Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Getting Started Guide

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Getting Started Guide

Chapter Title

Getting Started with Firepower Threat Defense Virtual and Azure

Results

Updated:
April 26, 2022

Chapter: Getting Started with Firepower Threat Defense Virtual and Azure

Getting Started with Firepower Threat Defense Virtual and Azure

The Firepower Threat Defense Virtual (FTDv) brings Cisco's Next-Generation Firewall functionality to virtualized environments, enabling consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds.

This chapter describes how the FTDv functions in the Azure Marketplace, including feature support, system requirements, guidelines, and limitations. This chapter also describes your options for managing the FTDv.

It's important that you understand your management options before you begin your deployment. You can manage and monitor the FTDv using the Firepower Management Center or the Firepower Device Manager. Other management options may be available.

About FTDv and the Microsoft Azure Cloud

The Firepower Threat Defense Virtual is integrated into the Microsoft Azure marketplace and supports the following instance types:

  • Standard D3—4 vCPUs, 14 GB, 4vNICs

  • Standard D3_v2—4 vCPUs, 14 GB, 4vNICs

  • Standard D4_v2—8 vCPUs, 28 GB, 8vNICs (New in Version 6.5)

  • Standard D5_v2—16 vCPUs, 56 GB, 8vNICs (New in Version 6.5)

  • Standard_D8s_v3—8 vCPUs, 32 GB, 4vNICs (New in Version 7.1)

  • Standard_D16s_v3—16 vCPUs, 64 GB, 8vNICs (New in Version 7.1)

  • Standard_F8s_v2—8 vCPUs, 16 GB, 4vNICs (New in Version 7.1)

  • Standard_F16s_v2—16 vCPUs, 32 GB, 4vNICs (New in Version 7.1)

Prerequisites and Requirements for the FTDv and Azure

Prerequisites

Communication Paths

  • Management interface—Used to connect the FTDv to the Firepower Management Center.


    Note

    In 6.7 and later, you can optionally configure a data interface for FMC management instead of the Management interface. The Management interface is a pre-requisite for data interface management, so you still need to configure it in your initial setup. For more information about configuring a data interface for FMC access, see the configure network management-data-interface command in Cisco Firepower Threat Defense Command Reference.

  • Diagnostic interface—Used for diagnostics and reporting; cannot be used for through traffic.

  • Inside interface (required)—Used to connect the FTDv to inside hosts.

  • Outside interface (required)—Used to connect the FTDv to the public network.

Guidelines and Limitations for the FTDv and Azure

Supported Features

  • Routed firewall mode only

  • Azure Accelerated Networking (AN)

  • Management mode, one of two choices:

  • Public IP addressing—Assign public IP addresses to Management 0/0 and GigabitEthernet0/0.

    You can assign a public IP address to other interfaces as needed; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address.

  • Interfaces:

    • FTDv deploys with 4 vNICs by default.

    • With larger instance support you have the ability to deploy the FTDv with a maximum of 8 vNICs.

    • To add addition vNICs to you FTDv deployment, following the guidelines provided by Microsoft’s Add network interfaces to or remove network interfaces from virtual machines.

    • You configure your FTDv interfaces using your manager. See the configuration guide for your management platform, either FMC or FDM, for complete information about interface support and configuration.

Licensing

  • BYOL (Bring Your Own License) using a Cisco Smart License Account.

  • PAYG (Pay As You Go) licensing, a usage-based billing model that allows customer to run FTDv without having to purchase Cisco Smart Licensing. All licensed features (Malware/Threat/URL Filtering/VPN, etc.) are enabled for a registered PAYG FTDv device. Licensed features cannot be edited or modified from the FMC. (Version 6.5+)


    Note

    PAYG licensing is not supported on the FTDv devices deployed in the FDM mode.

See the "Licensing" chapter in the Firepower Management Center Administration Guide for guidelines when licensing your FTDv device.

Performance Tiers for FTDv Smart Licensing

The FTDv supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.

Table 1. FTDv Licensed Feature Limits Based on Entitlement

Performance Tier

Device Specifications (Core/RAM)

Rate Limit

RA VPN Session Limit

FTDv5, 100Mbps

4 core/8 GB

100Mbps

50

FTDv10, 1Gbps

4 core/8 GB

1Gbps

250

FTDv20, 3Gbps

4 core/8 GB

3Gbps

250

FTDv30, 5Gbps

8 core/16 GB

5Gbps

250

FTDv50, 10Gbps

12 core/24 GB

10Gbps

750

FTDv100, 16Gbps

16 core/34 GB

16Gbps

10,000

Performance Optimizations

To achieve the best performance out of the FTDv, you can make adjustments to the both the VM and the host. See Virtualization Tuning and Optimization on Azure for more information.

Receive Side Scaling—The FTDv supports Receive Side Scaling (RSS), which is a technology utilized by network adapters to distribute network receive traffic to multiple processor cores. Supported on Version 7.0 and later. See Multiple RX Queues for Receive Side Scaling (RSS) for more information.

Unsupported Features

  • Licensing:

    • PLR (Permanent License Reservation)

    • PAYG (Pay As You Go) (Versions 6.4 and earlier)

  • Networking (many of these limitations are Microsoft Azure restrictions):

    • Jumbo frames

    • IPv6

    • 802.1Q VLANs

    • Transparent Mode and other Layer 2 features; no broadcast, no multicast.

    • Proxy ARP for an IP address that the device does not own from an Azure perspective (impacts some NAT capabilities).

    • Promiscuous mode (no capture of subnet traffic).

    • Inline-set modes, passive mode.


      Note

      Azure policy prevents the FTDv from operating in transparent firewall or inline mode because it does not allow interfaces to operate in promiscuous mode.

    • ERSPAN (uses GRE, which is not forwarded in Azure).

  • Management:

    • Console access; management is performed over the network using the FMC (SSH is available for some setup and maintenance activities)

    • Azure portal “reset password” function

    • Console-based password recovery; because the user does not have real-time access to the console, password recovery is not possible. It is not possible to boot the password recovery image. The only recourse is to deploy a new FTDv VM.

  • High Availability (active/standby)

  • Clustering

  • VM import/export

  • FDM user interface (Versions 6.4 and earlier)

Azure DDoS Protection Feature

Azure DDoS Protection in Microsoft Azure is an additional feature implemented at the forefront of the FTDv. In a virtual network, when this feature is enabled it helps to defend applications against common network layer attacks depending on the packet per second of a network’s expected traffic. You can customize this feature based on the network traffic pattern.

For more information about the Azure DDoS Protection feature, see Azure DDoS Protection Standard overview.

How to Manage Your Firepower Threat Defense Virtual Device

You have two options to manage your Firepower Threat Defense Virtual device.

Firepower Management Center

If you are managing large numbers of devices, or if you want to use the more complex features and configurations that the FTD allows, use the FMC to configure your devices instead of the integrated FDM.


Important

You cannot use both the FDM and the FMC to manage the FTD device. Once the FDM integrated management is enabled, it won't be possible to use the FMC to manage the FTD device, unless you disable the local management and re-configure the management to use the FMC. On the other hand, when you register the FTD device to the FMC, the FDM onboard management service is disabled.


Caution

Currently, Cisco does not have an option to migrate your FDM configuration to the FMC and vice-versa. Take this into consideration when you choose what type of management you configure for the FTD device.

Firepower Device Manager

The FDM is an onboard integrated manager.

The FDM is a web-based configuration interface included on some of the FTD devices. The FDM lets you configure the basic features of the software that are most commonly used for small networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many of the FTD devices.


Note

See the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for list of the FTD devices that support the FDM.

Sample Network Topology for the FTDv on Azure

The following figure shows a typical topology for the FTDv in Routed Firewall Mode within Azure. The first defined interface is always the Management interface, and only the Management 0/0 and GigabitEthernet0/0 are assigned public IP addresses.

Resources Created During Deployment

When you deploy the Firepower Threat Defense Virtual in Azure the following resources are created:

  • The FTDv Machine (VM)

  • A Resource Group

    • The FTDv is always deployed into a new Resource Group. However, you can attach it to an existing Virtual Network in another Resource Group.

  • Four NICS named vm name -Nic0, vm name -Nic1, vm name -Nic2, vm name -Nic3

    These NICs map to the FTDv interfaces Management, Diagnostic 0/0, GigabitEthernet 0/0, and GigabitEthernet 0/1 respectively.

  • A security group named vm name -mgmt-SecurityGroup

    The security group will be attached to the VM’s Nic0, which maps to the FTDv management interface.

    The security group includes rules to allow SSH (TCP port 22) and the management traffic for the FMC interface (TCP port 8305). You can modify these values after deployment.

  • Public IP addresses (named according to the value you chose during deployment).

    You can assign a public IP address to any interface; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address..

  • A Virtual Network with four subnets will be created if you choose the New Network option.

  • A Routing Table for each subnet (updated if it already exists)

    The tables are named “subnet name ”-FTDv-RouteTable.

    Each routing table includes routes to the other three subnets with the FTDv IP address as the next hop. You may chose to add a default route if traffic needs to reach other subnets or the Internet.

  • A boot diagnostics file in the selected storage account

    The boot diagnostics file will be in Blobs (binary large objects).

  • Two files in the selected storage account under Blobs and container VHDs named vm name -disk.vhd and vm name -<uuid>.status

  • A Storage account (unless you chose an existing storage account)


    Note
    When you delete a VM, you must delete each of these resources individually, except for any resources you want to keep.

Accelerated Networking (AN)

Azure's Accelerated Networking (AN) feature enables single root I/O virtualization (SR-IOV) to a VM, which accelerates networking by allowing VM NICs to bypass the hypervisor and go directly to the PCIe card underneath. AN significantly enhances the throughput performance of the VM and also scales with additional cores (i.e. larger VMs).

AN is disabled by default. Azure supports enabling AN on pre-provisioned virtual machines. You simply have to stop VM in Azure and update the network card property to set the enableAcceleratedNetworking parameter to true. See the Microsoft documentation Enable accelerated networking on existing VMs. Then restart the VM.

Azure Routing

Routing in an Azure Virtual Network Subnet is determined by the Subnet's Effective Routing Table. The Effective Routing Table is a combination of built-in system routes and the routes in the User Defined Route (UDR) Table.


Note
You can view the Effective Routing Table under VM NIC properties.

You can view and edit the User Defined Routing table. When the system routes and the user defined routes are combined to form the Effective Routing Table, the most specific route wins and ties go to the User Defined Routing table. The System Routing Table includes a default route (0.0.0.0/0) pointing to Azure’s Virtual Network Internet Gateway. The System Routing Table also includes specific routes to the other defined subnets with the next-hop pointing to Azure’s Virtual Network infrastructure gateway.

To route traffic through the Azure Routing FTDv, routes must be added/updated in the User Defined Routing table associated with each data subnet. Traffic of interest should be routed by using the FTDv IP address on that subnet as the next-hop. Also, a default route for 0.0.0.0/0 can be added with a next hop of the FTDv IP if needed.

Because of the existing specific routes in the System Routing Table, you must add specific routes to the User Defined Routing table to point to the FTDv as the next-hop. Otherwise, a default route in the User Defined table would lose to the more specific route in the System Routing Table and traffic would bypass the FTDv.

Routing Configuration for VMs in the Virtual Network

Routing in the Azure Virtual Network depends on the Effective Routing Table and not the particular gateway settings on the clients. Clients running in a Virtual Network may be given routes by DHCP that are the .1 address on their respective subnets. This is a place holder and serves only to get the packet to the Virtual Network’s infrastructure virtual gateway. Once a packet leaves the VM it is routed according to the Effective Routing Table (as modified by the User Defined Table). The Effective Routing Table determines the next hop regardless of whether a client has a gateway configured as .1 or as the FTDv address.

Azure VM ARP tables will show the same MAC address (1234.5678.9abc) for all known hosts. This ensures that all packets leaving an Azure VM will reach the Azure gateway where the Effective Routing Table will be used to determine the path of the packet.

IP Addresses

The following information applies to IP addresses in Azure:

  • The first NIC on the FTDv (which maps to Management) is given a private IP address in the subnet to which it is attached.

    A public IP address may be associated with this private IP address and the Azure Internet gateway handles the NAT translations.

    You can associate a public IP address with a data interface (GigabitEthernet0/0, for example) after the FTDv has been deployed; see Public IP addresses for Azure's guidelines regarding public IPs, including how to create, change, or delete a public IP address.

  • Public IP addresses that are dynamic may change during an Azure stop/start cycle. However, they are persistent during Azure restart and during FTDv reload.

  • Public IP addresses that are static do not change until you change them in Azure.

  • FTDv interfaces may use DHCP to set their IP addresses. The Azure infrastructure ensures that the FTDv interfaces are assigned the IP addresses set in Azure.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco