Cisco Secure Firewall Management Center Virtual Getting Started Guide


Guidelines and Limitations



Overview

Consider these deployment guidelines and VMware-specific limitations for Management Center Virtual. Learn how to configure OVF template settings, time synchronization, and high availability to ensure proper operation in your VMware environment.

OVF File Guidelines

Virtual appliances use Open Virtual Format (OVF) packaging. You deploy a virtual appliance with a virtual infrastructure (VI) or ESXi OVF template. The selection of the OVF file is based on the deployment target:

  • For deployment on vCenter: Cisco_Secure_FW_Mgmt_Center_Virtual_VMware-VI-X.X.X-xxx.ovf

  • For deployment on ESXi (no vCenter): Cisco_Secure_FW_Mgmt_Center_Virtual_VMware-ESXi-X.X.X-xxx.ovf

where X.X.X-xxx is the version and build number of the System software you want to deploy. See

  • If you deploy with a VI OVF template, the installation process allows you to perform the entire initial setup for the Firewall Management Center Virtual appliance. You can specify:

    • A new password for the admin account.

    • Network settings that allow the appliance to communicate on your management network.

      Note

      You must manage this virtual appliance using VMware vCenter.

  • If you deploy using an ESXi OVF template, you must configure System-required settings after installation. You can manage this virtual appliance using VMware vCenter or use it as a standalone appliance.
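Before you hand either OVF file to vCenter or ESXi, verify that the package you downloaded is intact: the .mf manifest shipped alongside an OVF descriptor lists a digest for the descriptor and for every disk image the descriptor references. The script below performs that check. It is an added example, not part of this guide or of Cisco's or VMware's tooling; the demo package it builds uses constructed file names (demo-VI-1.0.0-1.ovf, demo-disk1.vmdk), not a real Cisco build.

```python
"""Integrity check of an OVF package (descriptor, its .mf manifest and the disk
images the descriptor references) before you deploy it. Added example, not Cisco
or VMware code; the file names in the built-in demo package are constructed
stand-ins, not a real Cisco build."""
import hashlib
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return {file name: (hash algorithm, hex digest)} from .mf lines such as
    'SHA256(foo.ovf)= <hex>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line.strip())
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        algo, name, digest = m.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def referenced_files(ovf_path):
    """File names listed in the descriptor's References section (the .vmdk disks)."""
    root = ET.parse(ovf_path).getroot()
    return [el.get(f"{{{OVF_NS}}}href") for el in root.iter(f"{{{OVF_NS}}}File")]


def verify_package(ovf_path):
    """Return a list of problems; an empty list means every package file matches the manifest."""
    pkg_dir = os.path.dirname(ovf_path)
    mf_path = os.path.splitext(ovf_path)[0] + ".mf"
    if not os.path.exists(mf_path):
        return ["no .mf manifest next to the descriptor; integrity cannot be checked"]
    with open(mf_path, encoding="utf-8") as f:
        manifest = parse_manifest(f.read())
    problems = []
    for name in [os.path.basename(ovf_path)] + referenced_files(ovf_path):
        if name not in manifest:
            problems.append(f"{name}: not listed in manifest")
            continue
        algo, want = manifest[name]
        path = os.path.join(pkg_dir, name)
        if not os.path.exists(path):
            problems.append(f"{name}: listed in manifest but missing from package")
            continue
        got = file_digest(path, algo)
        if got != want:
            problems.append(f"{name}: {algo} mismatch (got {got[:12]}..., manifest {want[:12]}...)")
    return problems


def build_demo_package(tamper=False):
    """Write a constructed three-file package into a temp dir and return the .ovf path.
    With tamper=True one byte is appended to the disk after the manifest was written."""
    d = tempfile.mkdtemp()
    names = ("demo-VI-1.0.0-1.ovf", "demo-disk1.vmdk")
    with open(os.path.join(d, names[0]), "w", encoding="utf-8") as f:
        f.write(f'<?xml version="1.0"?>\n<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">\n'
                f'  <References><File ovf:id="file1" ovf:href="{names[1]}" ovf:size="16"/></References>\n'
                '</Envelope>\n')
    with open(os.path.join(d, names[1]), "wb") as f:
        f.write(b"KDMV" + b"\x00" * 12)           # stand-in for a disk image
    with open(os.path.join(d, "demo-VI-1.0.0-1.mf"), "w", encoding="utf-8") as f:
        for name in names:
            f.write(f"SHA256({name})= {file_digest(os.path.join(d, name), 'sha256')}\n")
    if tamper:
        with open(os.path.join(d, names[1]), "ab") as f:
            f.write(b"X")
    return os.path.join(d, names[0])


if __name__ == "__main__":
    # Usage: python verify_ovf.py /path/to/Cisco_Secure_FW_Mgmt_Center_Virtual_VMware-VI-X.X.X-xxx.ovf
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_package()
    problems = verify_package(target)
    print("OK: package matches its manifest" if not problems else "\n".join(problems))
```

The manifest only proves that the disks match the manifest, not that the manifest is the one Cisco shipped; compare the downloaded files against the checksum published on the download page (or verify the package's .cert, if present) before trusting a clean result.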

When you deploy an OVF template you provide the following information:

Table 1. VMware OVF Template Settings (each setting notes whether the ESXi template, the VI template, or both present it)

  • Import/Deploy OVF Template (both): Browse to the OVF template you downloaded from Cisco.com.

  • OVF Template Details (both): Confirm the appliance you are installing (Firewall Management Center Virtual) and the deployment option (VI or ESXi).

  • Accept EULA (VI only): Agree to the terms of the licenses included in the OVF template.

  • Name and Location (both): Enter a unique, meaningful name for your virtual appliance and select the inventory location for it.

  • Host / Cluster (both): Select the host or cluster where you want to deploy the virtual appliance.

  • Resource Pool (both): Manage your computing resources within a host or cluster by setting them up in a meaningful hierarchy. Virtual machines and child resource pools share the resources of the parent resource pool.

  • Storage (both): Select a datastore to store all files associated with the virtual machine.

  • Disk Format (both): Select the format for the virtual disks: thick provision lazy zeroed or thick provision eager zeroed.

    Note

    We recommend the thick provisioned disk format to ensure optimal performance.

  • Network Mapping (both): Select the management interface for the virtual appliance.

  • Properties (VI only): Customize the virtual machine's initial configuration (the admin password and the management network settings).

Time and Time Synchronization

Use a Network Time Protocol (NTP) server to synchronize system time on the Firewall Management Center Virtual and managed devices. You typically specify NTP servers during the Firewall Management Center Virtual initial configuration; see Firewall Management Center Virtual Initial Setup for the information about the default NTP servers.

Synchronizing the system time on your Firewall Management Center Virtual and its managed devices is essential to successful operation of your System. You can take additional steps to ensure time synchronization when you configure NTP on the VMware ESXi server to match the NTP settings of the Firewall Management Center Virtual.

You can use the vSphere Client to configure NTP on ESXi hosts. Consult the VMware documentation for specific instructions. Additionally, VMware KB 2012069 describes how to configure NTP on ESX/ESXi hosts using the vSphere Client.
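A direct way to confirm that the NTP server you entered at initial setup (and the one you configured on the ESXi host) is reachable, and that the clock of the host you run it from agrees with it, is an SNTP query from that host. The probe below is an added example, not code from this guide or from Cisco or VMware; ntp.example.com is a placeholder assumption, to be replaced with the servers the Management Center Virtual actually uses.

```python
"""SNTP probe (RFC 4330) for checking that the NTP servers configured on the
Management Center Virtual and the ESXi host answer, and how far the local clock
is from them. Added example, not Cisco or VMware code. The default server name
below is a placeholder assumption; pass your real servers on the command line."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01
NTP_PACKET = "!BBBb11I"         # LI/VN/Mode, stratum, poll, precision, then 11 x 32-bit words


def to_ntp_words(unix_ts):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp words."""
    sec = int(unix_ts)
    return sec + NTP_EPOCH_OFFSET, int((unix_ts - sec) * 2**32)


def from_ntp_words(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / 2**32


def build_request(t1_words):
    pkt = bytearray(48)
    pkt[0] = 0x23                                   # LI=0, VN=4, Mode=3 (client)
    struct.pack_into("!II", pkt, 40, *t1_words)     # transmit timestamp (T1) lives at offset 40
    return bytes(pkt)


def offset_from_reply(t1_words, data, t4):
    """Validate a server reply and return (clock offset, round-trip delay) in seconds."""
    if len(data) < 48:
        raise ValueError("short NTP reply")
    flags, stratum, _poll, _precision, *w = struct.unpack(NTP_PACKET, data[:48])
    if flags & 0x07 != 4:
        raise ValueError("not a server (mode 4) reply")
    if flags >> 6 == 3 or stratum == 0:
        raise ValueError("server unsynchronized (LI=3) or kiss-o'-death (stratum 0)")
    if (w[5], w[6]) != tuple(t1_words):             # originate timestamp must echo our T1
        raise ValueError("originate timestamp mismatch: stray, replayed or spoofed reply")
    t1 = from_ntp_words(*t1_words)
    t2 = from_ntp_words(w[7], w[8])                 # server receive timestamp
    t3 = from_ntp_words(w[9], w[10])                # server transmit timestamp
    offset = ((t2 - t1) + (t3 - t4)) / 2.0          # RFC 4330 section 5
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query(server, port=123, timeout=3.0):
    """One SNTP exchange with a live server; returns (offset, delay)."""
    t1_words = to_ntp_words(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1_words), (server, port))
        data, _ = sock.recvfrom(512)
    return offset_from_reply(t1_words, data, time.time())


def synthetic_reply(t1_words, server_ahead_s):
    """Constructed stratum-2 reply from a server whose clock runs server_ahead_s
    ahead of ours, for offline testing; real replies come from query()."""
    t2 = to_ntp_words(from_ntp_words(*t1_words) + server_ahead_s)
    return struct.pack(NTP_PACKET, 0x24, 2, 6, -20,  # LI=0 VN=4 Mode=4, stratum 2, poll 6, precision 2^-20
                       0, 0, 0,                      # root delay, root dispersion, reference id
                       *t2, *t1_words, *t2, *t2)     # reference, originate, receive, transmit timestamps


if __name__ == "__main__":
    servers = sys.argv[1:] or ["ntp.example.com"]   # assumption: replace with the FMCv's configured servers
    for srv in servers:
        try:
            off, dly = query(srv)
            print(f"{srv}: offset {off:+.3f}s delay {dly:.3f}s {'OK' if abs(off) < 1.0 else 'SKEW'}")
        except (OSError, ValueError) as err:
            print(f"{srv}: check failed: {err}")
```

Run it from a shell with access to the management network, passing the same servers the Management Center Virtual uses. An offset that is not close to zero means the clocks disagree and should be corrected on the ESXi host or the appliance; a reply that fails the originate-timestamp check did not come in answer to this request and should be treated as suspect rather than used.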

vMotion Support

We recommend that you use shared storage if you plan to use vMotion. During deployment, if you have a host cluster, you can provision storage either locally (on a specific host) or on shared storage. However, if you try to vMotion a Firewall Management Center Virtual that sits on local storage to another host, the migration fails with an error.

Snapshots Support

A VMware snapshot is a copy of the virtual machine's disk file (VMDK) at a given point in time. Snapshots provide a change log for the virtual disk and can be used to restore a VM to a particular point in time when a failure or system error occurs. Snapshots alone do not provide backup, and should not be used as backup.

If you need configuration backups, use the backup and restore feature of the Firewall Management Center (System > Tools > Backup/Restore).

The VMware snapshots functionality on ESXi can exhaust VM storage capacity and impact the performance of the FMC virtual appliance. See the following VMware Knowledge Base articles:

  • Best practices for using snapshots in the vSphere environment (VMware KB 1025279).

  • Understanding VM snapshots in ESXi (VMware KB 1015180).

High Availability (HA) Support

You can establish high availability (HA) between two Firewall Management Center Virtual appliances on VMware ESXi.

  • The two Firewall Management Center Virtual virtual appliances in a high availability configuration must be the same model.

  • To establish the Firewall Management Center Virtual HA, Firewall Management Center Virtual requires an extra Firewall Management Center Virtual license entitlement for each Secure Firewall Threat Defense (formerly Firepower Threat Defense) device that it manages in the HA configuration. However, the required Firewall Threat Defense feature license entitlement for each Firewall Threat Defense device has no change regardless of the Firewall Management Center Virtual HA configuration. See License Requirements for Threat Defense Devices in a High Availability Pair in the Cisco Secure Firewall Management Center Device Configuration Guide for guidelines about licensing.

  • If you break the Firewall Management Center Virtual HA pair, the extra Firewall Management Center Virtual license entitlement is released, and you need only one entitlement for each Firewall Threat Defense device.

See Establishing Management Center High Availability in the Cisco Secure Firewall Management Center Administration Guide for guidelines about high availability.

INIT Respawning Error Messages Symptom

You may see the following error message on the Firewall Management Center Virtual console running on ESXi 6 and ESXi 6.5:

"INIT: Id "fmcv" respawning too fast: disabled for 5 minutes"

Workaround—Edit the virtual machine settings in vSphere to add a serial port while the device is powered off.

  1. Right-click the virtual machine and select Edit Settings.

  2. On the Virtual Hardware tab, select Serial port from the New device drop-down menu, and click Add.

    The serial port appears at the bottom of the virtual device list.

  3. On the Virtual Hardware tab, expand Serial port, and select connection type Use physical serial port.

  4. Uncheck the Connect at power on checkbox.

    Click OK to save settings.

Limitations

The following limitations exist when deploying on VMware:

  • Firewall Management Center Virtual appliances do not have serial numbers. The System > Configuration page will show either None or Not Specified depending on the virtual platform.

  • Cloning a virtual machine is not supported.

  • Restoring a virtual machine from a snapshot is not supported.

  • VMware Workstation, Player, Server, and Fusion do not recognize OVF packaging and are not supported.


Configure VMXNET3 Interfaces

  • From the 6.4 release, if you are using e1000 interfaces, we strongly recommend you switch to VMXNET3 interfaces. The VMXNET3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

  • On 7.4 and earlier releases, FMCv300 supports e1000 interfaces only.

    From the 7.6 release, the FMCv300 supports both e1000 and VMXNET3 interfaces. The management center virtual on VMware still defaults to e1000 interfaces when you deploy the VM, so we strongly recommend that you switch to VMXNET3 interfaces.

  • From the 10.0.0 release, the threat defense virtual and the management center virtual on VMware default to VMXNET3 interfaces when you deploy the VM.

To change e1000 interfaces to vmxnet3, you must delete ALL interfaces and reinstall them with the vmxnet3 driver.

Although you can mix interfaces in your deployment (such as, e1000 interfaces on the Firewall Management Center and vmxnet3 interfaces on its managed virtual device), you cannot mix interfaces on the same virtual appliance. All sensing and management interfaces on the virtual appliance must be of the same type.
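You can check the same-type rule without opening vSphere: the VM's .vmx file records each adapter as an ethernetN.virtualDev key. The script below reads those keys and reports mixed adapter types and any remaining e1000 adapters. It is an added example, not Cisco or VMware code, and the embedded .vmx text is constructed; it only reports, the change itself still goes through the procedure that follows.

```python
"""Checks a VM's .vmx file against the adapter rules in this section: every NIC on
one appliance must be the same type, and e1000 should give way to vmxnet3.
Added example, not Cisco or VMware code; the sample .vmx text is constructed."""
import re
import sys

PRESENT_KEY = re.compile(r'^\s*(ethernet\d+)\.present\s*=\s*"([^"]*)"', re.IGNORECASE)
VIRTUALDEV_KEY = re.compile(r'^\s*(ethernet\d+)\.virtualDev\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed example: a management center virtual whose second NIC was re-added
# as vmxnet3 while the first is still e1000, plus a disabled leftover adapter.
SAMPLE_VMX_MIXED = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "fmcv-demo"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.networkName = "mgmt"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet1.networkName = "mgmt"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "e1000"
"""


def adapter_types(vmx_text):
    """Map ethernetN -> virtualDev for adapters that are present (present != FALSE)."""
    present, types = {}, {}
    for line in vmx_text.splitlines():
        m = PRESENT_KEY.match(line)
        if m:
            present[m.group(1).lower()] = m.group(2).upper() != "FALSE"
        m = VIRTUALDEV_KEY.match(line)
        if m:
            types[m.group(1).lower()] = m.group(2).lower()
    return {nic: dev for nic, dev in types.items() if present.get(nic, True)}


def check_adapters(vmx_text):
    """Return (ok, findings): mixed adapter types on one VM, and any e1000/e1000e adapters."""
    types = adapter_types(vmx_text)
    findings = []
    if len(set(types.values())) > 1:
        findings.append("mixed adapter types on one appliance: "
                        + ", ".join(f"{n}={d}" for n, d in sorted(types.items())))
    legacy = sorted(n for n, d in types.items() if d in ("e1000", "e1000e"))
    if legacy:
        findings.append("e1000 adapters present, replace with vmxnet3: " + ", ".join(legacy))
    return not findings, findings


if __name__ == "__main__":
    # Usage: python check_vmx_nics.py /vmfs/volumes/<datastore>/<vm>/<vm>.vmx  (path is illustrative)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_VMX_MIXED
    ok, findings = check_adapters(text)
    print("OK: uniform adapter type, no e1000" if ok else "\n".join(findings))
```

Point it at the .vmx on the datastore (the path in the usage comment is illustrative) after the VM is powered off; a clean result means the adapter types are consistent, not that the guest has been reconfigured for them.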

Procedure

1. Power off the Firewall Threat Defense Virtual or the Firewall Management Center Virtual machine. To change the interfaces, you must power down the appliance.

2. Right-click the Firewall Threat Defense Virtual or the Firewall Management Center Virtual machine in the inventory and select Edit Settings.

3. Select the applicable network adapters and then select Remove.

4. Click Add to open the Add Hardware wizard.

5. Select Ethernet adapter and click Next.

6. Select the vmxnet3 adapter and then choose the network label.

7. Repeat for all interfaces on the virtual appliance.

What to do next

  • Power on the Firewall Threat Defense Virtual or the Firewall Management Center Virtual from the VMware console.