Cisco Secure Firewall Management Center Virtual Getting Started Guide


Deploy the Firewall Management Center Virtual

Updated: February 5, 2026

Overview

This section describes how to deploy the Firewall Management Center Virtual instance on Google Cloud Platform, including creating VPC networks, configuring firewall rules, and launching the virtual appliance.

The following procedures describe how to prepare your GCP environment and launch the Firewall Management Center Virtual instance.


Create VPC Networks

The Firewall Management Center Virtual deployment requires a Management VPC for the Firewall Management Center Virtual management interface. See Figure 1 on page 3 as a guide.

Procedure

1. In the GCP console, choose VPC networks, then click Create VPC Network.

2. In the Name field, enter a descriptive name for your VPC network.

3. From Subnet creation mode, click Custom.

4. In the Name field under New subnet, enter the desired name.

5. From the Region drop-down list, select the region appropriate for your deployment.

6. In the IP address range field, enter the first network's subnet in CIDR format, such as 10.10.0.0/24.

7. Accept the defaults for all other settings, then click Create.


Create the Firewall Rules

Each VPC network requires firewall rules to allow SSH and HTTPS traffic. Create the firewall rules for each VPC network.

Procedure

1. In the GCP console, choose Networking > VPC network > Firewall, then click Create Firewall Rule.

2. In the Name field, enter a descriptive name for your firewall rule, for example, vpc-asiasouth-mgmt-ssh.

3. From the Network drop-down list, select the name of the VPC network for which you are creating the firewall rule, for example, fmcv-south-mgmt.

4. From the Targets drop-down list, select the option applicable for your firewall rule, for example, All instances in the network.

5. In the Source IP ranges field, enter the source IP address ranges in CIDR format, for example, 0.0.0.0/0.

   Traffic is allowed only from sources within these IP address ranges. The range 0.0.0.0/0 matches every IPv4 source address, so enter the narrowest ranges that cover the hosts that need access.

6. Under Protocols and ports, select Specified protocols and ports.

7. Add your security rules:

  1. Add a rule to allow SSH (TCP/22).

  2. Add a rule to allow TCP port 443.

    You access the Firewall Management Center Virtual UI over HTTPS, which requires port 443 to be open.

8. Click Create.
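To check the rules created by this procedure, the following added example (not part of the Cisco guide) reads firewall rules in the shape that `gcloud compute firewall-rules list --format=json` returns and reports any rule that opens ports 22, 443 or 8305 to sources outside your administrator ranges. The sample rules, the rule name `mgmt-admin-only` and the range 203.0.113.0/24 are constructed for illustration.

```python
import ipaddress

MGMT_PORTS = (22, 443, 8305)  # SSH, FMC GUI, SFTunnel: the ports this guide opens

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (the real "network" field is a full URL; it is shortened here).
SAMPLE_RULES = [
    {"name": "vpc-asiasouth-mgmt-ssh", "network": "fmcv-south-mgmt",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443"]}]},
    {"name": "mgmt-admin-only", "network": "fmcv-south-mgmt",   # hypothetical rule
     "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443", "8305"]}]},
]

def _covers(port_specs, port):
    """Port specs are "22" or "8000-9000"; a missing list means every port."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def exposed_mgmt_ports(rules, admin_ranges):
    """List (rule, port, source) where a management port is open beyond admin_ranges."""
    admins = [ipaddress.ip_network(r) for r in admin_ranges]
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if any(net.version == a.version and net.subnet_of(a) for a in admins):
                continue  # source is inside an approved administrator range
            for allow in rule.get("allowed", []):
                if allow.get("IPProtocol") not in ("tcp", "all"):
                    continue
                findings += [(rule["name"], p, src) for p in MGMT_PORTS
                             if _covers(allow.get("ports"), p)]
    return findings

if __name__ == "__main__":
    for name, port, src in exposed_mgmt_ports(SAMPLE_RULES, ["203.0.113.0/24"]):
        print(f"{name}: tcp/{port} open to {src}")
```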


Create the Firewall Management Center Virtual Instance on GCP

You can follow the steps below to deploy the Firewall Management Center Virtual instance from the GCP console.

Procedure

1. Log in to the GCP Console.

2. Click Navigation menu > Marketplace.

3. Search the Marketplace for “Firewall Management Center BYOL” and choose the offering.

4. Click Launch.

  1. Deployment name — Specify a unique name for the instance.

  2. Image version — Select the version from the drop-down list.

  3. Zone — Select the zone where you want to deploy the Firewall Management Center Virtual.

  4. Machine type — Choose the correct machine type based on the GCP Machine Type Support.

  5. SSH key (optional) — Paste the public key from the SSH key pair.

    The key pair consists of a public key that GCP stores and a private key file that the user stores. Together they allow you to connect to your instance securely. Be sure to save the key pair to a known location, as it will be required to connect to the instance.

  6. Choose whether to allow or block project-wide SSH keys from accessing this instance. See the Google documentation Allowing or blocking project-wide public SSH keys from a Linux instance.

  7. Startup script — Provide the day0 configuration for the Firewall Management Center Virtual.

    The following example shows a sample day0 configuration you can copy and paste in the Startup script field:

    {
      "AdminPassword": "myPassword@123456",
      "Hostname": "cisco-fmcv"
    }

    Tip

    To prevent execution errors, you should validate your day0 configuration using a JSON validator.

  8. Select the Boot disk type from the drop-down list.

    By default, the Standard Persistent Disk is selected. Cisco recommends that you use the default Boot disk type.

  9. The Boot disk size in GB default value is 250 GB. Cisco recommends that you keep the default boot disk size. It cannot be less than 250 GB.

  10. Click Add network interface to configure the Management interface.

    Note

    You cannot add interfaces to an instance after you create it. If you create the instance with an improper interface configuration, you must delete the instance and recreate it with the proper interface configuration.

    • From the Network drop-down list, select a VPC network, for example, vpc-branch-mgmt.

    • From the External IP drop-down list, select the appropriate option.

      For the management interface, set External IP to Ephemeral.

    • Click Done.

  11. Firewall — Apply the firewall rules.

    • Check the Allow TCP port 22 traffic from the Internet (SSH access) check box to allow SSH.

    • Check the Allow HTTPS traffic from the Internet (FMC GUI) check box to allow HTTPS connections.

    • Check the Allow TCP port 8305 traffic from the Internet (SFTunnel comm.) check box to allow the Firewall Management Center Virtual and managed devices to communicate using a two-way, SSL-encrypted communication channel.

  12. Click More to expand the view and make sure that IP Forwarding is set to On.

5. Click Deploy.

Note

Startup time depends on a number of factors, including resource availability. It can take up to 35 minutes for the initialization to complete. Do not interrupt the initialization or you may have to delete the appliance and start over.
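For the Startup script step and its Tip about validating the day0 configuration, the following added example (not Cisco code) checks the text before you paste it. It assumes the two keys in the guide's sample are the expected ones and that their names must match in spelling and case; it also catches problems a generic JSON validator misses, such as duplicate keys and the guide's sample password left unchanged.

```python
import json

# Assumption: the expected keys are the two in the guide's sample, matched by exact case.
EXPECTED_KEYS = ("AdminPassword", "Hostname")
SAMPLE_PASSWORD = "myPassword@123456"           # value printed in the guide's sample

def _no_duplicates(pairs):
    """object_pairs_hook: plain json.loads silently keeps the last duplicate key."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def validate_day0(text):
    """Return a list of problems; an empty list means the text passed every check."""
    try:
        cfg = json.loads(text, object_pairs_hook=_no_duplicates)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        hint = ""
        if any(q in text for q in "\u201c\u201d"):
            hint = " (typographic quotes found; retype them as plain ASCII quotes)"
        return [f"rejected: {exc}{hint}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in EXPECTED_KEYS:
        value = cfg.get(key)
        if key not in cfg:
            near = [k for k in cfg if k.lower() == key.lower()]
            problems.append(f"missing {key!r}" + (f"; found {near[0]!r}" if near else ""))
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"{key!r} must be a non-empty string")
    if cfg.get("AdminPassword") == SAMPLE_PASSWORD:
        problems.append("AdminPassword is still the guide's sample value")
    return problems

# Constructed inputs: a pasted copy with curly quotes, and the guide's sample as-is.
CURLY = '{\u201cAdminPassword\u201d: \u201cx\u201d, \u201cHostname\u201d: \u201ccisco-fmcv\u201d}'
SAMPLE = '{"AdminPassword": "myPassword@123456", "Hostname": "cisco-fmcv"}'

if __name__ == "__main__":
    for label, text in (("curly", CURLY), ("sample", SAMPLE)):
        print(label, validate_day0(text) or "ok")
```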

What to do next

View the instance details from the VM instance page of the GCP console. You’ll find the internal IP address, external IP address, and controls to stop and start the instance. You need to stop the instance if you need to edit it.