Event and Analytics Management Options During Firewall Threat Defense Migration
Event and analytics management can either be retained in the on-premises Firewall Management Center or transferred to Security Cloud Control Firewall Management, in which case the devices must be configured to send events to Security Cloud Control Firewall Management.
When you initiate the migration process, you choose the manager to which the device events are sent for analytics:
- Retain analytics on the on-premises Firewall Management Center, or
- Transfer analytics to Security Cloud Control Firewall Management.
If you select the on-premises Firewall Management Center for analytics, Security Cloud Control Firewall Management becomes the manager for selected devices but retains a copy of those devices on the on-premises Firewall Management Center in analytics-only mode. The devices continue to send events to the on-premises Firewall Management Center, and Security Cloud Control Firewall Management manages the configuration changes.
If you select Security Cloud Control Firewall Management for analytics, it becomes the manager for the selected devices and deletes these devices from the on-premises Firewall Management Center. Security Cloud Control Firewall Management then manages configuration changes as well as events and analytics. You must configure threat defense devices to send events to the Cisco cloud. You can use either Security Services Exchange or the Secure Event Connector (SEC) to send events from the devices to the Cisco Secure Analytics and Logging (SAL) in the cloud.
If you select the on-premises Firewall Management Center for analytics during the migration process, the on-premises Firewall Management Center provides a 14-day evaluation period to modify the settings and select on-premises Firewall Management Center for analytics. After you commit the threat defense migration or the 14-day evaluation period ends, you cannot change the analytics settings, and events will continue to appear in the on-premises Firewall Management Center. To change these settings after committing the threat defense migration or after the 14-day evaluation period has expired, see Troubleshoot Firewall Threat Defense Migration to Cloud-Delivered Firewall Management Center.
Special requirement for FMC 1000/2500/4500
If you are migrating from an on-premises Firewall Management Center 1000/2500/4500, you cannot retain analytics on the on-premises Firewall Management Center due to limited availability.
In this case, devices must send events to:
- Security Analytics and Logging (On-Prem), or
- Security Analytics and Logging (SaaS).
eStreamer Server Streaming
When you manage a Firewall Threat Defense device with Cloud-Delivered Firewall Management Center, the device supports sending only fully-qualified events (FQE) to eStreamer clients. If you have configured eStreamer clients in the on-premises Firewall Management Center, ensure that the clients support the detailed data formats used by FQE when you migrate the device management to Cloud-Delivered Firewall Management Center. Any legacy clients, security information and event management (SIEM) systems, or log management solutions that do not support the data format of FQE or lack the necessary storage to handle the larger volume of FQE data will not work when you migrate.