Getting tired of working firewall CIS compliance for over 200 firewalls; I've been at it for years. Yes, it's a slow process with change management, but now that one of the team members left I've been tasked with firewall refresh, standing up new hardware in parallel and migrating VLANs from the old ASA 5585 firewall to the new 4100 running ASA. Still not quite to the FTD yet. Had a 10-hour maintenance last weekend moving some 50 or so VLANs from one firewall to another, updating routes and ACLs. But that's what I've been up to.
 
			
			
			
Oof, migrating configs is tedious stuff. Best of luck with that, hate to have to see you do it all again because of a stupid missed detail somewhere!
			
			
			
My old place is finishing up their migrations. They have to do STIG instead of CIS, and they are doing ASA to Palo, but it is all the same at the end of the day. If it wasn't for those details I would guess you worked there. They had a window to do a big cutover on Saturday after the 4th. It took them a little longer than expected, but it was successful. I think they only have two HA pairs left to migrate, which will close out a 2-year-plus migration. Then they get to move on to the switching refresh. Both data center and access are hitting EOL near the same time, so it will be a lot of work.
Are you planning to migrate to FTD at some point? We looked at it when it first came out as the obvious replacement for ASA and it was missing a lot of features, but I heard it is much more feature complete now.
-Otanx
			
			
			
Yes, FTD coming down the pipe