Unsupported Features

Migration of a Firewall Threat Defense device that is registered with the Firewall Management Center for analytics only is not currently supported.

The following configurations are not imported from the Firewall Management Center to Security Cloud Control as part of the migration:

  • Custom Widgets, Application Detectors, Correlation, SNMP and Email Alerts, Scanners, Groups, Dynamic Access Policy, Custom AMP Configuration, Users, Domains, Scheduled Deployment Tasks, ISE configuration, Scheduled GeoDB Updates, Threat Intelligence Director configuration, Dynamic Analysis Connections.

  • The ISE internal certificate object is not imported as part of the migration. You must export a new system certificate, or a certificate and its associated private key, from ISE and import it into Security Cloud Control.

Encrypted Visibility Engine exception rules are not migrated from an On-Premises Firewall Management Center running Version 7.6 or 7.7

When migrating a Firewall Threat Defense device that is managed by an On-Premises Firewall Management Center running Version 7.6 or 7.7 to Cloud-Delivered Firewall Management Center, the Encrypted Visibility Engine (EVE) exception rules configured on the On-Premises Firewall Management Center are not migrated. This results in the loss of those exception rules.

The Cisco support team will reach out to assist you in re-creating the EVE exception rules.

Alternatively, you can re-create them yourself after the migration:

  1. Identify the exception rules in the On-Premises Firewall Management Center: Access your On-Premises Firewall Management Center and identify all the EVE exception rules that were configured in the Exception list. For details, refer to the "Encrypted Visibility Engine" chapter in the Cisco Secure Firewall Management Center Device Configuration Guide, 7.7/7.6.

  2. Reconfigure the rules in Cloud-Delivered Firewall Management Center: In Cloud-Delivered Firewall Management Center, navigate to Manage > Objects > EVE Exception List. Manually reconfigure the identified EVE exception rules in the global EVE exception list object. For details, refer to the "Encrypted Visibility Engine Exception List" topic in the "Object Management" chapter of the Cloud-Delivered Firewall Management Center guide.

Secure Firewall Recommended Rules

Migrating a Firewall Threat Defense device to the cloud migrates the rule recommendations that are already associated with any of its intrusion policies. However, after the migration, the Cloud-Delivered Firewall Management Center does not allow you to generate new rule recommendations or to auto-update the recommendations that were migrated. This is because the Cloud-Delivered Firewall Management Center does not support rule recommendations. See Auto Cisco Recommended Rules.

Custom Network Analysis

If the device is associated with a custom network analysis policy (NAP), you must remove all references to this policy from the on-premises management center before migration.

  1. Log on to the on-premises management center.

  2. Choose Policies > Access Control.

  3. Click the edit icon for the access control policy from which you want to disassociate the custom NAP, and then click the Advanced tab.

  4. In the Network Analysis and Intrusion Policies area, click the edit icon.

  5. In the Default Network Analysis Policy list, select a system-provided policy.

  6. Click OK.

  7. Click Save to save the changes, and then click Deploy to push the changes to the device.

After migration, you can manually re-create the custom Network Analysis Policy in Security Cloud Control.