Supported Features
Handling Shared Policies and Objects
When the migration process begins, the shared policies and the objects associated with the threat defense devices are imported first, followed by the device configuration.
The following shared policies are imported to CDO after the manager is changed on the threat defense devices:
- Access control
- IPS
- SSL
- Prefilter
- NAT
- QoS
- Identity
- Platform settings
- Flex config
- Network analysis
- DNS
- Malware & file
- Health
- Remote Access VPN
- Site-to-Site VPN
If a policy or object in CDO has the same name as a policy or object imported from the on-prem management center, CDO takes the following actions after the manager change succeeds.

| Policies, Objects | Condition | Action |
|---|---|---|
| Access control, SSL, IPS, Prefilter, NAT, QoS, Identity, Platform settings, Network analysis, DNS, Malware & File policies | Name of the cloud-delivered Firewall Management Center policy matches the on-prem management center policy. | The cloud-delivered Firewall Management Center policy is used instead of the policy imported from the on-prem management center. |
| RA VPN default group policy DfltGrpPolicy | The default group policy DfltGrpPolicy from the on-prem management center is ignored. | The existing cloud-delivered Firewall Management Center default group policy DfltGrpPolicy is used instead. |
| Network, Port objects | Name and content of network and port objects in the cloud-delivered Firewall Management Center match the ones in the on-prem management center. | The existing cloud-delivered Firewall Management Center network and port objects with the same name and content are used instead of the objects imported from the on-prem management center. If an object has the same name but different content, an object override is created. See Object Overrides. |
| All other objects | | The existing cloud-delivered Firewall Management Center object is used instead of the object imported from the on-prem management center. |
Any Syslog alert object that is associated with the access control policy is imported into CDO.
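The name-collision rules in the table above can be checked before a migration is committed, so that an administrator knows which on-prem policies will be shadowed by cloud copies and which network or port objects will end up as overrides. The following Python script is an added example and is not Cisco code or part of any CDO API: it models policies and objects as simple records, applies the table's rules, and returns a plan grouped by outcome. The `Item` model, the decision labels, the `ra vpn group policy` kind name and the two inventories are all constructed for the example.

```python
"""Pre-migration name-collision check modelled on the CDO conflict table.

Rules applied (from the table): a shared policy with a matching name keeps the
cloud copy; the on-prem DfltGrpPolicy is ignored in favour of the cloud one;
network and port objects matching by name and content are reused, while a name
match with different content yields an object override; any other object with
a matching name keeps the cloud copy. Items with no name match are imported.
"""
from collections import defaultdict
from dataclasses import dataclass

# Policy types from the table whose cloud copy wins on a name match.
SHARED_POLICY_TYPES = {
    "access control", "ssl", "ips", "prefilter", "nat", "qos", "identity",
    "platform settings", "network analysis", "dns", "malware & file",
}
# Object types for which a same-name / different-content match creates an override.
OVERRIDE_OBJECT_TYPES = {"network", "port"}
DEFAULT_GROUP_POLICY = "DfltGrpPolicy"


@dataclass(frozen=True)
class Item:
    kind: str      # policy or object type in lower case, e.g. "access control", "network"
    name: str      # object or policy name as shown in the management center
    content: str   # opaque body; only compared for equality (constructed model)


def classify(item, cloud_index):
    """Return the outcome CDO would apply to one on-prem item."""
    # The on-prem RA VPN default group policy is ignored regardless of content.
    if item.kind == "ra vpn group policy" and item.name == DEFAULT_GROUP_POLICY:
        return "ignore_default_group_policy"
    existing = cloud_index.get((item.kind, item.name))
    if existing is None:
        return "import"                      # no name clash: imported as-is
    if item.kind in SHARED_POLICY_TYPES:
        return "use_cloud_policy"            # cloud policy shadows the on-prem one
    if item.kind in OVERRIDE_OBJECT_TYPES:
        if existing.content == item.content:
            return "reuse_object"            # same name and content: reuse cloud object
        return "create_override"             # same name, different content
    return "use_cloud_object"                # all other objects: cloud copy wins


def plan_migration(cloud, onprem):
    """Group every on-prem item under the outcome the table assigns to it."""
    cloud_index = {(i.kind, i.name): i for i in cloud}
    plan = defaultdict(list)
    for item in onprem:
        plan[classify(item, cloud_index)].append(f"{item.kind}:{item.name}")
    return dict(plan)


# Constructed sample inventories (not real configurations).
CLOUD = [
    Item("access control", "Branch-ACP", "rules-v2"),
    Item("network", "Corp-LAN", "10.0.0.0/8"),
    Item("port", "HTTPS", "tcp/443"),
    Item("url", "Blocked-Sites", "list-a"),
    Item("ra vpn group policy", DEFAULT_GROUP_POLICY, "cloud-defaults"),
]
ONPREM = [
    Item("access control", "Branch-ACP", "rules-v1"),   # shadowed by cloud policy
    Item("access control", "DC-ACP", "rules-v1"),       # no clash: imported
    Item("network", "Corp-LAN", "10.0.0.0/8"),          # identical: reused
    Item("network", "DMZ", "192.0.2.0/24"),             # no clash: imported
    Item("port", "HTTPS", "tcp/8443"),                  # same name, new content: override
    Item("url", "Blocked-Sites", "list-b"),             # other object type: cloud copy wins
    Item("ra vpn group policy", DEFAULT_GROUP_POLICY, "onprem-defaults"),
]

if __name__ == "__main__":
    for outcome, names in sorted(plan_migration(CLOUD, ONPREM).items()):
        print(f"{outcome}: {', '.join(names)}")
```

Running the script prints one line per outcome; the `create_override` and `use_cloud_policy` lines are the ones worth reviewing before committing, since they are where the on-prem and cloud configurations diverge.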
Migration Support for Threat Defense in a High-Availability Pair
You can migrate a device in a high-availability pair to the cloud-delivered Firewall Management Center. The management of both the active and the standby device shifts to the cloud-delivered Firewall Management Center.

Important: We strongly recommend committing the manager changes before performing any advanced operations, such as creating or breaking high-availability configurations from the management center, on the devices that are being migrated. Performing such tasks during the evaluation period is not supported and may result in a migration commit failure.
Migration Support for Management Center in a High Availability Pair
You can migrate threat defense devices managed by an on-prem management center high-availability pair to the cloud.
The on-prem management center can be onboarded using the auto-onboarding method or the credentials method. Always onboard the active management center, never the standby.

Note: If you have already onboarded a standalone management center and later configured it as a standby, delete the standby management center and onboard the active one.
Points to remember:

- Auto-onboarding On-Prem Management Center Method
  - High availability break is not supported during the 14-day evaluation period. You can break high availability after committing the changes manually, or automatically after the evaluation period.
  - High availability switchover is supported during the 14-day evaluation period.
- Onboarding On-Prem Management Center Method Using SDC
  - High availability break and high availability switchover are not supported during the 14-day evaluation period. You can perform these operations after committing the changes manually, or automatically after the evaluation period.
  - After a switchover, onboard the new active unit, which was previously in standby mode, and then start a migration job on the devices.
Migration Support for Threat Defense Cluster
Migration of a threat defense cluster from the on-prem management center to the cloud-delivered Firewall Management Center is supported as long as the minimum supported threat defense and on-prem management center versions for the platform are met.

| Secure Firewall Threat Defense Platforms | Minimum Secure Firewall Threat Defense Version for Cluster Migration | Minimum On-Prem Management Center Version for Cluster Migration |
|---|---|---|
| VMware, KVM | 7.2.1 | 7.4.1 |
| AWS, GCP | 7.2.1 | 7.4.1 |
| Azure | 7.3 | 7.4.1 |
| Secure Firewall 3100 | 7.2.1 | 7.4.1 |
| Firepower 4100 | 7.0.6 | 7.4.1 |
| Secure Firewall 4200 | 7.4 | 7.4.1 |
| Firepower 9300 | 7.0.6 | 7.4.1 |

Important: Before migrating the threat defense cluster, keep the following points in mind: