Supported Configurations

The migration tool supports the following configurations:

  • Network objects and groups

  • Service objects, except those configured for a source and destination

  • Referenced ACL and NAT rules

  • Service object groups

    Note

    Nested service object group contents are broken down to individual objects before being migrated, because the cloud-delivered management center does not support nesting.

  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion (interface, static routes, objects, ACL, and NAT)

  • Access rules applied to ingress interfaces

  • Global ACLs

  • Auto NAT, manual NAT, and object NAT

  • Static routes, equal-cost multipath (ECMP) routes, and policy-based routing (PBR)

  • Physical interfaces

  • Sub-interfaces

  • Port channels

  • Virtual tunnel interface

  • Bridge groups in transparent mode

  • IP SLA objects - the migration tool creates them, maps them with static routes, and migrates them

  • Time-based objects

  • Site-to-site VPN

    • Site-to-Site VPN—When the Firewall migration tool detects crypto-map configuration in the source ASA, FDM-managed device, Palo Alto Networks firewall, or Fortinet firewall, the Secure Firewall migration tool migrates it as a point-to-point topology to the management center VPN.

    • Crypto-map (static/dynamic)-based VPN from ASA, FDM-managed devices, Palo Alto Networks firewall, and Fortinet firewall

    • Route-based (VTI) ASA and FDM VPN

    • Certificate-based VPN migration from ASA, FDM-managed device, Palo Alto Networks firewall, and Fortinet firewall

      Important

      If you have site-to-site VPN configurations in your source ASA, FDM-managed device, Palo Alto Networks firewall, or Fortinet firewall, ensure that their device trustpoint or certificates are configured manually in the cloud-delivered FMC.

  • Remote-access VPN

    • SSL and IKEv2 protocols

    • Authentication methods—AAA only, client certificate only, SAML, and AAA and client certificate

    • AAA—RADIUS, local, LDAP, and AD

    • Connection profiles, group policy, dynamic access policy, LDAP attribute map, and certificate map

    • Standard and extended ACL

    • Custom attributes and VPN load balancing

    Important

    If you have configured remote-access VPN in your source firewall, ensure the following tasks are performed:

    • Configure the ASA, FDM-managed device, Palo Alto Networks, and Fortinet firewall trustpoints manually on the management center as PKI objects

    • Retrieve AnyConnect packages, Hostscan files (dap.xml, data.xml, hostscan package), external browser package, and AnyConnect profiles from the source ASA and FDM-managed device

    • Upload all AnyConnect packages and profiles to the management center

  • Dynamic route objects, BGP, and EIGRP

    • Policy list

    • Prefix list

    • Community list

    • Autonomous system (AS) path

    • Route map

Note

The migration tool analyzes all objects and object groups based on both their name and configuration, and reuses objects that have the same name and configuration; however, XML profiles in remote access VPN configurations are validated only using their name.

Refer to the Cisco Secure Firewall Migration Tool Compatibility Guide for more information.
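The note on object reuse means an XML profile whose name already exists on the management center is matched by name alone, even if its contents differ. The following pre-migration audit is an added example, not part of the migration tool or of Cisco's documentation; the `(kind, name)` keys, the `xml_profile` kind label, the bucket names, and the sample data are all assumptions constructed for illustration.

```python
import hashlib

def digest(config: str) -> str:
    """Hash a configuration body after trimming whitespace and blank lines."""
    lines = [ln.strip() for ln in config.strip().splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def audit(source: dict, target: dict, name_only_kinds=("xml_profile",)) -> dict:
    """Compare source items with items already on the target.

    Both dicts map (kind, name) -> configuration text (hypothetical layout).
    """
    report = {"reuse": [], "new": [], "name_clash": [], "review": []}
    for key, config in sorted(source.items()):
        kind, _name = key
        if key not in target:
            report["new"].append(key)          # nothing with this name yet
        elif digest(config) == digest(target[key]):
            report["reuse"].append(key)        # same name and configuration
        elif kind in name_only_kinds:
            # Same name, different content: a name-only check cannot see this,
            # so compare the two files by hand before migrating.
            report["review"].append(key)
        else:
            report["name_clash"].append(key)   # same name, different configuration
    return report

# Constructed sample data (documentation address ranges, example.com hosts).
SOURCE = {
    ("network", "DMZ-WEB"): "host 192.0.2.10",
    ("network", "DB-NET"): "subnet 198.51.100.0 255.255.255.0",
    ("service", "HTTPS"): "tcp destination eq 443",
    ("xml_profile", "corp-vpn.xml"): "<HostName>vpn-old.example.com</HostName>",
}
TARGET = {
    ("network", "DMZ-WEB"): "  host 192.0.2.10 ",
    ("network", "DB-NET"): "subnet 198.51.100.0 255.255.254.0",
    ("xml_profile", "corp-vpn.xml"): "<HostName>vpn-new.example.com</HostName>",
}

if __name__ == "__main__":
    for bucket, keys in audit(SOURCE, TARGET).items():
        print(f"{bucket}: {keys}")
```

Entries in the `review` bucket are the ones to inspect manually, since those profiles share a name with an existing profile but carry different content.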