About the Security Cloud Control Migration Process

Security Cloud Control can help you migrate your Adaptive Security Appliance (ASA) to an FDM-managed device. Security Cloud Controlprovides the ASA to FDM Migration wizard to help you migrate your ASA's running configuration to an FDM template.

Note

The show-fdm and enable-asa-to-ftd-migration feature flags must be enabled to view the Migrate to FDM option under Device Actions on the right pane of the Inventory page. Contact TAC to activate the ASA to FDM Migration option if you do not see it.

You can migrate the following elements of ASA's running configuration to an FDM template using the ASA to FDM Migration wizard:

  • Interfaces

  • Routes

  • Access Control Rules (ACLs)

  • Network Address Translation (NAT) rules

  • Network objects and network group objects

    Note
    Security Cloud Control does not support object names with reserved keywords. Rename the object names by adding a suffix "ftdmig" to it.
  • Service objects and service group objects

  • Site-to-Site VPN

Security Cloud Control migrates only referenced objects. Objects in an access control list, which are defined but are not referenced to an access group are not migrated. Some of the common reasons Security Cloud Control fails to migrate certain elements can be one or more of the following:

  • ICMP access lists with no ICMP code

  • TCP/UDP access lists with no access group configuration

  • IP access lists not mapped to site-to-site VPN profiles

  • Any network objects or groups referred to access lists that are not migrated

  • Interfaces referred as shutdown

Note
Any unreferenced object or object-groups in the configuration will also be dropped and marked as unused during the migration. See the Migration Report for information about elements that have not been migrated.

Once these elements of the ASA running configuration have been migrated to the FDM template, you can then apply the FDM template to a new FDM-managed device that is managed by Security Cloud Control. The FDM-managed device adopts the configurations defined in the template, and so, the FDM-managed is now configured with some aspects of the ASA's running configuration.

Other elements of the ASA running configuration are not migrated using this process. Those other elements are represented in the FDM template by empty values. When the template is applied to the FDM-managed device, we apply values we migrated to the new device and ignore the empty values. Whatever other default values the new device has, it retains. Those other elements of the ASA running configuration that we did not migrate, will need to be recreated on the FDM-managed device outside the migration process.