Event and Analytics Management options during Firewall Threat Defense migration
Event and analytics management can either be retained on the on-premises Firewall Management Center or transferred to Security Cloud Control Firewall Management, in which case the devices must be configured to send events to Security Cloud Control Firewall Management.
When you initiate the migration, you choose the manager to which device events are sent for analytics:
- Retain analytics on the on-premises Firewall Management Center, or
- Transfer analytics to Security Cloud Control Firewall Management.
Special requirement for FMC 1000/2500/4500
If you are migrating from an on-premises Firewall Management Center 1000/2500/4500, you cannot retain analytics on the on-premises Firewall Management Center due to limited availability.
In this case, devices must send events to:
- Security Analytics and Logging (On-Prem), or
- Security Analytics and Logging (SaaS).
If you retain on-premises Firewall Management Center for analytics
- Security Cloud Control Firewall Management becomes the configuration manager.
- The devices remain on the on-premises Firewall Management Center in analytics-only mode.
- Devices continue sending events to the on-premises Firewall Management Center.
- Security Cloud Control Firewall Management manages configuration changes only.
Note: The maximum number of supported Secure Firewall Threat Defense devices in Cloud-Delivered Firewall Management Center includes devices that are deployed for analytics on Firewall Management Center and onboarded to Cloud-Delivered Firewall Management Center for management. These devices count toward the platform device capacity limit and must be included in your capacity planning to ensure proper sizing and performance.
If you select Security Cloud Control Firewall Management for analytics
- Secure Firewall Management Center becomes both:
  - Configuration manager, and
  - Analytics manager.
- The devices are removed from the on-premises Firewall Management Center.
- You must configure the devices to send events to the Cisco cloud.
- Events can be sent using:
  - Security Services Exchange (SSE), or
  - Secure Event Connector (SEC)
- Events are processed by Cisco Secure Analytics and Logging (SAL) in the cloud.
Note: If you initially select on-premises Firewall Management Center for analytics, you have a 14-day evaluation period during which you can change the analytics destination to Secure Firewall Management Center. After either:
To modify analytics settings after the evaluation period or after commit, refer to the migration troubleshooting procedures; see Resolving Firewall Threat Defense Migration to Cloud-Delivered Firewall Management Center Issues.
eStreamer Server Streaming
When you manage a Firewall Threat Defense device with Cloud-Delivered Firewall Management Center, the device supports sending only fully-qualified events (FQE) to eStreamer clients. If you have configured eStreamer clients in the on-premises Firewall Management Center, ensure that the clients support the detailed data formats used by FQE when you migrate the device management to Cloud-Delivered Firewall Management Center. Any legacy clients, security information and event management (SIEM) systems, or log management solutions that do not support the data format of FQE or lack the necessary storage to handle the larger volume of FQE data will not work when you migrate.