About Migrating Threat Defense to Cloud-delivered Firewall Management Center

Security Cloud Control admin users can migrate threat defense devices to the cloud-delivered Firewall Management Center from on-premises management centers. For supported versions, see Supported On-Premises Firewall Management Center and Threat Defense Software for Migration.

Before initiating the migration process, it is important to upgrade the on-premises management center models to a Security Cloud Control-supported version and onboard it to Security Cloud Control. Only after this step, you can proceed with migrating the devices that are associated with the on-premises management center.

You have a 14-day evaluation period to review and assess the migration changes that are made to the threat defense devices before Security Cloud Control automatically commits them. During this evaluation period, if you are not satisfied with the changes, you can either undo the changes and continue managing the device with the on-premises management center or commit the migration changes. It's important to note that after the evaluation period expires, Security Cloud Control will automatically commit the changes, and it will no longer be possible to undo them.

After migrating the devices, the cloud-delivered Firewall Management Center onboards the threat defense devices and imports all shared policies and associated objects, device-specific policies, and device configuration from the on-premises management center to the cloud-delivered Firewall Management Center. In addition, the devices can be found in Security Cloud Control's Security Devices page.

Note

Cloud-delivered Firewall Management Center handles all duplicate policy and object names that are identified during the on-premises management center migration process. This behavior is explained in detail later in this document.

User Roles

The user roles of the on-premises management center are no longer applicable in Security Cloud Control after migration. Your authorization to perform tasks on the migrated device is based on your user role in Security Cloud Control. See the Users topic to understand the on-premises management center and cloud-delivered Firewall Management Center user role mapping.

Pause Migration to Review Imported Shared Policies

Security Cloud Control provides an option that allows the migration to be paused once the shared access policies, including Access Control and NAT policies, have been prepared within the cloud-delivered Firewall Management Center. This strategic pause prevents the start of the 14-day evaluation period, ensuring the device's current state or the device's manager is affected during the review phase. This window provides an opportunity for a thorough evaluation of the staged configuration.

Upon a satisfactory review of the configuration within the planned migration window, the process can be resumed. Resuming migration will import the device-specific settings, such as routing and interfaces, and will register the threat defenses with the cloud-delivered Firewall Management Center. Note that this action starts the 14-day evaluation period. Post-migration, it is mandatory to execute deployment from the cloud-delivered Firewall Management Center to finalize the migration successfully.