About Migrating Threat Defense to Cloud-delivered Firewall Management Center

CDO admin users can migrate threat defense devices to the cloud-delivered Firewall Management Center from on-prem management centers. For supported versions, see Supported On-Prem Firewall Management Center and Threat Defense Software for Migration.

Before initiating the migration process, it is important to upgrade the on-prem management center models to a CDO-supported version and onboard it to CDO. Only after this step, you can proceed with migrating the devices that are associated with the on-prem management center.

You have a 14-day evaluation period to review and assess the migration changes that are made to the threat defense devices before CDO automatically commits them. During this evaluation period, if you are not satisfied with the changes, you can either undo the changes and continue managing the device with the on-prem management center or commit the migration changes. It's important to note that after the evaluation period expires, CDO will automatically commit the changes, and it will no longer be possible to undo them.

After migrating the devices, the cloud-delivered Firewall Management Center onboards the threat defense devices and imports all shared policies and associated objects, device-specific policies, and device configuration from the on-prem management center to the cloud-delivered Firewall Management Center. In addition, the devices can be found in CDO's Inventory page.

Note

Cloud-delivered Firewall Management Center handles all duplicate policy and object names that are identified during the on-prem management center migration process. This behavior is explained in detail later in this document.

User Roles

The user roles of the on-prem management center are no longer applicable in CDO after migration. Your authorization to perform tasks on the migrated device is based on your user role in CDO. See the Users topic to understand the on-prem management center and cloud-delivered Firewall Management Center user role mapping.

Pause Migration to Review Imported Shared Policies

CDO provides an option that allows the migration to be paused once the shared access policies, including Access Control and NAT policies, have been prepared within the cloud-delivered Firewall Management Center. This strategic pause prevents the start of the 14-day evaluation period, ensuring the device's current state or the device's manager is affected during the review phase. This window provides an opportunity for a thorough evaluation of the staged configuration.

Upon a satisfactory review of the configuration within the planned migration window, the process can be resumed. Resuming migration will import the device-specific settings, such as routing and interfaces, and will register the threat defenses with the cloud-delivered Firewall Management Center. Note that this action starts the 14-day evaluation period. Post-migration, it is mandatory to execute deployment from the cloud-delivered Firewall Management Center to finalize the migration successfully.