesn't Exist

NAT Rule Counts The total number of migrated NAT rules 0

Partially Migrated NAT Rule Counts The total number of partially migrated NAT rules 0

More migration details...

Interface Counts The number of updated interfaces 0

Sub Interface Counts The number of updated subinterfaces 0

Static Routes Counts The number of static routes 0

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
55
 Cisco Success Network-Telemetry Data
Cisco Success Network-Telemetry Data

Data Point Description Example

Value
Objects Counts The number of objects created 34

Object Group Counts The number of object groups created 6

Interface Group Counts The number of interface groups created 0

Security Zone Counts The number of security zones created 3

Network Object Reused Counts The number of objects reused 21

Network Object Rename Counts The number of objects that are renamed 1

Port Object Reused Counts The number of port objects that are reused 0

Port Object Rename Counts The number of port objects that are renamed 0

Table 5: Firepower Migration Tool Performance Data

Data Point Description Example

Value
Conversion Time The time taken to parse ASA configuration lines (in minutes) 14

Migration Time The total time taken for end-to-end migration (in minutes) 592

Config Push Time The time taken to push the final configuration (in minutes) 7

Migration Status The status of the migration of ASA configuration to Firepower SUCCESS
Management Center

Error Message The error message as displayed by the Firepower Migration Tool null

Error Description The description about the stage when the error has occurred and the null
possible root cause

Telemetry ASA Example File

The following is an example of a telemetry data file on the migration of ASA configuration to Firepower
Threat Defense:
{
"metadata": {
"contentType": "application/json",
"topic": "migrationtool.telemetry"
},
"payload": {
"asa_config_stats": {
"access_rules_counts": 46,
"acl_counts": 46,
"fqdn_based_access_rule_counts": 7,
"is_bgp_configured": false,
"is_eigrp_configured": false,
"is_multicast_configured": false,
"is_ospf_configured": false,

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
56
Cisco Success Network-Telemetry Data
Cisco Success Network-Telemetry Data

"is_pbr_configured": false,
"is_ra_vpn_configured": false,
"is_s2s_vpn_configured": false,
"is_snmp_configured": false,
"local_users_counts": 0,
"nat_rule_counts": 17,
"network_object_counts": 34,
"network_object_group_counts": 6,
"port_object_counts": 85,
"port_object_group_counts": 37,
"sgt_based_access_rules_count": 0,
"timerange_based_access_rule_counts": 1,
"total_unparsed_access_rule_counts": 3,
"unparsed_config_count": 68,
"unsupported_access_rules_count": 3,
"unsupported_nat_rule_count": 0
},
"context_mode": "SINGLE",
"error_description": null,
"error_message": null,
"firewall_mode": "ROUTED",
"migration_status": "SUCCESS",
"migration_summary": {
"access_control_policy": [
[
{
"access_rule_counts": 0,
"expanded_acp_rule_counts": 0,
"name": "Doesn't Exist",
"partially_migrated_acl_rule_counts": 3
}
]
],
"interface_counts": 0,
"interface_group_counts": 0,
"nat_Policy": [
[
{
"NAT_rule_counts": 0,
"name": "Doesn't Exist",
"partially_migrated_nat_rule_counts": 0
}
]
],
"network_object_rename_counts": 1,
"network_object_reused_counts": 21,
"object_group_counts": 6,
"objects_counts": 34,
"port_object_rename_counts": 0,
"port_object_reused_counts": 0,
"security_zone_counts": 3,
"static_routes_counts": 0,
"sub_interface_counts": 0
},
"migration_tool_version": "1.1.0.1912",
"source_config_counts": 504,
"source_device_model_number": " ASA5585-SSP-10, 5969 MB RAM, CPU Xeon 5500 series
2000 MHz, 1 CPU (4 cores)",
"source_device_serial_number": "JAF1528ACAD",
"source_device_version": "9.6(2)",
"source_type": "ASA",
"system_information": {
"browser": "Chrome/69.0.3497.100",
"operating_system": "Windows NT 10.0; Win64; x64"

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
57
 Cisco Success Network-Telemetry Data
Cisco Success Network-Telemetry Data

},
"target_device_model": "Cisco Firepower Threat Defense for VMWare",
"target_device_version": "75",
"target_management_type": "FMC",
"target_management_version": "6.2.3.3 (build 76)",
"time": "2018-09-28 18:17:56",
"tool_performance": {
"config_push_time": 7,
"conversion_time": 14,
"migration_time": 592
}
},
"version": "1.0"
}

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
58
 APPENDIX B
Migrating ASA to Firepower Threat Defense 2100
- An Example
• Migrating ASA to Firepower Threat Defense 2100 - An Example, on page 59

Migrating ASA to Firepower Threat Defense 2100 - An Example

Note Create a test plan that you can run on the target device after you complete the migration.

• Perform the Following Tasks Before the Maintenance Window, on page 59

• Perform the Following Tasks During the Maintenance Window, on page 60

Perform the Following Tasks Before the Maintenance Window

Before you begin
Make sure you have installed and deployed a Firepower Management Center. For more information, see the
appropriate Firepower Management Center Hardware Installation Guide and the appropriate Firepower
Management Center Getting Started Guide.

Procedure

Step 1 Use the show running-config command for the ASA device or context that you are migrating and save a
copy of the ASA configuration. See View the Running Configuration.
Alternately, use Adaptive Security Device Manager (ASDM) for the ASA device or context that you want to
migrate and choose File > Show Running Configuration in New Window to obtain the configuration file.
Note For a multi context ASA, you can use the show tech-support command to obtain the configuration
for all the contexts in a single file.

Step 2 Review the ASA configuration file.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
59
 Migrating ASA to Firepower Threat Defense 2100 - An Example
Perform the Following Tasks During the Maintenance Window

Step 3 Deploy the Firepower 2100 series device in your network, connect the interfaces and power on the appliance.
For more information, see Cisco Firepower Threat Defense for the Firepower 2100 Series Using Firepower
Management Center Quick Start Guide.

Step 4 Register the Firepower 2100 series device to be managed by the Firepower Management Center.
For more information, see Add Devices to the Firepower Management Center.

Step 5 (Optional) If your source ASA configuration has port channels, create port channels (EtherChannels) on the
target Firepower 2100 series device.
For more information, see Configure EtherChannels and Redundant Interfaces.

Step 6 Download and run the most recent version of the Firepower Migration Tool from https://software.cisco.com/
download/home/286306503/type.
For more information, see Download the Firepower Migration Tool from Cisco.com, on page 23.

Step 7 When you launch the Firepower Migration Tool, and specify destination parameters, make sure that you select
the Firepower 2100 series device that you registered to the Firepower Management Center.
For more information, see Specify Destination Parameters for the Firepower Migration Tool, on page 29.

Step 8 Map the ASA interfaces with the FTD interfaces.

Note The Firepower Migration Tool allows you to map an ASA interface type to an FTD interface type.
For example, you can map a port channel in ASA to a physical interface in FTD.
For more information, see Map ASA Configurations with Firepower Threat Defense Interfaces.

Step 9 While mapping logical interfaces to security zones, click Auto-Create to allow the Firepower Migration Tool
to create new security zones. To use existing security zones, manually map the ASA logical interfaces to the
security zones.
For more information, see Map ASA Interfaces to Security Zones and Interface Groups.

Step 10 Follow the instructions of this guide to sequentially review and validate the configuration to be migrated, and
then push the configuration to the Firepower Management Center.
Step 11 Review the Post Migration report, manually setup and deploy other configurations to the FTD and complete
the migration.
For more information, see Review the Post-Migration Report and Complete the Migration, on page 41.

Step 12 Test the Firepower 2100 series device using the test plan that you would have created while planning for
migration.

Perform the Following Tasks During the Maintenance Window

Before you begin
Make sure you have completed all the tasks that must be performed before the maintenance window. See
Perform the Following Tasks Before the Maintenance Window, on page 59.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
60
Migrating ASA to Firepower Threat Defense 2100 - An Example
Migrating ASA to Firepower Threat Defense 2100 - An Example

Procedure

Step 1 Connect to the ASA through the SSH console and switch to the interface configuration mode.
For more information, see Accessing the Appliance Command-Line Interface.

Step 2 Shutdown the ASA interfaces using the shutdown command.

Step 3 (Optional) Access the Firepower Management Center and configure dynamic routing for the Firepower 2100
series device.
For more information, see Dynamic Routing.

Step 4 Clear the Address Resolution Protocol (ARP) cache on the surrounding switching infrastructure.
Step 5 Perform basic ping tests from surrounding switching infrastructure to the Firepower 2100 series device interface
IP addresses, to make sure that they are accessible.
Step 6 Perform basic ping tests from devices which require layer 3 routing to Firepower 2100 series device interface
IP addresses.
Step 7 If you are assigning a new IP address to the Firepower 2100 series device and not reusing the IP address
assigned to the ASA device perform the following steps:
a. Update any static routes which refer to the IP address, so that they now point to the Firepower 2100 series
device IP address.
b. If you are using routing protocols, ensure that neighbors see the Firepower 2100 series device IP address
as the next hop for expected destinations.

Step 8 Run a comprehensive test plan and monitor logs within the managing Firepower Management Center for your
Firepower 2100 device.

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
61
 Migrating ASA to Firepower Threat Defense 2100 - An Example
Migrating ASA to Firepower Threat Defense 2100 - An Example

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool
62