Firepower Migration Tool Release Notes

First Published: 2020-05-18 Last Modified: 2020-08-20

Welcome to Firepower Migration Tool

This document provides critical and release-specific information for the Cisco Firepower Migration Tool. Even if you are familiar with Firepower releases and have previous experience with the migration process, make sure that you thoroughly read and understand this document.

New Features in This Release

In this release, the following features have been added:

Table 1: New Features in This Release

Firewall: ASA Firewall

New Features:
• The Firepower Migration Tool allows you to migrate the following ASA configuration elements to Firepower Threat Defense:
  • IP SLA Monitor—The Firepower Migration Tool creates IP SLA objects, maps the objects to the specific static routes, and migrates the objects to FMC. Verify the IP SLA Monitor objects against the rules on the Review and Validate Configuration page.
  • Object Group Search—The new Object Group Search functionality in the Firepower Migration Tool lets you reduce the memory that the access policy consumes on FTD.
  • Time-based objects—When the Firepower Migration Tool detects time-based objects that are referenced by access rules, it migrates the time-based objects and maps them to the respective access rules. Verify the objects against the rules on the Review and Validate Configuration page.

Note Time-based objects are supported on FMC version 6.6 and above.

Firepower Migration Tool Release Notes 1 Welcome to Firepower Migration Tool Supported Configurations


Firewall: Check Point Firewall

New Features:
• Provides support for r80 Check Point OS versions.
• Provides support for Live Connect to extract configurations from Check Point (r80) devices.
• You can migrate the following supported Check Point configuration elements to Firepower Threat Defense for r80:
  • Interfaces
  • Static Routes
  • Objects
  • Network Address Translation
  • Access Control Policies
    • Global Policy—When you select this option, the source and destination zones of the ACL policy are migrated as Any, because no route lookup is performed.
    • Zone-Based Policy—When you select this option, the source and destination zones are derived from a predictive route lookup, through the routing table, for the source and destination network objects or groups.

Note Route lookup is limited to static routes and dynamic routes (excluding PBR and NAT) only, and depending on the nature of the source and destination network object groups, this operation may result in rule explosion.

Note IPv6 route lookup for zone-based policy is unsupported.

For more information on the history of the Firepower Migration Tool, see:
• History of the ASA Firewall Firepower Migration Tool
• History of the Check Point Firewall Firepower Migration Tool
• History of the PAN Firewall Firepower Migration Tool

Supported Configurations

The following configuration elements are supported for migration for ASA:
• Network objects
• Service objects (which are referred to as port objects in Firepower Threat Defense)
• Access lists
• NAT rules
• Interfaces (Exceptions: Redundant, Routed Mode-BVI, VTI (Tunnel Interface))

Note If your source ASA has Port Channel interfaces, you must create the Port Channel interfaces on the Firepower Management Center; subinterfaces are created automatically.

• Static routes (dynamic routing is not supported)
• Routed and transparent firewall mode
• Name references in network objects and groups, ACLs, and routes
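The support matrix above is the kind of thing worth checking mechanically before a migration run rather than discovering on the Review and Validate page. The following script is an added example, not part of the Firepower Migration Tool or of Cisco's documentation: it scans an ASA running configuration (the output of show run) and reports, by severity, the elements these release notes say are not migrated (Redundant, BVI and Tunnel/VTI interfaces, dynamic routing), the ones that need a precondition on FMC (Port-channel parents, which must be created on FMC first; time-range objects, which need FMC 6.6 or later), and the ones that migrate but should be verified (sla monitor entries, which become IP SLA objects tied to static routes). The sample configuration is constructed for the example, and the regular expressions cover only the command forms shown in it.

```python
"""Pre-migration lint for an ASA "show running-config".

Added example; this script is not part of the Firepower Migration Tool.
It encodes the support matrix stated in these release notes: Redundant,
BVI and VTI (Tunnel) interfaces are not migrated, dynamic routing is not
migrated, Port-channel interfaces must exist on FMC before the push
(subinterfaces are created automatically), time-range objects need FMC 6.6
or later, and "sla monitor" entries are migrated as IP SLA objects that
must be verified against their static routes. The sample configuration
below is constructed for this example.
"""
import re
from dataclasses import dataclass, field

UNSUPPORTED_IFACE = re.compile(r"^interface\s+(Redundant|BVI|Tunnel)\d", re.I)
PORT_CHANNEL = re.compile(r"^interface\s+Port-channel(\d+)(?:\.(\d+))?\s*$", re.I)
DYNAMIC_ROUTING = re.compile(r"^router\s+(ospf|eigrp|bgp|rip)\b", re.I)
TIME_RANGE = re.compile(r"^time-range\s+(\S+)", re.I)
SLA_MONITOR = re.compile(r"^sla\s+monitor\s+(\d+)", re.I)
ACL_WITH_TIME = re.compile(r"^access-list\s+\S+.*\btime-range\s+(\S+)", re.I)


@dataclass
class LintResult:
    blockers: list[str] = field(default_factory=list)  # not migrated: fix or accept the loss
    warnings: list[str] = field(default_factory=list)  # migrated only if a precondition is met
    info: list[str] = field(default_factory=list)      # migrated: verify on the Review and Validate page


def lint_asa_config(config: str) -> LintResult:
    """Scan one ASA running-config and classify findings by severity."""
    result = LintResult()
    port_channels: set[int] = set()
    time_ranges: set[str] = set()
    referenced: set[str] = set()

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := UNSUPPORTED_IFACE.match(line):
            result.blockers.append(f"{line}: {m.group(1)} interfaces are not migrated")
        elif m := PORT_CHANNEL.match(line):
            if m.group(2) is None:  # parent Port-channel, not a subinterface
                port_channels.add(int(m.group(1)))
        elif m := DYNAMIC_ROUTING.match(line):
            result.blockers.append(f"{line}: {m.group(1).upper()} is not migrated; only static routes are")
        elif m := TIME_RANGE.match(line):
            time_ranges.add(m.group(1))
        elif m := SLA_MONITOR.match(line):
            result.info.append(f"sla monitor {m.group(1)}: migrated as an IP SLA object; verify the tracked static route")
        elif m := ACL_WITH_TIME.match(line):
            referenced.add(m.group(1))

    for pc in sorted(port_channels):
        result.warnings.append(f"Port-channel{pc}: create this Port Channel on FMC before pushing; subinterfaces are created automatically")
    for tr in sorted(time_ranges):
        usage = "referenced by an access-list" if tr in referenced else "not referenced by any access-list"
        result.warnings.append(f"time-range {tr} ({usage}): requires FMC 6.6 or later")
    return result


# Constructed sample; not taken from a real device.
SAMPLE_SHOW_RUN = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
interface Tunnel1
 nameif vti
interface Port-channel1
 lacp max-bundle 8
interface Port-channel1.10
 vlan 10
 nameif dmz
router ospf 1
 network 10.0.0.0 255.0.0.0 area 0
time-range WORKHOURS
 periodic weekdays 08:00 to 18:00
access-list OUT extended permit tcp any any eq 443 time-range WORKHOURS
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
"""

if __name__ == "__main__":
    report = lint_asa_config(SAMPLE_SHOW_RUN)
    for level in ("blockers", "warnings", "info"):
        for finding in getattr(report, level):
            print(f"[{level.upper()}] {finding}")
```

Run it against a saved show run before starting the tool; anything under blockers will be silently absent from the migrated policy, so either rebuild it on FMC by hand or decide explicitly that it can be dropped.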

The following configuration elements are supported for Check Point firewall migration:
• Interfaces (physical, VLAN, and bond interfaces)
• Network objects and groups
• Service objects
• Network Address Translation (except Auto NAT rules that hide behind the gateway, Manual NAT rules that reference the Check Point Security Gateway, and IPv6 NAT rules)
• IPv6 conversion for interfaces, static routes, objects, and ACLs (zone-based ACL conversion for IPv6 is not supported); IPv6 NAT is not supported
• Access rules that are applied globally, with support for converting global ACLs to zone-based ACLs
• Static routes, except those configured with a priority value other than 1, with scope local, or with logical interfaces
• ACLs with the additional logging type

The following configuration elements are supported for migration for PAN firewall:
• Network objects and groups
• Zones (Layer 2, Layer 3, Virtual Wire)
• Service objects
• Service object groups, except for nested service object groups

Note Because nesting is not supported on the Firepower Management Center, the Firepower Migration Tool expands the nested group content into the rules that reference it. The rules, however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups
• IPv6 conversion support (Interface, Static Routes, Objects, ACL)
• Access rules
• NAT rules

Note All policies with service set to "application-default" are migrated with service "any", because FTD has no equivalent feature. Such rules match more traffic after migration than before (every port rather than the application's default ports), so review them before pushing. Translated source and original destination have no pre-defined "any" object on FMC; an object with 0.0.0.0/0 named Obj_0.0.0.0 is therefore created and pushed.

• Physical interfaces
• Subinterfaces (the subinterface ID is always set to the same number as the VLAN ID on migration)
• Aggregate interfaces (port channels)
• Static routes, except routes configured with Next Hop set to Next VR and ECMP routes, which are not migrated

Note If the source firewall (PAN) has connected routes that are configured as static routes, the push fails, because FMC does not allow you to create static routes for connected routes. Remove any such route and proceed with the migration.
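The "application-default" note above describes a silent policy widening: a rule that allowed web-browsing only on its default ports becomes, on FTD, a rule that allows that application on any port. The following script is an added example, not part of the Firepower Migration Tool: it walks a PAN-OS XML configuration and lists every security rule whose service is application-default, together with its action and applications, so the affected rules can be reviewed before or after the push. It assumes the standard PAN-OS running-config layout (devices/entry/vsys/entry/rulebase/security/rules/entry) and a gateway configuration into which any Panorama rulebase has already been merged, as the workflow section requires; the sample XML is constructed for the example.

```python
"""List PAN-OS security rules whose service is "application-default".

Added example; not part of the Firepower Migration Tool. The release notes
state that such rules are migrated with service "any" because FTD has no
equivalent, so the rule matches every port rather than the application's
default ports. This script pulls those rules out of a PAN-OS XML
configuration so they can be reviewed. The element path
(devices/entry/vsys/entry/rulebase/security/rules/entry) is the one used
in a PAN-OS running configuration; the sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration; not exported from a real firewall.
SAMPLE_PANOS_XML = """\
<config version="9.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security>
              <rules>
                <entry name="allow-web">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <application><member>web-browsing</member><member>ssl</member></application>
                  <service><member>application-default</member></service>
                  <action>allow</action>
                </entry>
                <entry name="allow-dns">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <application><member>dns</member></application>
                  <service><member>service-dns</member></service>
                  <action>allow</action>
                </entry>
                <entry name="deny-all">
                  <from><member>any</member></from>
                  <to><member>any</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>deny</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def rules_widened_by_migration(xml_text: str) -> list[dict]:
    """Return every security rule that relies on "application-default".

    Each finding carries the rule's action and application list: an allow
    rule that becomes service "any" on FTD permits its applications on any
    port, which is the case most worth a second look.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for rule in vsys.iterfind("./rulebase/security/rules/entry"):
            services = [m.text for m in rule.iterfind("./service/member")]
            if "application-default" not in services:
                continue
            findings.append({
                "vsys": vsys.get("name"),
                "rule": rule.get("name"),
                "action": rule.findtext("action"),
                "applications": [m.text for m in rule.iterfind("./application/member")],
            })
    return findings


if __name__ == "__main__":
    for f in rules_widened_by_migration(SAMPLE_PANOS_XML):
        print(f"{f['vsys']}/{f['rule']} ({f['action']}): {', '.join(f['applications'])} "
              "will match on any port after migration")
```

For each rule the script reports, decide whether the migrated FTD rule should be tightened with explicit port objects to restore the original scope, or whether matching on any port is acceptable for that application.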

Supported Software Versions for Migration

The following are the supported ASA, Check Point, PAN, and Firepower Threat Defense versions for migration:

Supported ASA Versions

The Firepower Migration Tool supports migration from a device that is running ASA software version 8.4 and later.

Supported Check Point Versions

The Firepower Migration Tool supports migration from a Check Point device that is running Check Point OS version r75 through r77.30 or r80 through r80.40. Select the appropriate Check Point version on the Select Source page.

Note VSX is not supported.

The Firepower Migration Tool supports migration from the Check Point Platform Gaia.

Supported Palo Alto Networks Firewall Versions

The Firepower Migration Tool supports migration from a Palo Alto Networks firewall that is running PAN-OS version 6.1.x and later.

Supported Firepower Management Center Versions for Source ASA Configuration

For ASA, the Firepower Migration Tool supports migration to a Firepower Threat Defense device managed by a Firepower Management Center that is running version 6.2.3 or later.


Note Some features are supported only in the later versions of FMC and FTD.

Note For optimum migration times, we recommend that you upgrade Firepower Management Center to the suggested release version provided at software.cisco.com/downloads.

Supported Firepower Management Center Versions for Source Check Point Firewall Configuration

For Check Point firewall, the Firepower Migration Tool supports migration to a Firepower Threat Defense device managed by a Firepower Management Center that is running version 6.2.3.3 or later.

Supported Firepower Management Center Versions for Source PAN Firewall Configuration

For PAN firewall, the Firepower Migration Tool supports migration to a Firepower Threat Defense device managed by a Firepower Management Center that is running version 6.2.3.3 or later.

Supported Firepower Threat Defense Versions

The Firepower Migration Tool recommends migration to a device that is running Firepower Threat Defense version 6.2.3 or later. For detailed information about Cisco Firepower software and hardware compatibility, including hosting environment requirements, for Firepower Threat Defense, see the Cisco Firepower Compatibility Guide.

Migration Workflow

Note Beginning with release 2.0, the Firepower Migration Tool supports migrating Check Point configurations (r75–r77.30) to FTD. Beginning with release 2.2, it also supports migrating Check Point configurations (r80–r80.40) to FTD. Keep this in mind as part of the migration workflow.

Note Beginning with release 2.1, the Firepower Migration Tool supports migration of Palo Alto Networks (PAN) firewall configurations to FTD. Keep this in mind as part of the migration workflow.

For ASA

You can obtain ASA configuration items for migration by one of the following methods:
• Manual upload: In single-context mode, use the show run command to obtain the ASA configuration. In multi-context mode, use the show tech command to obtain the ASA configuration.
• Connect to the ASA from the Firepower Migration Tool: On a multi-context ASA, select the context to migrate after connecting to the ASA, and then select a target Firepower Threat Defense device. When you complete migration of the first context, repeat the steps to migrate the other contexts: connect to the ASA, select the context to be migrated, and select a target Firepower Threat Defense device.


For Check Point Firewall r77

You can obtain Check Point configuration items for migration only through the manual upload method. To collect the Check Point configuration through the manual upload method, do the following:
• Export the configuration using the Check Point Web Visualization Tool (WVT): Open a command prompt in the directory where WVT is saved and extracted, and execute the following command to obtain the Check Point configuration:

  C:\Web_Visualisation_Tool> cpdb2web.exe [-s management_server] [-u admin_name | -a certificate_file] [-p password] [-o output_file_path] [-t table_names] [-c | -m gateway | -l package_names] [-gr] [-go] [-w Web_Visualization_Tool_installation_directory]

• Export the device configuration using the FMT-CP-Config-Extractor_v2.2.4792 Tool: Open the FMT-CP-Config-Extractor_v2.2.4792 Tool, which is a Windows executable file (.exe), on a workstation that has access to the Check Point Security Gateway. To execute or run the extractor file, see FMT-CP-Config-Extractor_v2.2.4792 Tool.
• Zip the exported files: Select all eight files (seven from the Web Visualization Tool (WVT) and one .TXT file from the FMT-CP-Config-Extractor_v2.2.4792 Tool) and compress them into a zip file.

If you must extract information from a Check Point r77 device using the Firepower Migration Tool, see Export the Check Point Configuration Files for r77.

For Check Point Firewall r80

We recommend that you use Live Connect to extract the Check Point (r80) configuration. For more information, see Export the Check Point Configuration Files for r80.

For Palo Alto Networks Firewall

If your device is managed by Panorama, the configuration must be extracted from the gateway: merge the Panorama configuration with the gateway configuration, and then extract the configuration. For more information, see Export the Configuration from Palo Alto Networks Firewall.

Firepower Migration Tool Features

The Firepower Migration Tool provides the following features:
• Validation throughout the migration, including parse and push operations
• Object re-use capability
• Object conflict resolution
• Interface mapping
• Auto-creation or reuse of interface objects (ASA nameif to security zone and interface group mapping)
• Auto-zone mapping
• Support for creating user-defined security zones and interface groups
• Subinterface limit check for the target Firepower Threat Defense device
• Platforms supported:
  —Virtual ASA to virtual FTD
  —Same-hardware migration (X to X device migration)
  —X to Y device migration (Y having a higher number of interfaces)

Migration Reports

The Firepower Migration Tool provides the following reports in HTML format with details of the migration:
• Pre-Migration Report
• Post-Migration Report

Platform Requirements for the Firepower Migration Tool

The Firepower Migration Tool has the following infrastructure and platform requirements:
• Windows 10 64-bit operating system, or macOS version 10.13 or higher
• Google Chrome as the system default browser
• A single instance of the Firepower Migration Tool per system
• Firepower Management Center and Firepower Threat Defense must be version 6.2.3.3 or later

Note Remove the previous build before downloading the newer version.

Documentation

The following documentation is provided with this release:
• Firepower Migration Tool Release Notes
• Migrating ASA to Firepower Threat Defense with the Firepower Migration Tool
• Migrating Check Point Firewall to Firepower Threat Defense with the Firepower Migration Tool
• Migrating Palo Alto Networks Firewall to Firepower Threat Defense with the Firepower Migration Tool
• Navigating the Cisco Firepower Migration Tool Documentation
• Cisco Firepower Migration Tool Compatibility Guide
• Cisco Firepower Migration Tool Error Messages
• Open Source Used in Cisco Firepower Migration Tool


Open and Resolved Bugs

The open bugs for this release can be accessed through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.

Note You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account on Cisco.com. For more information on Bug Search Tool, see Bug Search Tool Help.

Use these dynamic queries for an up-to-date list of open and resolved caveats in the Firepower Migration Tool:
• Open Caveats
• Closed Caveats

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. All rights reserved.