Cisco Firepower Threat Defense (FTD) High Availability (HA) configurations provide critical network security redundancy by pairing two FTD devices that work together to ensure continuous protection. In an HA setup, one device operates as the primary unit handling traffic while the secondary unit remains in standby, ready to take over seamlessly if the primary fails. This configuration eliminates single points of failure and maintains uninterrupted network security enforcement.
Organizations frequently need to migrate these HA FTD pairs between Firepower Management Centers (FMCs) for various operational reasons. Common scenarios include consolidating management infrastructure to reduce complexity, upgrading to newer FMC hardware or software platforms, restructuring security architecture across data centers, or replacing aging management systems.
Modern FTD devices support auto-registration, which allows them to automatically connect to designated FMCs using pre-configured parameters. Crucially for HA migrations, this feature enables the migration of HA pairs without breaking the established High Availability relationship. Both devices can be migrated as a functional unit, preserving their synchronized configurations and failover capabilities rather than requiring administrators to dissolve and rebuild the HA pair from scratch.
In this blog post, we'll explain how to migrate an FTD HA pair from one FMC to another using the auto-registration feature.
Version compatibility: Before beginning the migration, confirm that the FTD and FMC software versions are compatible and complete the preparation steps below; these checks are essential to a smooth transition.
Create FMC Backup: Before proceeding with any migration activities, create a complete backup of your current FMC configuration. This serves as your safety net should any issues arise during the migration process.
Export Device Configuration: Navigate to Devices > Device Management, select your target device, then access the Device tab and click Export to export your device settings. The file contains critical device configuration information such as IP addresses, security zones, static routes, and other device settings. Without this file, you will have to manually reconfigure these details on the new FMC.
Export Device Policies: Navigate to System > Tools > Import/Export to export critical policy configurations like access control policies, platform settings, NAT policies, and other essential policies. This file is indispensable for the migration since these policies are not migrated over to the new FMC automatically.
Import Device Policies: On the destination FMC (in Light theme), navigate to System > Tools > Import/Export and select Upload Package to import the previously exported policies. It is recommended to complete this step before the FTD HA Pair is migrated, since the policies can be associated with the FTD HA Pair upon registration.
Verify Import Success: Take a moment to confirm that the import completed fully and successfully before moving on.
Remove S2S Connections: Disassociate any existing Site-to-Site VPN connections on the source FMC from the FTD HA Pair prior to unregistration. If you have S2S VPNs that must be migrated along with the FTD HA Pair, unfortunately these configurations are not exportable using an existing FMC feature, and will need to be manually rebuilt on the destination FMC.
Unregistering an HA pair from the FMC has several important characteristics:
Unregister from Source FMC: Navigate to Devices > Device Management, select the HA Pair, and click More > Unregister, then confirm by clicking Yes. This cleanly removes the HA pair from the source FMC's management scope while preserving traffic processing capabilities.
Important - Business Impact Warning: When registering the pair to the Destination FMC, the existing configuration will be removed, causing the pair to temporarily stop processing traffic. This traffic interruption has significant business implications that require careful planning:
Configure Manager Connection: On the primary unit's CLI, execute the following command to add the destination FMC as a manager. The Registration Key can be any value you choose; it is used once to authenticate the device during registration, so pick a strong, non-guessable value and reuse it in the FMC GUI step below:
configure manager add <FMC_IP_Address> <Registration_Key>
The registration status will initially show as 'pending' until completed through the GUI.
Complete GUI Registration: On the destination FMC, navigate to Devices > Device Management, then click Add > Device. You only need to add the primary unit as the FMC will automatically discover the secondary unit. During registration, you'll need to provide the Host IP address, Display Name, Registration Key, and select an Access Control Policy. The system also provides options for Smart Licensing configuration and performance tier selection for virtual FTD deployments.
Import Device Configuration: Navigate to Devices > Device Management, select your target device, then access the Device tab and click Import to import the device settings file you exported earlier. This will restore critical configuration like IP addresses, security zones, static routes, and other device settings.
Add S2S Connections: If you have pre-built S2S VPN connections on the destination FMC, these can be associated with the new FTD HA Pair.
Deploy Configuration: Push all configuration changes to the FTD devices. Monitor the deployment process to ensure successful completion.
Verify: Validate that network traffic passes through the FTD devices correctly, including, if applicable, VPN traffic, and that security policies are actively enforcing. If possible, confirm HA functionality by performing a brief failover test to ensure the HA pair switches properly between primary and secondary units.
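One way to script the registration part of this verification against the destination FMC, as an added example that is not part of the original post or Cisco's tooling: it confirms that the HA pair object exists and that both members (the primary you added and the secondary the FMC discovered) appear as registered device records. It assumes the FMC REST API token endpoint and the devicerecords / ftddevicehapairs resources with "name", "primary" and "secondary" fields; the hostnames, pair name and JSON below are constructed sample data.

```python
"""Post-migration registration check against the FMC REST API (added example).
Assumes the FMC REST endpoints named below; sample JSON is constructed."""
import base64
import json
import ssl
import urllib.request


def fmc_session(fmc_host, user, password):
    """Obtain an API token; returns (token, domain_uuid)."""
    req = urllib.request.Request(
        f"https://{fmc_host}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    ctx = ssl.create_default_context()  # keep TLS verification on; load your FMC CA here
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def fmc_get(fmc_host, token, path):
    """GET a config resource using the session token."""
    req = urllib.request.Request(f"https://{fmc_host}{path}")
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def ha_pair_members(ha_pairs_json, pair_name):
    """Return (primary_name, secondary_name) for the named HA pair, or None."""
    for item in ha_pairs_json.get("items", []):
        if item.get("name") == pair_name:
            return item["primary"]["name"], item["secondary"]["name"]
    return None


def migration_checks(device_records_json, ha_pairs_json, pair_name):
    """Pair present on the destination FMC and both members registered?"""
    members = ha_pair_members(ha_pairs_json, pair_name)
    registered = {d["name"] for d in device_records_json.get("items", [])}
    return {"pair_present": members is not None,
            "both_members_registered": members is not None
            and all(m in registered for m in members)}


# Constructed sample responses (not captured from a real FMC)
SAMPLE_DEVICES = {"items": [{"name": "ftd-primary", "hostName": "10.0.0.11"},
                            {"name": "ftd-secondary", "hostName": "10.0.0.12"}]}
SAMPLE_HA = {"items": [{"name": "ftd-ha", "primary": {"name": "ftd-primary"},
                        "secondary": {"name": "ftd-secondary"}}]}

if __name__ == "__main__":
    # Live use: tok, dom = fmc_session("fmc.example", "apiuser", "secret"), then
    # fmc_get(host, tok, f"/api/fmc_config/v1/domain/{dom}/devices/devicerecords")
    print(migration_checks(SAMPLE_DEVICES, SAMPLE_HA, "ftd-ha"))
```

With a live FMC, pass the devicerecords and ftddevicehapairs responses fetched via fmc_get in place of the sample dictionaries; a result with both_members_registered False means the secondary was not discovered and the registration step should be revisited before deploying.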
Migrating HA FTD devices between FMCs requires careful planning and systematic execution, but following this structured approach minimizes risks and downtime. The key to success lies in thorough preparation, methodical execution of each phase, and comprehensive verification of functionality.
By maintaining version compatibility, properly exporting and importing configurations, and following the structured migration phases, you can successfully transition your HA FTD management while preserving your security posture and network connectivity.
Remember that while this process typically takes around 30 minutes total, it is prudent to allow additional time for testing and verification to ensure a robust migration that maintains your organization's security standards.
Please reach out with any questions/comments you might have.