🔄 ASA to FTD Migration Lab

Migrating High Availability ASA Pairs to FTD in ICS Purdue Security Model

🎯 Welcome to ASA to FTD Migration Lab

💡 Key Learning Objective

Master the migration from traditional ASA high availability pairs to next-generation FTD firewalls while maintaining ICS security compliance and zero-downtime operations.

🎓 What You'll Learn

  • Design and implement FTD high availability clusters for ICS environments
  • Migrate security policies from ASA to FTD with minimal service disruption
  • Configure Purdue security model zones and access controls on FTD
  • Implement advanced threat protection and intrusion prevention
  • Establish monitoring and logging for industrial security compliance
  • Validate security posture and performance post-migration
  • Troubleshoot common migration challenges and FTD configuration issues

🏭 Lab Environment Overview

This lab simulates a typical industrial control system (ICS) environment following the Purdue security model with three critical security zones requiring high availability firewall protection. You'll work with existing ASA HA pairs protecting Level 2 (Control), Level 3 (Operations), and Level 4 (Enterprise) networks, migrating them to modern FTD platforms while maintaining operational continuity.

⚠️ Safety Notice: This lab involves critical security infrastructure changes. In production environments, always coordinate with operations teams, implement changes during maintenance windows, and maintain rollback procedures.

🚀 Ready to Begin?

Click through the tabs above to progress through the migration journey. Each section builds upon the previous, so complete them in order for the best learning experience.

🏗️ Network Topology & Architecture

📐 Current ASA Deployment

                     Internet
                        |
                   [Edge Router]
                        |
               ┌─────────────────────┐
               │   ASA Pair #1 (HA)  │ ← Level 4 (Enterprise DMZ)
               │  Primary: 10.1.1.2  │
               │ Secondary: 10.1.1.3 │
               └─────────────────────┘
                        |
                ┌─────────────────────┐
                │   ASA Pair #2 (HA)  │ ← Level 3 (Operations)
                │  Primary: 10.2.1.2  │
                │ Secondary: 10.2.1.3 │
                └─────────────────────┘
                        |
                ┌─────────────────────┐
                │   ASA Pair #3 (HA)  │ ← Level 2 (Control)
                │  Primary: 10.3.1.2  │
                │ Secondary: 10.3.1.3 │
                └─────────────────────┘
                        |
               [PLC/HMI/SCADA Networks]

🎯 Target FTD Deployment

                     Internet
                        |
                   [Edge Router]
                        |
               ┌─────────────────────┐
               │   FTD Pair #1 (HA)  │ ← Level 4 (Enterprise DMZ)
               │  Primary: 10.1.1.4  │   + Advanced Threat Protection
               │ Secondary: 10.1.1.5 │   + IPS/Malware Detection
               └─────────────────────┘   + File Analysis
                        |
                ┌─────────────────────┐
                │   FTD Pair #2 (HA)  │ ← Level 3 (Operations)
                │  Primary: 10.2.1.4  │   + Industrial Protocol Inspection
                │ Secondary: 10.2.1.5 │   + Anomaly Detection
                └─────────────────────┘   + Asset Discovery
                        |
                ┌─────────────────────┐
                │   FTD Pair #3 (HA)  │ ← Level 2 (Control)
                │  Primary: 10.3.1.4  │   + Strict Access Control
                │ Secondary: 10.3.1.5 │   + Protocol Validation
                └─────────────────────┘   + Real-time Monitoring
                        |
               [PLC/HMI/SCADA Networks]

🔴 Current ASA Limitations

  • Basic stateful inspection only
  • Limited application awareness
  • No advanced threat protection
  • Manual policy management
  • Limited industrial protocol support

🟢 FTD Advantages

  • Next-generation firewall capabilities
  • Advanced malware protection
  • Industrial protocol inspection
  • Centralized management via FMC
  • Real-time threat intelligence

💡 Architecture Key Points

The Purdue model's layered approach requires different security policies at each level. Level 2 (Control) needs the strictest controls with protocol validation, Level 3 (Operations) requires industrial protocol awareness, and Level 4 (Enterprise) needs advanced threat protection for business systems integration.

📋 Prerequisites & Requirements

🔧 Hardware Requirements

1. FTD Hardware Specifications

  • Level 4 (Enterprise): FTD 2120 or higher (2Gbps throughput)
  • Level 3 (Operations): FTD 1140 or higher (1Gbps throughput)
  • Level 2 (Control): FTD 1120 or higher (750Mbps throughput)
  • Management: FMC 1000v or physical FMC appliance

📚 Knowledge Prerequisites

  • Understanding of Cisco ASA configuration and management
  • Familiarity with high availability concepts and failover mechanisms
  • Knowledge of industrial control systems and operational technology
  • Understanding of the Purdue security model and zone segmentation
  • Basic knowledge of SCADA, PLC, and HMI systems
  • Network security principles and access control concepts
  • Experience with Cisco CLI and configuration management

🛠️ Software Requirements

2. Software Versions

  • Current ASA: Firmware 9.2.10 (as specified)
  • Target FTD: Version 7.2.0 or later
  • FMC: Version 7.2.0 or later
  • Migration Tools: Cisco ASA to FTD Migration Tool 2.1

🔑 Access Requirements

3. Administrative Access

  • Administrative access to all ASA devices
  • Console access to FTD devices
  • FMC administrator credentials
  • Network change approval and maintenance window
  • Backup and rollback procedures documented

⚠️ Critical Note: Ensure all configurations are backed up before beginning migration. Have rollback procedures ready and tested in case of issues.

📊 Migration Planning & Strategy

🗓️ Migration Approach

1. Parallel Migration Strategy (Recommended)

Deploy FTD pairs alongside existing ASA pairs, allowing for thorough testing and gradual traffic cutover. This approach minimizes risk and allows for quick rollback if issues arise.

🔄 Migration Phases

  • Phase 1: Deploy and configure FTD Level 4 (Enterprise)
  • Phase 2: Deploy and configure FTD Level 3 (Operations)
  • Phase 3: Deploy and configure FTD Level 2 (Control)
  • Phase 4: Parallel testing and validation
  • Phase 5: Traffic cutover and ASA decommission

2. Sequential Migration Strategy

Replace ASA pairs one at a time, starting from the enterprise level and working down to control level. Higher risk but uses fewer resources during migration.

3. Staged Migration Strategy

Migrate specific services and VLANs gradually while maintaining ASA pairs for critical operations. Longest timeline but lowest operational risk.

📋 Pre-Migration Assessment

4. Current State Analysis

Before beginning migration, conduct a thorough analysis of your current ASA configurations:

show running-config | include object-group
show running-config | include access-list
show running-config | include nat
show running-config | include failover
show interface summary
show version
show failover
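The `show failover` output gathered above is the baseline for the whole migration: a pair that is already unhealthy (mismatched versions, a peer stuck outside Standby Ready, an unmonitored interface) will not give a clean comparison against FTD. The following Python script is an added example for this lab, not Cisco tooling; it parses `show failover` text as ASA prints it and lists anything that should be fixed before cutover. The sample output is constructed to match the ASA 9.2 layout, not captured from a device.

```python
"""Pre-migration ASA HA health check from `show failover` text (added example)."""
import re

# Constructed sample of `show failover` output for the Level 3 pair.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Monitored Interfaces 2 of 1041 maximum
Version: Ours 9.2(10), Mate 9.2(10)
Last Failover at: 10:12:35 UTC Mar 3 2024
        This host: Primary - Active
                Active time: 123456 (sec)
                  Interface outside (10.2.1.2): Normal (Monitored)
                  Interface inside (10.2.10.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (10.2.1.3): Normal (Monitored)
                  Interface inside (10.2.10.2): Normal (Waiting)
"""

IFACE_RE = re.compile(r"Interface (\S+) \(([\d.]+)\): (\w+)(?: \((\w+)\))?")
HOST_RE = re.compile(r"(This|Other) host: (Primary|Secondary) - (.+)")
VERSION_RE = re.compile(r"Version: Ours (\S+), Mate (\S+)")


def parse_show_failover(text):
    """Return failover state, unit roles, peer versions and per-host interface status."""
    state = {"enabled": False, "hosts": {}, "versions": None, "interfaces": []}
    current_host = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover On"):
            state["enabled"] = True
        m = VERSION_RE.match(line)
        if m:
            state["versions"] = (m.group(1), m.group(2))
        m = HOST_RE.match(line)
        if m:
            current_host = m.group(1).lower()          # "this" or "other"
            state["hosts"][current_host] = {"unit": m.group(2), "state": m.group(3).strip()}
        m = IFACE_RE.match(line)
        if m and current_host:
            state["interfaces"].append({"host": current_host, "name": m.group(1),
                                        "ip": m.group(2), "status": m.group(3),
                                        "monitor": m.group(4)})
    return state


def readiness_findings(state):
    """Return the list of problems to resolve before migrating this pair."""
    findings = []
    if not state["enabled"]:
        findings.append("failover is not enabled")
    if state["versions"] and state["versions"][0] != state["versions"][1]:
        findings.append("software version mismatch between peers: %s vs %s" % state["versions"])
    other = state["hosts"].get("other")
    if other is None or other["state"] != "Standby Ready":
        findings.append("peer is not in Standby Ready state")
    for iface in state["interfaces"]:
        # Anything other than "Normal (Monitored)" means failover cannot rely on that link.
        if iface["status"] != "Normal" or iface["monitor"] != "Monitored":
            findings.append("%s host interface %s (%s) is %s (%s)" % (
                iface["host"], iface["name"], iface["ip"], iface["status"], iface["monitor"]))
    return findings


if __name__ == "__main__":
    for finding in readiness_findings(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("FIX BEFORE MIGRATION:", finding)
```

Feed it the saved output of `show failover` from each ASA pair; an empty findings list is the baseline you want before the Level 4 cutover.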

🔍 Migration Readiness Checklist

  • Network topology documented and validated
  • Current ASA configurations exported and analyzed
  • FTD hardware procured and racked
  • FMC deployed and accessible
  • IP addressing scheme planned for FTD devices
  • Maintenance window scheduled and approved
  • Rollback procedures documented and tested
  • Stakeholder communication plan in place

💡 Planning Best Practice

Start with the least critical systems to gain experience with the migration process. In ICS environments, Level 2 (Control) is usually the most critical, so test extensively at Level 4 (Enterprise) before moving down to the lower levels.

⚙️ Implementation Steps

🎛️ FMC Initial Setup

1. Configure Firewall Management Center

Start by setting up the FMC with proper licensing and initial configuration:

# FMC Initial Configuration
configure network ipv4 manual 192.168.100.10 255.255.255.0 192.168.100.1
configure network dns servers 8.8.8.8,8.8.4.4
configure network dns searchdomains ics.company.local
configure network hostname FMC-ICS-Primary
# NTP can also be set in the FMC web UI under System > Configuration > Time Synchronization
configure time-sync ntp 192.168.100.100

🔥 FTD Device Registration

2. Register FTD Devices with FMC

Register each FTD device with the management center. This example shows Level 4 (Enterprise) pair registration:

# Syntax: configure manager add <FMC address> <NGFW_REGISTRATION_KEY> [<NAT_ID>]
# The registration key (cisco123 here) must match the key entered when adding the device in FMC.
# Supply a NAT ID as the third argument only when NAT sits between the FTD and the FMC.
# On FTD Primary (Level 4)
configure manager add 192.168.100.10 cisco123
# On FTD Secondary (Level 4)
configure manager add 192.168.100.10 cisco123

🔗 High Availability Configuration

3. Configure FTD HA Clustering

Set up high availability between FTD pairs for each Purdue level:

# FTD HA Configuration (via FMC)
# Device > High Availability > Add HA Pair
Primary Device: FTD-L4-Primary (10.1.1.4)
Secondary Device: FTD-L4-Secondary (10.1.1.5)
HA Link Interface: GigabitEthernet0/1
Data Link Interface: GigabitEthernet0/2
Stateful Failover: Enabled
Preemption: Disabled (recommended for production)

🛡️ Security Policy Migration

4. Migrate Access Control Policies

Convert ASA access-lists to FTD access control policies with enhanced capabilities:

# Example ASA to FTD Policy Translation
# ASA Configuration:
# access-list LEVEL3_IN extended permit tcp 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0 eq 502
# FTD Access Control Policy:
Name: ICS-Level3-to-Level2-Access
Rule Action: Allow
Source Networks: Level3-Operations-Net (10.2.0.0/16)
Destination Networks: Level2-Control-Net (10.3.0.0/16)
Source Ports: Any
Destination Ports: Modbus-TCP (502)
Application: Modbus
Intrusion Policy: ICS-Strict
File Policy: Industrial-File-Policy
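The translation above is one rule done by hand; an ASA pair protecting a Purdue level typically has hundreds, and the risky ones (any-to-any permits, inactive ACEs, object-group references that need expanding) are easy to miss. The script below is an added example written for this lab, not the Cisco migration tool and not code from the page. It turns each ASA extended ACE into the FTD rule fields shown above, maps networks onto the lab's zone objects and Purdue levels, attaches the intrusion policy by destination level, and records notes for anything that needs manual attention. The network object names follow the lab topology, the intrusion policy names follow the lab's IPS section (the Level 4 policy name, the port object names and the /16-per-level assumption are mine).

```python
"""Translate ASA extended ACEs into FTD access-control rule fields (added example)."""
import ipaddress
import re

# Purdue level per network, from the lab topology (assumed one /16 per level).
LEVEL_NETS = [
    (ipaddress.ip_network("10.1.0.0/16"), "Level4-Enterprise-Net", "Level4"),
    (ipaddress.ip_network("10.2.0.0/16"), "Level3-Operations-Net", "Level3"),
    (ipaddress.ip_network("10.3.0.0/16"), "Level2-Control-Net", "Level2"),
]
# Intrusion policy attached by destination level (Level 4 name is an assumption).
LEVEL_IPS_POLICY = {"Level2": "ICS-Level2-Strict", "Level3": "ICS-Level3-Balanced",
                    "Level4": "ICS-Level4-Default"}
# ASA port -> FTD port object name (assumed object names).
PORT_NAMES = {"502": "Modbus-TCP", "20000": "DNP3", "44818": "EtherNet-IP", "102": "S7comm"}

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|object-group \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|object-group \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<inactive> inactive)?$"
)


def _network(spec):
    """ASA address spec -> ip_network, or the raw string for any/object-group."""
    if spec == "any" or spec.startswith("object-group "):
        return spec
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)


def _name_and_level(net):
    """Map a network onto the lab's zone object name and Purdue level."""
    if isinstance(net, str):
        return net, None
    for level_net, name, level in LEVEL_NETS:
        if net.subnet_of(level_net):
            return "%s (%s)" % (name, net), level
    return "Unclassified (%s)" % net, None


def translate_ace(line):
    """Translate one ASA extended ACE into an FTD access-control rule dict."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE syntax: " + line)
    src, dst = _network(m.group("src")), _network(m.group("dst"))
    src_name, _ = _name_and_level(src)
    dst_name, dst_level = _name_and_level(dst)
    port, permit = m.group("port"), m.group("action") == "permit"
    notes = []
    if "object-group" in (m.group("src") + m.group("dst")):
        notes.append("expand object-group into an FTD network group before import")
    if src == "any" and dst == "any":
        notes.append("any-to-any rule: tighten to Purdue zones before enabling")
    if m.group("inactive"):
        notes.append("ACE is inactive on ASA; imported as a disabled rule")
    return {
        "name": "%s-%s" % (m.group("acl"), (port or m.group("proto")).upper()),
        "action": "Allow" if permit else "Block",
        "source_networks": src_name,
        "destination_networks": dst_name,
        "destination_ports": PORT_NAMES.get(port, port or "Any"),
        # Inspection only applies to allowed traffic; choose it by destination zone.
        "intrusion_policy": LEVEL_IPS_POLICY.get(dst_level, "None") if permit else "None",
        "enabled": m.group("inactive") is None,
        "notes": notes,
    }


def translate_config(text):
    """Translate every extended ACE found in a `show running-config` excerpt."""
    return [translate_ace(l) for l in text.splitlines()
            if l.startswith("access-list ") and " extended " in l]
```

Run `translate_config` over the output of `show running-config | include access-list` saved during the assessment; every rule whose `notes` list is non-empty deserves a human decision before it is created in FMC.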

🏭 Industrial Protocol Configuration

5. Configure ICS Protocol Inspection

Enable deep packet inspection for industrial protocols:

# ICS Protocol Preprocessors Configuration
# Policies > Access Control > Advanced > Preprocessors
DNP3 Preprocessor:
  - Check CRC: Enabled
  - Check Link Layer: Enabled
  - Maximum Link Layer Frame Size: 260
Modbus Preprocessor:
  - Check Protocol ID: Enabled
  - Check Unit ID: Enabled
  - Maximum ADU Length: 253
CIP Preprocessor (EtherNet/IP):
  - Check Connection Path: Enabled
  - Maximum CIP Service Requests: 100

⚠️ Configuration Warning: Industrial protocol inspection can impact performance. Test thoroughly and adjust inspection levels based on your environment's performance requirements.
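To make the three Modbus preprocessor options concrete, the following Python is an added example for this lab that applies the same checks (protocol ID, unit ID, length) to a raw Modbus/TCP frame. It is not Snort or FTD preprocessor code. The frames are constructed by hand; the 253-byte PDU limit and the 7-byte MBAP header come from the Modbus/TCP specification, and the allowed unit-ID range is an assumed policy (0 is broadcast, 248 to 255 are reserved). Seeing which malformed frames trip which check helps when reading the preprocessor events FTD raises after the policy is deployed.

```python
"""Modbus/TCP ADU checks mirroring the lab's Modbus preprocessor options (added example)."""
import struct

MBAP_HEADER_LEN = 7          # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU_LENGTH = 253         # Modbus PDU limit; MBAP length field = 1 (unit id) + PDU bytes
VALID_UNIT_IDS = range(1, 248)   # assumed policy: reject broadcast (0) and reserved (248-255)


def check_modbus_tcp_adu(frame):
    """Return a list of violations for one Modbus/TCP ADU; an empty list means clean."""
    violations = []
    if len(frame) < MBAP_HEADER_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:                        # "Check Protocol ID"
        violations.append("protocol id %d is not Modbus (expected 0)" % protocol_id)
    if unit_id not in VALID_UNIT_IDS:           # "Check Unit ID"
        violations.append("unit id %d outside allowed range" % unit_id)
    on_wire = len(frame) - 6                    # bytes that follow the length field
    if length != on_wire:                       # length field must describe the frame
        violations.append("length field %d does not match %d bytes on the wire" % (length, on_wire))
    if length - 1 > MAX_PDU_LENGTH:             # "Maximum ADU Length"
        violations.append("PDU of %d bytes exceeds maximum %d" % (length - 1, MAX_PDU_LENGTH))
    return violations


def build_adu(transaction_id, protocol_id, unit_id, pdu):
    """Assemble a Modbus/TCP ADU; used only to construct the samples below."""
    return struct.pack("!HHHB", transaction_id, protocol_id, len(pdu) + 1, unit_id) + pdu


# Constructed sample frames.
READ_HOLDING_REGISTERS = build_adu(1, 0, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))  # FC3, 10 regs
WRONG_PROTOCOL_ID = build_adu(2, 1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))
BROADCAST_UNIT = build_adu(3, 0, 0, bytes([0x06, 0x00, 0x10, 0x00, 0x01]))             # FC6 to unit 0
OVERSIZED_PDU = build_adu(4, 0, 1, bytes([0x10]) + b"\x00" * 300)                      # FC16, 301-byte PDU
TRUNCATED = READ_HOLDING_REGISTERS[:-2]   # length field claims more bytes than are present

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING_REGISTERS), ("proto", WRONG_PROTOCOL_ID),
                        ("bcast", BROADCAST_UNIT), ("big", OVERSIZED_PDU), ("trunc", TRUNCATED)]:
        print(name, check_modbus_tcp_adu(frame) or "ok")
```

A frame that fails the length check is the case the warning above is really about: a legitimate but unusual PLC stack that pads or fragments ADUs will be flagged just like a malformed one, so compare preprocessor events against packet captures before tightening the action from alert to drop.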

🔍 Intrusion Prevention Tuning

6. Configure ICS-Specific IPS Policies

Create intrusion prevention policies tailored for industrial environments:

# ICS Intrusion Policy Configuration
# Policies > Intrusion > Create New Policy
Policy Name: ICS-Level2-Strict
Base Policy: Security Over Connectivity
Rules to Enable:
  - SCADA-* (All SCADA-related rules)
  - PROTOCOL-MODBUS-* (Modbus protocol rules)
  - PROTOCOL-DNP3-* (DNP3 protocol rules)
  - PROTOCOL-ICCP-* (ICCP protocol rules)
  - MALWARE-CNC-* (Command and control detection)

Policy Name: ICS-Level3-Balanced
Base Policy: Balanced Security and Connectivity
Additional Rules:
  - FILE-EXECUTABLE-* (Executable file inspection)
  - SERVER-OTHER-* (Non-standard service detection)

📈 Traffic Cutover Process

7. Coordinated Traffic Migration

Execute the actual traffic cutover from ASA to FTD:

# Pre-cutover verification
show high-availability
show route
show access-control-config
# Coordinate with network team for routing changes
# Update upstream router to point to FTD VIP addresses
# Example: change default route to point to 10.1.1.4 instead of 10.1.1.2
# Monitor during cutover
show connection count
show traffic
show resource usage

🔄 Rollback Procedures

8. Emergency Rollback Process

If issues arise, quickly rollback to ASA configuration:

Emergency Rollback Steps:
  1. Immediately notify operations team
  2. Revert upstream routing to ASA addresses
  3. Verify ASA HA pair is still operational
  4. Test critical SCADA communications
  5. Document issues for post-mortem analysis

💡 Implementation Success Factor

Success depends on thorough pre-testing and having experienced ICS personnel monitoring critical systems during cutover. Never rush the migration timeline for convenience - industrial safety must always be the priority.

🔧 Troubleshooting Guide

🚨 Common Migration Issues

1. Registration Failures

Issue: FTD device fails to register with FMC

Error Message: "Registration failed: Unable to establish communication with manager"

Solution:

# Verify connectivity
ping 192.168.100.10
# Check registration status
show managers
# Reset registration if needed (<NEW_KEY> is the registration key entered in FMC for this device)
configure manager delete
configure manager add 192.168.100.10 <NEW_KEY>
# Verify time sync (registration fails when FTD and FMC clocks drift apart)
show ntp
configure time-sync ntp 192.168.100.100

2. HA Failover Issues

Issue: FTD HA pair not establishing proper synchronization

# Troubleshoot HA status
show high-availability
show high-availability details
show high-availability statistics
# Common fixes:
# 1. Verify interface configuration matches between peers
# 2. Check HA link connectivity
# 3. Validate identical software versions
# 4. Ensure matching device models

3. Industrial Protocol Inspection Problems

Issue: SCADA communications blocked after FTD deployment

Symptoms: HMI timeouts, PLC communication errors, SCADA historian gaps

# Diagnose protocol inspection issues
show asp drop
show conn detail | grep 502
show access-list | grep SCADA
# Temporary bypass for testing
# In FMC: Policies > Access Control > Rules
# Create bypass rule for critical SCADA traffic
# Action: Allow, Inspection: None (temporary)

🔍 Performance Troubleshooting

4. Latency and Throughput Issues

Industrial systems are sensitive to latency changes. Monitor and optimize:

# Performance monitoring commands
show resource usage
show traffic
show perfmon
show memory
show cpu usage
# Optimization commands
# Disable unnecessary inspection for time-critical protocols
# Adjust connection limits
# Tune TCP sequence randomization for industrial protocols

5. Policy Conflicts and Overlaps

Issue: Conflicting access control rules causing unexpected behavior

# Debug policy conflicts
show access-control-config
show rule-engine
# Use FMC Policy Analyzer:
# Analysis > Policy Analyzer
# Import policy and check for conflicts
# Review rule order and precedence

💡 Troubleshooting Best Practice

Always test with non-critical traffic first. Use packet captures to compare ASA vs FTD behavior for identical traffic flows. Keep detailed logs of all changes and their impacts on industrial systems.

✅ Verification & Testing

🔍 Connectivity Verification

1. Basic Connectivity Tests

Verify basic network connectivity across all Purdue levels:

# Test connectivity from FTD CLI
ping 10.1.1.1    # Test Level 4 gateway
ping 10.2.1.1    # Test Level 3 gateway
ping 10.3.1.1    # Test Level 2 gateway
# Test HA connectivity
show high-availability
ping high-availability-peer
# Verify interface status
show interface ip brief
show route

Expected Result: All pings successful, HA peer reachable, interfaces up/up

🏭 Industrial Protocol Testing

2. SCADA/HMI Functionality Verification

Test critical industrial communication protocols:

Modbus TCP Testing (Port 502)

# From HMI workstation
telnet PLC_IP_ADDRESS 502
# From FTD CLI - monitor traffic
show conn detail | grep 502
show asp drop | grep modbus

DNP3 Testing (Port 20000)

# Test DNP3 communication
# Monitor from SCADA master station
show conn detail | grep 20000
show rule-engine | grep DNP3

📊 Performance Validation

3. Latency and Throughput Testing

Validate that FTD performance meets ICS requirements:

# Performance monitoring
show resource usage summary
show traffic summary
show memory
show cpu usage
# Acceptable thresholds for ICS:
# CPU Usage: <60% under normal load
# Memory Usage: <70%
# Interface Utilization: <50%
# Latency: <10ms additional delay

Performance Targets: Latency increase <10ms, CPU <60%, Memory <70%
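Checking these targets by eye on every FTD pair after every policy change does not scale, so here is an added example (written for this lab, not Cisco tooling) that parses `show cpu usage` and `show memory` text in the format the FTD CLI prints and compares the added delay between two sets of round-trip measurements, one taken through the ASA before cutover and one through the FTD afterwards. The command output and the RTT samples are constructed; the thresholds are the lab's. Interface utilization is not covered because `show traffic` output varies by interface type.

```python
"""Post-migration performance check against the lab's ICS thresholds (added example)."""
import re
import statistics

# Thresholds from the lab's performance targets.
THRESHOLDS = {"cpu_pct": 60, "memory_pct": 70, "latency_delta_ms": 10}

# Constructed command output in the layout the FTD CLI uses.
SHOW_CPU_USAGE = "CPU utilization for 5 seconds = 41%; 1 minute: 38%; 5 minutes: 35%"
SHOW_MEMORY = """\
Free memory:        1503238553 bytes (35%)
Used memory:        2791728743 bytes (65%)
-------------     ------------------
Total memory:       4294967296 bytes (100%)
"""
# Constructed HMI -> PLC round-trip times in milliseconds, through ASA and then FTD.
RTT_VIA_ASA_MS = [2.1, 2.3, 2.0, 2.4, 2.2, 2.6, 2.1]
RTT_VIA_FTD_MS = [3.9, 4.1, 3.8, 4.4, 4.0, 4.2, 3.9]


def parse_cpu_usage(text):
    """Return the 5-second, 1-minute and 5-minute CPU percentages."""
    m = re.search(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%", text)
    if not m:
        raise ValueError("unrecognised `show cpu usage` output")
    return {"5s": int(m.group(1)), "1m": int(m.group(2)), "5m": int(m.group(3))}


def parse_memory_used_pct(text):
    """Return the used-memory percentage from `show memory`."""
    m = re.search(r"Used memory:\s+\d+ bytes \((\d+)%\)", text)
    if not m:
        raise ValueError("unrecognised `show memory` output")
    return int(m.group(1))


def latency_delta_ms(baseline, migrated):
    """Added delay introduced by FTD as the difference of median RTTs (median resists outliers)."""
    return round(statistics.median(migrated) - statistics.median(baseline), 2)


def evaluate_performance(cpu_text, mem_text, rtt_baseline, rtt_migrated):
    """Return {metric: (value, within_threshold)} plus an overall 'passed' flag."""
    cpu = parse_cpu_usage(cpu_text)
    values = {
        "cpu_pct": cpu["1m"],   # the 1-minute average stands in for "normal load"
        "memory_pct": parse_memory_used_pct(mem_text),
        "latency_delta_ms": latency_delta_ms(rtt_baseline, rtt_migrated),
    }
    results = {k: (v, v < THRESHOLDS[k]) for k, v in values.items()}
    passed = all(ok for _, ok in results.values())
    results["passed"] = passed
    return results


if __name__ == "__main__":
    for metric, outcome in evaluate_performance(SHOW_CPU_USAGE, SHOW_MEMORY,
                                                RTT_VIA_ASA_MS, RTT_VIA_FTD_MS).items():
        print(metric, outcome)
```

Take the baseline RTT samples through the ASA during the parallel phase, from the same HMI to the same PLC, so the delta isolates the firewall rather than the path.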

🛡️ Security Function Verification

4. Advanced Threat Protection Testing

Verify advanced security features are working correctly:

# Test intrusion prevention
show intrusion-prevention statistics
show malware-protection statistics
# Test file inspection
show file-policy statistics
# Verify threat intelligence
show threat-intelligence statistics
# Check security events
show events | grep intrusion

🔄 Failover Testing

5. HA Failover Validation

Test high availability failover scenarios:

⚠️ Coordinate with Operations: Schedule failover testing during maintenance windows to avoid disrupting critical processes.

# Planned failover test
no failover active
# Monitor failover process
show failover
show high-availability
# Verify connectivity maintained
# Test from HMI/SCADA workstations
# Monitor for connection drops
# Return to primary
failover active

Success Criteria: Failover completes in <30 seconds, no connection drops >5 seconds
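"Monitor for connection drops" needs a number at the end, and the two success criteria are measured from the HMI side rather than on the firewall. The following is an added example for this lab, not Cisco tooling: a probe on an HMI workstation attempts one TCP connection per second to a Level 2 PLC's Modbus port while `no failover active` is issued, and this script reads the probe log to report how long failover took and the longest drop seen. The log lines, target address and trigger time are constructed.

```python
"""Evaluate an HA failover test from a once-per-second connection-probe log (added example)."""
from datetime import datetime

# Constructed probe log: one TCP connect per second from the HMI to a Level 2 PLC.
PROBE_LOG = """\
2024-03-03T10:12:58Z target=10.3.10.5:502 result=ok
2024-03-03T10:12:59Z target=10.3.10.5:502 result=ok
2024-03-03T10:13:00Z target=10.3.10.5:502 result=ok
2024-03-03T10:13:01Z target=10.3.10.5:502 result=timeout
2024-03-03T10:13:02Z target=10.3.10.5:502 result=timeout
2024-03-03T10:13:03Z target=10.3.10.5:502 result=refused
2024-03-03T10:13:04Z target=10.3.10.5:502 result=ok
2024-03-03T10:13:05Z target=10.3.10.5:502 result=ok
"""
# Time `no failover active` was issued on the active unit (constructed).
FAILOVER_TRIGGERED_AT = datetime(2024, 3, 3, 10, 13, 0)

MAX_FAILOVER_S = 30   # lab criterion: failover completes in <30 seconds
MAX_DROP_S = 5        # lab criterion: no connection drop >5 seconds


def parse_probe_log(text):
    """Return a list of (timestamp, reachable) tuples, one per probe line."""
    samples = []
    for line in text.splitlines():
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        samples.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), kv["result"] == "ok"))
    return samples


def outage_windows(samples):
    """Return (start, end, seconds) per run of failed probes; end is None if still failing."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts, (ts - start).total_seconds()))
            start = None
    if start is not None:
        windows.append((start, None, None))
    return windows


def evaluate_failover(samples, triggered_at):
    """Check failover completion time and longest drop against the lab criteria."""
    windows = [w for w in outage_windows(samples) if w[0] >= triggered_at]
    if not windows:
        failover_s, longest = 0.0, 0.0          # hitless: no probe failed after the trigger
    elif any(w[1] is None for w in windows):
        failover_s, longest = None, None        # never recovered within the log: fail
    else:
        failover_s = (windows[0][1] - triggered_at).total_seconds()
        longest = max(w[2] for w in windows)
    passed = (failover_s is not None and failover_s < MAX_FAILOVER_S
              and longest is not None and longest <= MAX_DROP_S)
    return {"failover_seconds": failover_s, "longest_drop_seconds": longest,
            "passed": passed, "windows": windows}


if __name__ == "__main__":
    print(evaluate_failover(parse_probe_log(PROBE_LOG), FAILOVER_TRIGGERED_AT))
```

Run one probe per critical flow (HMI to PLC, historian to PLC, SCADA master to RTU) during the same test; the resolution is the probe interval, so a one-second probe cannot distinguish a 0.5 s from a 1.5 s drop, which is acceptable against a 5-second criterion.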

🧠 Knowledge Check

Test your understanding of ASA to FTD migration concepts and best practices:

1. In the Purdue security model, which level requires the most restrictive security policies?
2. What is the default port for Modbus TCP communication?
3. Which migration strategy offers the lowest operational risk?
4. What is the recommended CPU utilization threshold for FTD in ICS environments?
5. Which FTD feature provides the most significant security improvement over ASA for ICS environments?
6. What should be the maximum acceptable failover time for ICS environments?
7. Which component is required for centralized management of FTD devices?