
Seamless Transition: Mastering Migration to Cisco Secure Firewall

Firewall migration is often seen as a complex task that requires downtime and other operational disruptions. At Cisco Live APJC, Principal Engineer Raghu Kulkarni, an almost 15-year Cisco veteran, aims to shift this perspective. Kulkarni demonstrates that transitioning to Cisco Secure Firewall is a straightforward and manageable process when specific activities are addressed proactively. In the session, Kulkarni explains the three stages of firewall migration, illustrating that not all migration activities need to be performed during downtime, which is what most customers fear. In fact, Kulkarni details that around 95% of the process can be staged before the actual migration occurs.

Before diving into the migration process, let’s take a look at three valuable questions that Kulkarni answers during this session:

  • What are the tools available for migration? How does Cisco’s Firewall Migration Tool (FMT) specifically ease the migration process?
  • What are the pre-checks that can be performed before migration occurs?
  • If you have existing Firepower devices that have reached end of life, and they are managed through the Firepower Management Center (FMC), how can their configurations be migrated to newer hardware?

Getting started with the migration process

In order to ensure a seamless transition, there are two tasks that should be completed even before the pre-migration phase. Firstly, it is crucial to identify the stakeholders who will be impacted by the migration or who need to validate the new firewall environment, such as application owners and testing teams. Overlooking specific application testing needs may lead to complications after migration.

Secondly, Kulkarni discusses the importance of staging the environment for readiness. This process involves setting up all the necessary components before the migration process begins. Key elements include:

  • Provisioning the FMC, whether on-prem or virtual
  • Preparing the new Firepower Threat Defense (FTD) hardware
  • Ensuring the FMT is downloaded, installed, and compatible

Key considerations for pre-migration activities

As Kulkarni mentions in his introduction, the pre-migration phase is where most of the work happens, significantly reducing cutover downtime. Cisco’s FMT guides users through configuration extraction, enabling selective migration of features like access control lists, network objects, routes, and interfaces. Most importantly, the tool offers optimization capabilities to identify and resolve issues with unreferenced objects or redundant security rules, preventing a bloated configuration.

The full process conducted by the FMT is as follows:

  • Extract Configuration Information
  • Select Target(s)
  • Map FTD Interface
  • Map Security Zones
  • Application Mapping
  • Optimize, Review & Validate
  • Complete Migration

Moreover, in terms of pre-cutover validation, the FMC’s Packet Tracer allows for replaying packet captures to simulate application behavior, while Security Cloud Control offers best practice recommendations. Together, these features and activities give users confidence that their migration is proceeding as expected. Kulkarni consistently stresses that these features reduce complexity and limit cutover downtime.

After completion of the pre-migration process, the FMT provides a comprehensive pre-migration report with key insights into two areas: configuration lines that produced errors, and elements that were ignored or are unreferenced. These findings are critical for understanding and resolving issues before deployment, and for highlighting configurations that were not migrated because they are irrelevant or unsupported.
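The kind of check that produces such a report, as an added example that is not Cisco’s or the FMT’s own code: a small Python script that scans a constructed ASA-style configuration for unreferenced network objects, duplicated access-list entries, and lines it cannot parse (the same categories the report covers). The configuration snippet and the ASA syntax subset it handles (only `object` and `access-list` lines) are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample ASA-style configuration (not taken from any real device).
SAMPLE_CONFIG = """
object network WEB_SRV
 host 10.1.1.10
object network DB_SRV
 host 10.1.1.20
object network OLD_SRV
 host 10.1.1.99
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended permit tcp object WEB_SRV object DB_SRV eq 1433
access-list OUTSIDE_IN extended deny ip any any
bogus-command foo
"""

OBJECT_RE = re.compile(r"^object (?:network|service) (\S+)")   # object definitions
ACL_RE = re.compile(r"^access-list \S+ ")                      # access-list entries
# Line shapes this toy model understands; indented sub-lines belong to an object.
KNOWN_PREFIXES = ("object ", " ", "access-list ", "!")


def analyze(config: str) -> dict:
    """Return unreferenced objects, duplicated rules and unparsed lines."""
    objects, rules, unknown = set(), [], []
    for line in config.splitlines():
        if not line.strip():
            continue
        m = OBJECT_RE.match(line)
        if m:
            objects.add(m.group(1))
            continue
        if ACL_RE.match(line):
            rules.append(line.strip())
            continue
        if not line.startswith(KNOWN_PREFIXES):
            unknown.append(line.strip())   # would be an "error" line in a report
    # An object is referenced if any rule names it with the "object NAME" keyword.
    referenced = {tok for r in rules for tok in re.findall(r"object (\S+)", r)}
    counts = Counter(rules)
    return {
        "unreferenced_objects": sorted(objects - referenced),
        "redundant_rules": sorted(r for r, n in counts.items() if n > 1),
        "unparsed_lines": unknown,
    }


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_CONFIG).items():
        print(category, items)
```

Objects referenced only through object-groups are not modelled here and would be reported as unreferenced; extend the reference scan before relying on the result.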

Post-migration process and migration completion

Once the comprehensive pre-migration work is complete, the FMT initiates the configuration push to the FMC. This is the first time the FMT actively communicates with the FMC to deploy the optimized configuration. Upon completion, the FMT generates a post-migration report summarizing the configurations that were successfully migrated, the configurations that could not be migrated, and any elements that were manually deselected from migration.

This summary is invaluable for comparing with the pre-migration report, highlighting differences and validating the migration’s success. More details on the configuration push and the post-migration process can be found here.

Learn more by watching the full session

Kulkarni demonstrates that the transition to Cisco Secure Firewall can be simple when considering critical activities, using Cisco’s migration tools, and ensuring validation and optimization at every step. Firewall migration does not have to be a complex and daunting task, and Cisco strives to confirm this notion.

If you want to learn more about Cisco Secure Firewall, or watch Raghu Kulkarni’s full session, follow the links below.


Cisco Secure Firewall | Firewall Migration Tool | AIOps for Cisco Secure Firewall


Authors

Adam Garfinkel

Marketing Specialist

Lifecycle Marketing