What good looks like after a Cisco ASA → Cisco Firepower migration
Typical Firepower replacing an ASA at similar £-band.
Single firewall site cutover with rule conversion + validation.
End-to-end for a 10-30 site estate.
No vendor change — existing Cisco skills, support contracts, tooling all preserved.
Why UK organisations migrate from Cisco ASA to Cisco Firepower
- ✓ ASA reached EoS — same-vendor refresh maintains Cisco operational continuity
- ✓ Native integration with Cisco Catalyst networking + ISE + DNA Center + Umbrella
- ✓ Snort 3 IPS + AMP for Networks + URL filtering + AVC built-in
- ✓ Cisco DNA Subscription bundles centralised management + licensing
- ✓ Single-pane FMC (Firepower Management Center) across the fleet
- ✓ Existing Cisco TAC + Smart Net Total Care continuity
Migration phasing — typical Cisco ASA → Cisco Firepower programme
- 1. Discovery + rule analysis. Weeks 1-3: ASA config extraction; Firepower Migration Tool (FMT) conversion; per-site sizing; FMC architecture design; ISE + Umbrella + DNA Center integration design.
- 2. Firepower platform build. Weeks 4-7: Hardware delivery; FMC deployment + clustering; central policy templates; access policies + intrusion + URL + AMP policies configured; integration testing.
- 3. Pilot site cutover (1-3 sites). Weeks 8-9: Non-critical sites cutover with on-site engineer; rollback rehearsal; functional + performance validation; user acceptance.
- 4. Phased site cutover. Weeks 10-15: Remaining sites cutover in waves; rollback option preserved 24h post-cutover; ITSM tracked.
- 5. ASA decommission. Week 16: Final sites cutover; ASA hardware decommissioned; FMC + Smart Net Total Care operational handover.
What Servnet delivers in a Cisco ASA → Cisco Firepower migration
Firepower Migration Tool (FMT)
Free Cisco tooling — we run + validate + remediate the converted ruleset before any cutover.
Hardware procurement
Firepower 1100 / 2100 / 3100 / 4100 / 9300 series sized per site — quoted at vendor-direct pricing.
FMC + FMC HA deployment
Centralised management with HA + DR-paired FMC where the estate size warrants.
Cisco DNA Subscription licensing
Essentials / Advantage / Premier sized to feature requirements.
ISE / Umbrella / DNA integration
Identity-aware policy enforcement + DNS security + topology integration.
Per-site cutover runbook
Each site gets a runbook with cutover steps, rollback triggers, validation tests.
Top risks + how we mitigate them
Indicative: ASA → Firepower migrations for a 10-30 site estate typically run £30k-£70k professional services (excluding Firepower hardware + DNA Subscription licences). Total programme cost typically 30-50% above equivalent FortiGate alternative, justified by Cisco operational continuity + ecosystem integration. Talk to us for a sized commercial proposal modelling both options.
FAQs — Cisco ASA → Cisco Firepower
Should we stay with Cisco or move to FortiGate?
If your network estate is Cisco-led (Catalyst switches, ISE, DNA Center, Umbrella, Webex) the same-vendor continuity often outweighs FortiGate's pricing advantage. If your network estate is mixed-vendor or already moving toward best-of-breed, FortiGate is the typical winner.
What's the difference between Firepower 1100 / 2100 / 3100 / 4100 / 9300?
1100-series is small branch (up to 4 Gbps); 2100-series is mid-branch; 3100-series is medium enterprise; 4100-series is data centre; 9300-series is service-provider chassis. We size per-site during discovery.
Will Cisco TAC continue covering the migrated estate?
Yes — Smart Net Total Care (SNTC) coverage moves to the Firepower hardware. Existing Cisco TAC relationships continue without interruption.
Can we cluster Firepower for high throughput?
Yes — Firepower supports inter-chassis clustering on 4100 + 9300 platforms, plus active/active failover on 3100 + 4100. Sized appropriately during discovery.
Ready to scope your Cisco ASA → Cisco Firepower migration?
30-minute discovery call with an engineer who's run this migration before. Honest scoping, no sales script.