Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Getting Started Guide

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Getting Started Guide

Chapter Title

Getting Started with Firepower Threat Defense Virtual and Azure

Results

Updated:
December 14, 2020

Chapter: Getting Started with Firepower Threat Defense Virtual and Azure

Getting Started with Firepower Threat Defense Virtual and Azure

The Cisco Firepower Threat Defense Virtual (FTDv) brings Cisco's Firepower Next-Generation Firewall functionality to virtualized environments, enabling consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds.

This chapter describes how the Firepower Threat Defense Virtual functions in the Azure Marketplace, including feature support, system requirements, guidelines, and limitations. This chapter also describes your options for managing the FTDv.

It's important that you understand your management options before you begin your deployment. You can manage and monitor the FTDv using the Firepower Management Center or the Firepower Device Manager. Other management options may be available.

About FTDv and the Microsoft Azure Cloud

The FTDv (Firepower Threat Defense Virtual) is integrated into the Microsoft Azure marketplace and supports the following instance types:

  • Standard D3—4 vCPUs, 14 GB, 4vNICs

  • Standard D3_v2—4 vCPUs, 14 GB, 4vNICs

  • Standard D4_v2—8 vCPUs, 28 GB, 8vNICs (New in Version 6.5)

  • Standard D5_v2—16 vCPUs, 56 GB, 8vNICs (New in Version 6.5)

Prerequisites and Requirements for the FTDv and Azure

Prerequisites

Communication Paths

  • Management interface—Used to connect the FTDv to the Firepower Management Center.


    Note

    In 6.7 and later, you can optionally configure a data interface for FMC management instead of the Management interface. The Management interface is a pre-requisite for data interface management, so you still need to configure it in your initial setup. For more information about configuring a data interface for FMC access, see the configure network management-data-interface command in the FTD command reference.

  • Diagnostic interface—Used for diagnostics and reporting; cannot be used for through traffic.

  • Inside interface (required)—Used to connect the Firepower Threat Defense Virtual to inside hosts.

  • Outside interface (required)—Used to connect the Firepower Threat Defense Virtual to the public network.

Guidelines and Limitations for the FTDv and Azure

Supported Features

  • Routed firewall mode only

  • Azure Accelerated Networking (AN)

  • Management mode, one of two choices:

  • Public IP addressing—Assign public IP addresses to Management 0/0 and GigabitEthernet0/0.

    You can assign a public IP address to other interfaces as needed; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address.

  • Interfaces:

    • FTDv deploys with 4 vNICs by default.

    • With larger instance support you have the ability to deploy the FTDv with a maximum of 8 vNICs.

    • To add addition vNICs to you FTDv deployment, following the guidelines provided by Microsoft’s Add network interfaces to or remove network interfaces from virtual machines.

    • You configure your FTDv interfaces using your manager. See the configuration guide for your management platform, either Firepower Management Center or Firepower Device Manager, for complete information about interface support and configuration.

  • Licensing:

    • BYOL (Bring Your Own License) using a Cisco Smart License Account.

    • PAYG (Pay As You Go) licensing, a usage-based billing model that allows customer to run FTDv without having to purchase Cisco Smart Licensing. All licensed features (Malware/Threat/URL Filtering/VPN, etc.) are enabled for a registered PAYG FTDv device. Licensed features cannot be edited or modified from the FMC. (Version 6.5+)


      Note

      PAYG licensing is not supported on FTDv devices deployed in FDM (Firepower Device Manager) mode.

Unsupported Features

  • Licensing:

    • PLR (Permanent License Reservation)

    • PAYG (Pay As You Go) (Versions 6.4 and earlier)

  • Networking (many of these limitations are Microsoft Azure restrictions):

    • Jumbo frames

    • IPv6

    • 802.1Q VLANs

    • Transparent Mode and other Layer 2 features; no broadcast, no multicast.

    • Proxy ARP for an IP address that the device does not own from an Azure perspective (impacts some NAT capabilities).

    • Promiscuous mode (no capture of subnet traffic).

    • Inline-set modes, passive mode.


      Note

      Azure policy prevents the FTDv from operating in transparent firewall or inline mode because it does not allow interfaces to operate in promiscuous mode.

    • ERSPAN (uses GRE, which is not forwarded in Azure).

  • Management:

    • Console access; management is performed over the network using Firepower Management Center (SSH is available for some setup and maintenance activities)

    • Azure portal “reset password” function

    • Console-based password recovery; because the user does not have real-time access to the console, password recovery is not possible. It is not possible to boot the password recovery image. The only recourse is to deploy a new Firepower Threat Defense Virtual VM.

  • High Availability (active/standby)

  • Clustering

  • VM import/export

  • FDM (Firepower Device Manager) user interface (Versions 6.4 and earlier)

How to Manage Your Firepower Device

You have two options to manage your Firepower Threat Defense device.

Firepower Device Manager

The Firepower Device Manager (FDM) onboard integrated manager.

FDM is a web-based configuration interface included on some Firepower Threat Defense devices. FDM lets you configure the basic features of the software that are most commonly used for small networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many Firepower Threat Defense devices.


Note

See the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for list of Firepower Threat Defense devices that support FDM.

Firepower Management Center

The Cisco Firepower Management Center (FMC).

If you are managing large numbers of devices, or if you want to use the more complex features and configurations that Firepower Threat Defense allows, use the FMC to configure your devices instead of the integrated FDM.


Important

You cannot use both the FDM and FMC to manage a Firepower device. Once the FDM integrated management is enabled, it won't be possible to use an FMC to manage the Firepower device, unless you disable the local management and re-configure the management to use an FMC. On the other hand, when you register the Firepower device to an FMC, the FDM onboard management service is disabled.


Caution

Right now Cisco does not have an option to migrate your FDM Firepower configuration to an FMC and vice-versa. Take this into consideration when you choose what type of management you configure for the Firepower device.

Sample Network Topology for the FTDv on Azure

The following figure shows a typical topology for the Firepower Threat Defense Virtual in Routed Firewall Mode within Azure. The first defined interface is always the Management interface, and only the Management 0/0 and GigabitEthernet0/0 are assigned public IP addresses.

Resources Created During Deployment

When you deploy the Firepower Threat Defense Virtual in Azure the following resources are created:

  • The Firepower Threat Defense Virtual Machine (VM)

  • A Resource Group

    • The Firepower Threat Defense Virtual is always deployed into a new Resource Group. However, you can attach it to an existing Virtual Network in another Resource Group.

  • Four NICS named vm name -Nic0, vm name -Nic1, vm name -Nic2, vm name -Nic3

    These NICs map to the Firepower Threat Defense Virtual interfaces Management, Diagnostic 0/0, GigabitEthernet 0/0, and GigabitEthernet 0/1 respectively.

  • A security group named vm name -mgmt-SecurityGroup

    The security group will be attached to the VM’s Nic0, which maps to the Firepower Threat Defense Virtual management interface.

    The security group includes rules to allow SSH (TCP port 22) and the management traffic for the Firepower Management Center interface (TCP port 8305). You can modify these values after deployment.

  • Public IP addresses (named according to the value you chose during deployment).

    You can assign a public IP address to any interface; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address..

  • A Virtual Network with four subnets will be created if you choose the New Network option.

  • A Routing Table for each subnet (updated if it already exists)

    The tables are named “subnet name ”-FTDv-RouteTable.

    Each routing table includes routes to the other three subnets with the Firepower Threat Defense Virtual IP address as the next hop. You may chose to add a default route if traffic needs to reach other subnets or the Internet.

  • A boot diagnostics file in the selected storage account

    The boot diagnostics file will be in Blobs (binary large objects).

  • Two files in the selected storage account under Blobs and container VHDs named vm name -disk.vhd and vm name -<uuid>.status

  • A Storage account (unless you chose an existing storage account)


    Note
    When you delete a VM, you must delete each of these resources individually, except for any resources you want to keep.

Accelerated Networking (AN)

Azure's Accelerated Networking (AN) feature enables single root I/O virtualization (SR-IOV) to a VM, which accelerates networking by allowing VM NICs to bypass the hypervisor and go directly to the PCIe card underneath. AN significantly enhances the throughput performance of the VM and also scales with additional cores (i.e. larger VMs).

AN is disabled by default. Azure supports enabling AN on pre-provisioned virtual machines. You simply have to stop VM in Azure and update the network card property to set the enableAcceleratedNetworking parameter to true. See the Microsoft documentation Enable accelerated networking on existing VMs. Then restart the VM.

Azure Routing

Routing in an Azure Virtual Network Subnet is determined by the Subnet's Effective Routing Table. The Effective Routing Table is a combination of built-in system routes and the routes in the User Defined Route (UDR) Table.


Note
You can view the Effective Routing Table under VM NIC properties.

You can view and edit the User Defined Routing table. When the system routes and the user defined routes are combined to form the Effective Routing Table, the most specific route wins and ties go to the User Defined Routing table. The System Routing Table includes a default route (0.0.0.0/0) pointing to Azure’s Virtual Network Internet Gateway. The System Routing Table also includes specific routes to the other defined subnets with the next-hop pointing to Azure’s Virtual Network infrastructure gateway.

To route traffic through the Firepower Threat Defense Virtual, routes must be added/updated in the User Defined Routing table associated with each data subnet. Traffic of interest should be routed by using the Firepower Threat Defense Virtual IP address on that subnet as the next-hop. Also, a default route for 0.0.0.0/0 can be added with a next hop of the Firepower Threat Defense Virtual IP if needed.

Because of the existing specific routes in the System Routing Table, you must add specific routes to the User Defined Routing table to point to the Firepower Threat Defense Virtual as the next-hop. Otherwise, a default route in the User Defined table would lose to the more specific route in the System Routing Table and traffic would bypass the Firepower Threat Defense Virtual.

Routing Configuration for VMs in the Virtual Network

Routing in the Azure Virtual Network depends on the Effective Routing Table and not the particular gateway settings on the clients. Clients running in a Virtual Network may be given routes by DHCP that are the .1 address on their respective subnets. This is a place holder and serves only to get the packet to the Virtual Network’s infrastructure virtual gateway. Once a packet leaves the VM it is routed according to the Effective Routing Table (as modified by the User Defined Table). The Effective Routing Table determines the next hop regardless of whether a client has a gateway configured as .1 or as the Firepower Threat Defense Virtual address.

Azure VM ARP tables will show the same MAC address (1234.5678.9abc) for all known hosts. This ensures that all packets leaving an Azure VM will reach the Azure gateway where the Effective Routing Table will be used to determine the path of the packet.

IP Addresses

The following information applies to IP addresses in Azure:

  • The first NIC on the Firepower Threat Defense Virtual (which maps to Management) is given a private IP address in the subnet to which it is attached.

    A public IP address may be associated with this private IP address and the Azure Internet gateway handles the NAT translations.

    You can associate a public IP address with a data interface (GigabitEthernet0/0, for example) after the Firepower Threat Defense Virtual has been deployed; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address.

  • Public IP addresses that are dynamic may change during an Azure stop/start cycle. However, they are persistent during Azure restart and during Firepower Threat Defense Virtual reload.

  • Public IP addresses that are static do not change until you change them in Azure.

  • Firepower Threat Defense Virtual interfaces may use DHCP to set their IP addresses. The Azure infrastructure ensures that the Firepower Threat Defense Virtual interfaces are assigned the IP addresses set in Azure.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us