Prepare for Migration
General Prerequisites
-
See Supported Migration Paths to determine which target model you can migrate to from your source model.
-
Management center model migration supports all management center licensing modes, including evaluation, connected, and Specific License Reservation (SLR).
-
Ensure that the target management center has the same number of interfaces as your source management center.
-
Verify that the target management center version matches the source management center version (including patch, Vulnerability Database [VDB], Lightweight Security Package [LSP], and Snort Rule Update [SRU]). To verify, in each management center choose Help > About.
-
Verify that all the pending deployments are completed successfully.
-
Configure the backup file in the source management center:
-
Choose System > Backup/Restore.
-
Click the Backup Management tab and click Firewall Management Backup.
-
Check the following check boxes:
-
Back Up Configuration
-
Backup Events
-
Backup Threat Intelligence Director
-
Confirm that you have the correct number of threat defense entitlements in Cisco Smart Software Manager (CSSM).
-
If a management center migrates to a higher platform and manages more threat defense devices, you must acquire the required licenses for the additional threat defense devices.
-
If the source management center is Unified Capabilities Approved Products List (UCAPL) compliant or Common Criteria (CC) compliant, after migration, the target management center will also be UCAPL or CC compliant.
-
For management center HA migrations:
-
If the target management centers are in HA, you must pause the synchronization in the target management centers before the migration.
-
Ensure that you meet all the HA requirements. For more information, see:
-
For versions 6.5 to 7.1, see the Requirements for Firepower Management Center High Availability topic in the Firepower Management Center Configuration Guide.
-
For Version 7.2 and later, see the Requirements for Management Center High Availability topic in the Cisco Secure Firewall Management Center Administration Guide.
-
After migration, you must deregister the licenses from the source management center and register the licenses in the target management center.
-
After migration, if you want to manage a different group of threat defense devices in the source management center:
-
Ensure that the source management center cannot reach the stale threat defense devices.
-
Delete the stale devices that are now managed by the target management center.
Note
If the source management center can reach the stale devices, these devices will be deregistered from the target management center.
-
When you migrate a management center virtual (FMCv) to another management center virtual within a public cloud, we recommend the following:
-
Use reserved static public IP addresses instead of default public IP addresses.
-
Use an FQDN/DNS name, because it can be moved across public IP addresses.
-
If you do not want to update the public IP address of the target management center virtual, run the following command in the threat defense device CLI:
configure manager add DONTRESOLVE any_key any_key_for_nat_field_input
Before you run the above command, ensure that the management center virtual can connect to the threat defense device.
-
If you do not perform the above operations, you must update the management center virtual IP address on the threat defense device using the following command in the threat defense device CLI:
configure manager edit fmc_uuid displayname fmc_ipaddress
Prerequisites for Migrating Management Center 1000, 2500, or 4500 to Management Center 1700, 2700, or 4700
-
Ensure that Management Center 1000, 2500, or 4500 and all the corresponding managed threat defense devices are Version 7.0.x.
We recommend that you use Version 7.0.5.
-
Upgrade Management Center 1000, 2500, or 4500 from Version 7.0.x to Version 7.4.0 or 7.4.2. This upgrade is only for migration.
You can download the upgrade package from here: Special Release. Unzip (but do not untar) the upgrade package before uploading it to the on-prem management center.
For more information about the upgrade, see the Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0.
Prerequisites for Migrating Management Center 1600, 2600, or 4600 to Management Center 1700, 2700, or 4700
-
Upgrade Management Center 1600, 2600, or 4600 to 7.4.x. For more information about the upgrade, see Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.
-
Ensure that the source management center manages only threat defense devices with Version 7.0.x.
Prerequisites for Migrating Management Center 4600 to Management Center Virtual 300 (FMCv300) for AWS
-
Note that Management Center Virtual 300 has lower limits than Management Center 4600. We recommend that you refer to the following table before you migrate.
Table 1. Compatibility Check for Migrating Management Center 4600 to Management Center Virtual 300 for AWS

| Performance and Functionality | Management Center 4600 (Current Configuration) | Management Center Virtual 300 (Maximum Limit) |
| --- | --- | --- |
| Overall size (Event Storage Space) | 3.2 TB | 2 TB |
| Total devices | 750 | 300 |
| Maximum IPS events | 300 million | 60 million |
| Memory | 128 GB | 64 GB |
| CPU | Two Intel Xeon 4214 processors | 32 vCPUs |
| Maximum network map size (hosts/users) | 600,000/600,000 | 150,000/150,000 |
| Maximum event rate (events per second) | 20,000 eps | 12,000 eps |

-
Ensure that the source Management Center 4600 and the target Management Center Virtual 300 for AWS are Version 7.4.x.
-
Ensure that Management Center Virtual 300 for AWS has a license.
-
From Version 7.4.x, after migration, you must update the following parameters:
-
IP address of the target management center
-
Manager details in all the managed threat defense devices. For more information, see Update the Management Center IP Address or Hostname on the Threat Defense Device.
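The following pre-migration check is an added example, not Cisco tooling: it compares values you have read manually from Help > About on each management center (version, VDB, LSP, SRU, interface count) and checks the source's current usage against the Management Center Virtual 300 limits in Table 1. The field names, the string formats of the sample values, and the usage figures are assumptions constructed for illustration.

```python
# Added example. Limits are the FMCv300 column of Table 1; inputs are constructed.
FMCV300_LIMITS = {
    "event_storage_tb": 2.0,
    "total_devices": 300,
    "ips_events": 60_000_000,
    "network_map_hosts": 150_000,
    "network_map_users": 150_000,
    "event_rate_eps": 12_000,
}
# Values read manually from Help > About on each management center.
MATCH_FIELDS = ("version", "vdb", "lsp", "sru", "interfaces")


def check_limits(usage, limits=FMCV300_LIMITS):
    """List every metric that is missing or above the FMCv300 maximum."""
    findings = []
    for metric, limit in limits.items():
        value = usage.get(metric)
        if value is None:
            findings.append(f"{metric}: not supplied, cannot verify")
        elif value > limit:
            findings.append(f"{metric}: {value} exceeds limit {limit}")
    return findings


def check_match(source, target):
    """List every field that differs between source and target."""
    findings = []
    for field in MATCH_FIELDS:
        s, t = source.get(field), target.get(field)
        if s is None or t is None:
            findings.append(f"{field}: not supplied, cannot verify")
        elif str(s).strip() != str(t).strip():
            findings.append(f"{field}: source {s!r} != target {t!r}")
    # The 4600 to FMCv300 path requires Version 7.4.x on both sides.
    for name, mc in (("source", source), ("target", target)):
        if not str(mc.get("version", "")).startswith("7.4."):
            findings.append(f"{name}: version is not 7.4.x")
    return findings


# Constructed sample values, not taken from a real deployment.
SOURCE = {"version": "7.4.2", "vdb": "392", "lsp": "20240801-1200",
          "sru": "2024-08-01-001", "interfaces": 4}
TARGET = {"version": "7.4.2", "vdb": "392", "lsp": "20240801-1200",
          "sru": "2024-07-15-001", "interfaces": 4}
USAGE = {"event_storage_tb": 1.4, "total_devices": 420, "ips_events": 45_000_000,
         "network_map_hosts": 120_000, "network_map_users": 160_000,
         "event_rate_eps": 9_000}

if __name__ == "__main__":
    for line in check_match(SOURCE, TARGET) + check_limits(USAGE):
        print("FAIL", line)
```

A metric that is not supplied is reported rather than silently passed, so an incomplete inventory cannot look like a clean result.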
Limitations for Migrating Management Center 1000/2500/4500/1600/2600/4600 to Management Center 1700/2700/4700
-
For the migration, you can upgrade Management Center 1000, 2500, or 4500 only from Version 7.0.x to 7.4.x. Upgrades from 7.0.x to 7.1.x, 7.2.x, or 7.3.x are not available.
-
You cannot use Management Center 1000, 2500, or 4500 with Version 7.4.x to manage threat defense devices. Upgrades from 7.0.x to 7.4.x support only migration to Management Center 1700, 2700, or 4700.
-
You cannot migrate Management Center 1000, 2500, 4500, 1600, 2600, or 4600 that manage the following types of devices:
-
Any threat defense device earlier than Version 7.0.x.
-
NGIPSv or FirePOWER services.