From FMCv10 to FMC2700

It is more then strange, but if you buy a new Cisco FMC1700/2700/4700 management server appliance today and want to migrate configuration from virtual FMCv2/10/25 to it, you’ll quickly find that there is no supported migration path.

This was also confirmed me by a TAC engineer.
Cisco really does not support direct migration from FMCv (versions 2/10/25) to FMC 1700/2700/4700 hardware appliances.
Only paths from FMCv to older appliances FMC1600/2600/4600 and from FMC 1600/2600/4600 to newer FMC 1700/2700/4700 are supported.

We had 3 options:

Migrate manually
Crack migration script to allow direct path
Use middle-step with FMC 2600 appliance

As an option 1 was extremely laborious in our case,
and option 2 was explicitly not recommended by TAC (with risk of side effects),
we went with option 3.

So I’d like to share some notes from such migration.

Our path

We were lucky to borrow an older FMC2600 server, so our path was:

FMCv10 —> FMC2600 —> FMC2700

Our plan was to completely prepare new FMC2700 offsite:

Replicate production FMCv10 (standard restore from backup) in LAB environment (without connectivity to production FTD devices)
Migrate FMCv10 to FMC2600 by script
Migrate FMC2600 to FMC2700 by script

And then in the day of migration continue onsite with:

Deregister FMCv10 from Cisco Smart account
Turn-off FMCv10
Turn-on FMC2700
Register FMC2700 to Cisco Smart account
Test deployment

I had following concerns before action:

Will be necessary to deploy to FTDs in the middle-step? (from FMC2600)
Will stay FTDs devices connected after migration? Or will we somehow supposed to recover connectivity?
Will be first deployment from new FMC2700 to FTDs safe? without any unwanted changes?

Documentation didn’t address my concerns. So that’s also the reason I share my memories.

Notes to LAB environment

We had to create LAB network environment as in production - if we want to connect to restored FMCv10
We isolated LAB environment from outside world - we did not want to allow restored FMC to contact Cisco Smart portal
We added test FTDv to restored FMCv10 to see, if it will survive two migration steps - our canary in coal mine ;)
We followed official cisco guide
all devices (FMCv10, FMC2600, FMC2700) were on the same 7.4.2 version and patch

Observations and experience

As there was not pending deployments while backup production FMCv10 (required), there was no need to deploy right after migration by script (nothing to deploy)

Test FTDv (our canary) was ‘always-on’ so no trouble with any reconnecting of FTD. The same with production FTDs after we turned on FTD2700 onsite. Sftunnels survived both migrations.

There was not possible to test deployment to test FTDv after migration (with some small change), because missing licenses in LAB FMC.

We shuted down source FMC after copying backup file to destination FMC and then start the script (documentation says to disconnect destination FMC during running script, but only reason is to avoid IP address conflict)

backup file on destination FMC must be in exactly in folder /var/sf/backup/, otherwise script will fail.

If you do not need to migrate events do not do it (documentation requires it, but it takes much more time. Migration works well even without events migration)

Unregistration of old FMCv10 and registration of new FMC2700 was straightforward. The only small issue was that after registration, we had to manually assigned licenses to devices. They somehow lose Thread licenses.

We compared LINA configuration before and after deployment from new FMC2700 to be sure, that there were no changes. they were identical.

Script output.

For reference I attach outputs from scripts:

*** FMCv10 —> FMC2600 ***

root@firepower:/Volume/home/admin# /var/sf/bin/sf-migration.pl /var/sf/backup/FMC_before_migration-2025-09-09T05-45-14.tar
Untaring /var/sf/backup/FMC_before_migration-2025-09-09T05-45-14.tar to read ims.conf
Source Model = Secure Firewall Management Center for VMware Target Model = Secure Firewall Management Center 2600 
Model migration path Secure Firewall Management Center for VMware to Secure Firewall Management Center 2600 exists 



 ******************WARNING: This script will modify the management IP address of this Firepower Management Center using the configurations from the backup file. Ensure that the source Firepower Management Center is disconnected from the network to avoid IP conflict.*********************


Are you sure you want to continue (Y/N)Y
Migration is in progress. Please check the logs at /var/log/restore.log
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Broadcast message from root@firepower (Tue Sep  9 06:38:25 2025):

The system is going down for reboot NOW!

*** FMC2600 —> FMC2700 ***

root@firepower:/Volume/home/admin# /var/sf/bin/sf-migration.pl /var/sf/backup/FMC2600-FMC2700-2025-09-09T06-49-26.tar 
Untaring /var/sf/backup/FMC2600-FMC2700-2025-09-09T06-49-26.tar to read ims.conf
Source Model = Secure Firewall Management Center 2600 Target Model = Secure Firewall Management Center 2700 
Model migration path Secure Firewall Management Center 2600 to Secure Firewall Management Center 2700 exists 



 ******************WARNING: This script will modify the management IP address of this Firepower Management Center using the configurations from the backup file. Ensure that the source Firepower Management Center is disconnected from the network to avoid IP conflict.*********************


Are you sure you want to continue (Y/N)Y
Migration is in progress. Please check the logs at /var/log/restore.log
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Broadcast message from root@firepower (Tue Sep  9 07:07:20 2025):

The system is going down for reboot NOW!

Conclusion

Overall, the migration was smooth and the script proved tolerant of our setup. No big surprises. No issue after deployment from new FMCs.

Our path#

Notes to LAB environment#

Observations and experience#

Script output.#

Conclusion#

Our path

Notes to LAB environment

Observations and experience

Script output.

Conclusion