Deploy the Firewall Management Center Virtual on Azure
Overview
Prerequisites
Guidelines and Limitations
Resources Created During Deployment
Deploy the Firewall Management Center Virtual
- Deploy from Azure Marketplace Using the Solution Template
- Deploy from Azure Using a VHD and Resource Template
Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment
Deploy the IPv6 Supported Secure Firewall Management Center Virtual on Azure
About IPv6 Supported Deployment on Azure
Deploy from Azure Using Custom IPv6 Template with Marketplace Image Reference
Deploy from Azure Using a VHD and Custom IPv6 Template
Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment
Verify the Firewall Management Center Virtual Deployment
Monitoring and Troubleshooting
Feature History

Deploy the Firewall Management Center Virtual on Azure

You can deploy the Firewall Management Center Virtual as a virtual machine on the Microsoft Azure public cloud.

Important

The Firewall Management Center Virtual is supported on Microsoft Azure starting with Cisco software version 6.4 and later.

Overview

You deploy the Firewall Management Center Virtual in Microsoft Azure using a solution template available in the Azure Marketplace. When you deploy the Firewall Management Center Virtual using the Azure portal you can use an existing empty resource group and storage account (or create them new). The solution template walks you through a set of configuration parameters that provide the initial setup of your Firewall Management Center Virtual, allowing you to login to the Firewall Management Center Virtual web interface after first boot.

Firewall Management Center Virtual Requires 28 GB RAM for Upgrade (6.6.0+)

The Firewall Management Center Virtual platform has introduced a new memory check during upgrade. The Firewall Management Center Virtual upgrades to Version 6.6.0+ will fail if you allocate less than 28 GB RAM to the virtual appliance.

Important

As of the Version 6.6.0 release, lower-memory VM sizes for cloud-based Firewall Management Center Virtual deployments (AWS, Azure) are fully deprecated. You cannot create new Firewall Management Center Virtual instances using them, even for earlier versions. You can continue running existing VM sizes. See Table 1.

As a result of this memory check, we will not be able to support lower memory VM sizes on supported platforms.

The Firewall Management Center Virtual on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the Firewall Management Center Virtual in the standard Azure public cloud environment. The Firewall Management Center Virtual in the Azure Marketplace supports the Bring Your Own License (BYOL) model.

The following table summarizes the Azure VM sizes that the Firewall Management Center Virtual supports; those that Versions 6.5.x and earlier support, and those that Version 6.6.0+ support.

Table 1. Azure Supported VM Sizes for the Firewall Management Center Virtual
Platform	Version 6.6.0+	Version 6.5.x and earlier*
Firewall Management Center Virtual	Standard_D4_v2: 8 vCPUs, 28 GB	Standard_D3_v2: 4 vCPUs, 14 GB
	—	Standard_D4_v2: 8 vCPUs, 28 GB
	*Note that the Firewall Management Center Virtual will no longer support the Standard_D3_v2 VM size after Version 6.6.0 is released. Beginning with Version 6.6.0, you must deploy the Firewall Management Center Virtual (any version) using a VM size with at least 28 GB RAM. See Resizing VM.

Deprecated VM Sizes

You can continue running your current Version 6.5.x and earlier the Firewall Management Center Virtual deployments using Standard_D3_v2, but you will not be able to launch new Firewall Management Center Virtual deployments (any version) using this VM size.

Resizing VM

Because the upgrade path from any earlier version of Firewall Management Center Virtual (6.2.x, 6.3.x, 6.4.x, and 6.5.x) to Version 6.6.0 includes the 28 GB RAM memory check, if you are using the Standard_D3_v2, you need to resize your VM to Standard_D4_v2 (see Table 1).

You can use the Azure portal or PowerShell to resize your VM. If the virtual machine is currently running, changing its size will cause it to be restarted. Stopping the virtual machine may reveal additional sizes.

For instructions on how to resize your VM, see the Azure documentation “Resize a Windows VM” (https://docs.microsoft.com/en-us/azure/virtual-machines/windows/resize-vm).

Prerequisites

Support for the Firewall Management Center Virtual on Microsoft Azure is new with the release of version 6.4.0. For the Firewall Management Center Virtual and System compatibility, see Cisco Secure Firewall Threat Defense Compatibility Guide.

Verify the following before you deploy the Firewall Management Center Virtual in Azure:

Create an account on Azure.com.

After you create an account on Microsoft Azure, you can log in, search the marketplace for Firewall Management Center Virtual, and choose the “Firewall Management Center BYOL” offering.
A Cisco Smart Account. You can create one at Cisco Software Central (https://software.cisco.com/).

Guidelines and Limitations

Supported Features

Supported Azure VM sizes:
- Standard_D3_v2—4 vCPUs, 14GB memory, 250GB disk size
- Standard_D4_v2—8 vCPUs, 28GB memory, 400GB disk size

Licensing

The Firewall Management Center Virtual in the Azure public marketplace supports the Bring Your Own License (BYOL) model. For the Firewall Management Center Virtual, this is a platform license rather than a feature license. The version of virtual license you purchase determines the number of devices you can manage via the Firewall Management Center Virtual. For example, you can purchase licenses that enable you to manage two devices, 10 devices, or 25 devices.

Licensing modes:
- Smart License only

For licensing details, see Licensing the System in the Secure Firewall Management Center Configuration Guide for more information about how to manage licenses; see Cisco Secure Firewall Management Center Feature Licenses for an overview of feature licenses for the System, including helpful links.

System Shut Down and Restart

Do not use the Restart and Stop controls on the Azure Virtual machine overview page to power on the Firewall Management Center Virtual VM. These are not graceful shutdown mechanisms and can lead to database corruption.

Use the System > Configuration options available from the Firewall Management Center Virtual's Web interface to shut down or restart the virtual appliance.

Use the shutdown and restart commands from the Firewall Management Center Virtual's command line interface to shut down or restart the appliance.

Unsupported Features

Licensing modes:
- Pay As You Go (PAYG) licensing.
- Permanent License Reservation (PLR).
Management
- Azure portal “reset password” function.
- Console-based password recovery; because the user does not have real-time access to the console, password recovery is not possible. It is not possible to boot the password recovery image. The only recourse is to deploy a new Firewall Management Center Virtual VM.
VM import/export
HA is not supported on Secure Firewall version 7.4.1 and earlier versions.
Gen 2 VM generation on Azure
Re-sizing the VM after deployment
Migration or update of the Azure Storage SKU for the OS Disk of the VM from premium to standard SKU and vice versa

Resources Created During Deployment

When you deploy the Firewall Management Center Virtual in Azure the following resources are created:

The Firewall Management Center Virtual Machine with a single interface (requires a new or an existing virtual network with 1 subnet).
A Resource Group.

The Firewall Management Center Virtual is always deployed into a new Resource Group. However, you can attach it to an existing Virtual Network in another Resource Group.
A security group named vm name-mgmt-SecurityGroup.

The security group will be attached to the VM’s Nic0.

The security group includes rules to allow SSH (TCP port 22) and the management traffic for the Firewall Management Center interface (TCP port 8305). You can modify these values after deployment.

A Public IP Address (named according to the value you chose during deployment).

The public IP address is associated with VM Nic0, which maps to Management.

Note

You can create a new public IP or choose an existing one. You can also choose NONE. Without a public IP address, any communication to the Firewall Management Center Virtual must originate within the Azure virtual network

A Routing Table for the subnet (updated if it already exists).
A boot diagnostics file in the selected storage account.

The boot diagnostics file will be in Blobs (binary large objects).
Two files in the selected storage account under Blobs and container VHDs named VM name-disk.vhd and VM name-<uuid>.status.

A Storage account (unless you chose an existing storage account).

Important

When you delete a VM, you must delete each of these resources individually, except for any resources you want to keep.

Deploy the Firewall Management Center Virtual

You can deploy the Firewall Management Center Virtual in Azure using templates. Cisco provides two kinds of templates:

Solution Template in the Azure Marketplace—Use the solution template available in the Azure Marketplace to deploy the Firewall Management Center Virtual using the Azure portal. You can use an existing resource group and storage account (or create them new) to deploy the virtual appliance. To use the solution template, see Deploy from Azure Marketplace Using the Solution Template.
ARM Templates in the GitHub Repository—In addition to the Marketplace-based deployment, Cisco provides Azure Resource Manager (ARM) templates in the GitHub Repository to simplify the process of deploying the Firewall Management Center Virtual on Azure. Using a Managed Image and two JSON files (a Template file and a Parameter file), you can deploy and provision all the resources for the Firewall Management Center Virtual in a single, coordinated operation.

Note

While searching for Cisco offers in Marketplace, you may find two different offers with similar names, but different offer types, Application Offer and Virtual Machine Offer.

For marketplace deployments, use ONLY the Application Offers.

Virtual Machine offer (may be visible) with VMSR (Virtual Machine Software Reservations) plan in marketplace. These are specific Multiparty Private Offer plans specifically for channel/resale and should be ignored for regular deployments.

Application Offers available in Marketplace:

Deploy from Azure Marketplace Using the Solution Template

Deploy the Firewall Management Center Virtual from the Azure portal using the solution template available in the Azure Marketplace. The following procedure is a top-level list of steps to set up the Firewall Management Center Virtual in the Microsoft Azure environment. For detailed steps for Azure setup, see Getting Started with Azure.

When you deploy the Firewall Management Center Virtual in Azure it automatically generates various configurations, such as resources, public IP addresses, and route tables. You can further manage these configurations after deployment. For example, you may want to change the Idle Timeout value from the default, which is a low timeout.

Procedure

Step 1

The Azure portal shows virtual elements associated with the current account and subscription regardless of data center location.

Step 2

Click Create a Resource.

Step 3

Search the Marketplace for “Firewall Management Center ”, choose the offering, and click Create.

Step 4

Configure the settings under Basics:

Enter a name for the virtual machine in the FMC VM name in Azure field. This name should be unique within your Azure subscription.

Attention

Make sure you do not use an existing name or the deployment will fail.

(Optional) Choose the FMC Software Version from the dropdown list.

This should default to the latest available version.

Enter a username for the Azure account administrator in the Username for primary account field.

The name “admin” is reserved in Azure and cannot be used.

Attention

The username entered here is for the Azure account, not for the Firewall Management Center Virtual administrator access. Do not use this username to log in to the Firewall Management Center Virtual.

Choose an authentication type, either Password or SSH public key.

If you choose Password, enter a password and confirm. The password must be between 12 and 72 characters, and must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character that is not ‘\’ or ‘-’.

If you choose SSH public key, specify the RSA public key of the remote peer.
Enter an FMC Hostname for the Firewall Management Center Virtual.
Enter an Admin Password.

This is the password you'll use when you log in to the Firewall Management Center Virtual's Web interface as the administrator to configure the Firewall Management Center Virtual.
Choose your Subscription type.

Normally there is only one option listed.
Create a new Resource group.

The Firewall Management Center Virtual should be deployed into a new Resource Group. The option to deploy into an existing Resource Group only works if that existing Resource Group is empty.

However, you can attach the Firewall Management Center Virtual to an existing Virtual Network in another Resource Group when configuring the network options in later steps.
Select your geographical Location.

You should use the same location for all resources used in this deployment. The Firewall Management Center Virtual, the network, storage accounts, etc. should all use the same location.
Click OK.

Step 5

Next, complete the initial configuration under Cisco FMCv Settings:

Confirm the selected Virtual machine size, or click the Change size link to view the VM size options. Click Select to confirm..

Only the supported virtual machine sizes are shown.
Configure a Storage account. You can use an existing storage account or create a new one.
- Enter a Name for the storage account, then click OK. The storage account name can only contain lowercase letters and numbers. It cannot contain special characters.
- As of this release the Firewall Management Center Virtual only supports general purpose, standard performance storage.

Configure a Public IP address. You can use an existing IP or create a new one.

Click Create new to create a new public IP address. Enter a label for the IP address in the Name field, select Standard for the SKU option, then click OK.

Note

Azure creates a dynamic public IP address, regardless of the dynamic/static choice made in this step. The public IP may change when the VM is stopped and restarted. If you prefer a fixed IP address, you can edit the public-ip and change it from a dynamic to a static address after the deployment has completed.

You can choose NONE if you don't want to assign a public IP address to the Firewall Management Center Virtual. Without a public IP address, any communication to the Firewall Management Center Virtual must originate within the Azure virtual network.

Add a DNS label that matches the label of the public IP.

The fully qualified domain name will be your DNS label plus the Azure URL: <dnslabel>.<location>.cloudapp.azure.com
Choose an existing Virtual network or create a new one, the click OK.
Configure the management subnet for the Firewall Management Center Virtual.

Define a Management subnet name and review the Management subnet prefix. The recommended subnet name is “management”.

Provide Public inbound ports (mgmt.interface) input to indicate whether any ports are to be opened for public or not. By default, None is selected.

Click None to create and attach a network security group with Azure's default security rule to the management interface. Selecting this option allows traffic from sources in the same virtual network and from the Azure load balancer.
Click Allow selected ports to view and choose the inbound ports to be opened for acess by the internet. Choose any of the following ports from the Select Inbound Ports drop-down list. By default, HTTPS is selected.
- SSH (22)
- SFTunnel (8305)
- HTTPs (443)

Note

The Public IP is not considered for the values of Allow selected ports or Public inbound ports.

Click OK.

Step 6

View the configuration summary, and then click OK.

Step 7

View the terms of use and then click Create.

Step 8

Select Notifications (bell icon) at the top of the portal to view the status of the deployment.

From here, you can click on the deployment to see further details or go to the resource group once the deployment is successful. The total time until the Firewall Management Center Virtual is usable is approximately 30 minutes. Deployment times vary in Azure. Wait until Azure reports that the Firewall Management Center Virtual VM is running.

Step 9

(Optional) Azure provides a number of tools to help you monitor the state of your VM, including Boot diagnostics and Serial console. These tools allow you to see the state of your virtual machine as it boots up.

On the left menu, select Virtual machines.
Select your Firewall Management Center Virtual VM in the list. The overview page for the VM will open.
Scroll down to the Support + troubleshooting section and select Boot diagnostics or Serial console. A new pane with either the boot diagnostic Screenshot and Serial log or the text-based Serial console opens and starts the connection.

The readiness of the Firewall Management Center Virtual's Web interface is confirmed if you see the login prompt on either boot diagnostics or serial console.
Example:
```
Cisco Secure Firewall Management Center for Azure v7.6.0 (build 44)
FMCv76East login: 
```

What to do next

Verify that your Firewall Management Center Virtual deployment was successful. The Azure Dashboard lists the new Firewall Management Center Virtual VM under Resource Groups, along with all of the related resources (storage, network, route table, etc.).

Deploy from Azure Using a VHD and Resource Template

You can create your own custom Firewall Management Center Virtual images using a compressed VHD image available from Cisco. To deploy using a VHD image, you must upload the VHD image to your Azure storage account. Then, you can create a managed image using the uploaded disk image and an Azure Resource Manager template. Azure templates are JSON files that contain resource descriptions and parameter definitions.

Before you begin

You need the JSON template and corresponding JSON parameter file for your Firewall Management Center Virtual template deployment. You can download these files from the GitHub repository.
This procedure requires an existing Linux VM in Azure. We recommend that you use a temporary Linux VM (such as Ubuntu 16.04) to upload the compressed VHD image to Azure. This image will require about 50GB of storage when unzipped. Also, your upload time to Azure storage is faster from a Linux VM in Azure.

If you need to create a VM, use one of the following methods:
- Create a Linux virtual machine with the Azure CLI
- Create a Linux virtual machine with the Azure portal
In your Azure subscription, you should have a storage account available in the location in which you want to deploy the Firewall Management Center Virtual.

Procedure

Step 1

Download the Firewall Management Center Virtual compressed VHD image from the Cisco Download Software page:

Navigate to Products > Security > Firewalls > Firewall Management > Secure Firewall Management Center Virtual.
Click Firepower Management Center Software.

Follow the instructions for downloading the image.

For example, Cisco_Secure_FW_Mgmt_Center_Virtual_Azure-7.3.0-69.vhd.bz2

Step 2

Copy the compressed VHD image to your Linux VM in Azure.

There are many options that you can use to move files up to Azure and down from Azure. This example shows SCP or secure copy:

# scp /username@remotehost.com/dir/Cisco_Secure_FW_Mgmt_Center_Virtual_Azure-7.3.0-69.vhd.bz2 <linux-ip>

Step 3

Step 4

Unzip the Firewall Management Center Virtual VHD image.

There are many options that you can use to unzip or decompress files. This example shows the Bzip2 utility, but there are also Windows-based utilities that would work.

# bunzip2 Cisco_Secure_FW_Mgmt_Center_Virtual_Azure-7.3.0-69.vhd.bz2

Step 5

Upload the VHD to a container in your Azure storage account. You can use an existing storage account or create a new one. The storage account name can only contain lowercase letters and numbers.

There are many options that you can use to upload a VHD to your storage account, including AzCopy, Azure Storage Copy Blob API, Azure Storage Explorer, Azure CLI, or the Azure Portal. We do not recommend using the Azure Portal for a file as large as the Firewall Management Center Virtual VHD.

The following example shows the syntax using Azure CLI:

azure storage blob upload \
       --file <unzipped vhd> \
       --account-name <azure storage account> \
       --account-key yX7txxxxxxxx1dnQ== \
       --container <container> \
       --blob <desired vhd name in azure> \
       --blobtype page

Step 6

Create a Managed Image from the VHD:

In the Azure Portal, select Images.
Click Add to create a new image.

Provide the following information:

Subscription—Choose a subscription from the drop-down list.
Resource group—Choose an existing resource group or create a new one.
Name—Enter a user-defined name for the managed image.
Region—Choose the region in which the VM Is deployed.
OS type—Choose Linux as the OS type.

VM generation—Choose Gen 1.

Note

Gen 2 is not supported.

Storage blob—Browse to the storage account to select the uploaded VHD.
Account type—As per your requirement, choose Standard HDD, Standard SSD, or Premium SSD, from the drop-down list.

When you select the VM size planned for deployment of this image, ensure that the VM size supports the selected account type.
Host caching—Choose Read/write from the drop-down list.
Data disks—Leave at default; don't add a data disk.

Click Create.

Wait for the Successfully created image message under the Notifications tab.

Note

Once the Managed Image has been created, the uploaded VHD and upload Storage Account can be removed.

Step 7

Acquire the Resource ID of the newly created Managed Image.

Internally, Azure associates every resource with a Resource ID. You’ll need the Resource ID when you deploy new Firewall Management Center Virtual instances from this managed image.

In the Azure Portal, select Images.
Select the managed image created in the previous step.
Click Overview to view the image properties.
Copy the Resource ID to the clipboard.

The Resource ID takes the form of:

/subscriptions/<subscription-id>/resourceGroups/<resourceGroup>/providers/Microsoft.Compute/<container>/ <vhdname>

Step 8

Build a Firewall Management Center Virtual instances using the managed image and a resource template:

Select New, and search for Template Deployment until you can select it from the options.
Select Create.
Select Build your own template in the editor.

You have a blank template that is available for customizing. See GitHub for the template files.
Paste your customized JSON template code into the window, and then click Save.
Choose a Subscription from the drop-down list.
Choose an existing Resource group or create a new one.
Choose a Location from the drop-down list.
Paste the Managed Image Resource ID from the previous step into the Vm Managed Image Id field.

Step 9

Click Edit parameters at the top of the Custom deployment page. You have a parameters template that is available for customizing.

Click Load file and browse to the customized Firewall Management Center Virtual parameter file. See GitHub for the template parameters.
Paste your customized JSON parameters code into the window, and then click Save.

Step 10

Review the Custom deployment details. Make sure that the information in Basics and Settings matches your expected deployment configuration, including the Resource ID.

Step 11

Review the Terms and Conditions, and check the I agree to the terms and conditions stated above check box.

Step 12

Click Purchase to deploy a Firewall Management Center Virtual instance using the managed image and a custom template.

If there are no conflicts in your template and parameter files, you should have a successful deployment.

The Managed Image is available for multiple deployments within the same subscription and region.

What to do next

Update the Firewall Management Center Virtual’s IP configuration in Azure.

Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment

This applies only for the Azure Private Marketplace users. If you are using Azure Private Marketplace, then ensure that both Application Offers and required Virtual Machine Offers (hidden) are enabled for the user in respective private marketplace.

Virtual Machine Offers and Plans (hidden):

Publisher ID: cisco
Cisco Secure Firewall Management Center Virtual VM Offers (used for both the Cisco Secure Firewall Management Center Virtual Application offers)
- Offer ID: cisco-fmcv
- BYOL Plan ID: fmcv-azure-byol
Cisco Firepower Management Center 300 Virtual
- Offer ID: cisco-fmcv300
- BYOL Plan ID: fmcv300-azure-byol

When user deploys the visible application offer from Marketplace, corresponding image from the VM offer plan is referenced and deployed.

Therefore, for the deployment to work, both Application and VM offers needs to be enabled/available on the Private Marketplace for the Azure tenant/subscription.

Refer the Azure documentation for enabling these application and VM offers in private marketplaces.

Application offers are easily enabled via Azure UI as they are visible in the marketplace.

In order to enable hidden virtual machine offers in private marketplace, you might have to rely on CLI commands (at the time of this doc creation only CLI way is possible).

Sample command:

Cisco Secure Firewall Management Center Virtual BYOL plan can be enabled using similar sample command given below:

$Params = @{
  privateStoreId = ‘<private-store-id>’
  offerId = ‘<publisher-id>.<vm-offer-id>’
  SpecificPlanIdsLimitation =@(‘<plan-id-under-vm-offer>’)
}
Set-AzMarketplacePrivateStoreOffer @Params

$Params = @{
  privateStoreId = ‘<private-store-id>’
  offerId = ‘cisco.cisco-fmcv’
  SpecificPlanIdsLimitation =@(‘fmcv-azure-byol’)
}
Set-AzMarketplacePrivateStoreOffer @Params

Note

The sample command is only for reference, check Azure documentation for more details.

Reference Error message

{
  "code": "MarketplacePurchaseEligibilityFailed",
  "details": [
    {
      "code": "BadRequest",
      "message": "Offer with PublisherId: 'cisco', OfferId: 'cisco-XXXX' cannot be purchased due to validation errors. For more information see details. 
Correlation Id: 'XXXXX` 
This plan is not available for purchase because it needs to be added to your tenant's Private Marketplace. Contact your admin to request adding the plan. 
Link to plan: <URL>. 
Plan: '<PLAN NAME>'(planId=<VM-OFFER-PLAN-ID>), 
Offer: <OFFER_NAME>, Publisher: 'Cisco Systems, Inc.'(publisherId='cisco').
…
…
    }
  ],
  "message": "Marketplace purchase eligibilty check returned errors. See inner errors for details. "
}

User may run into the above error while deploying the Marketplace offer. To resolve this, both Application and VM offers need to be enabled/available on the Azure tenant/subscription.

Deploy the IPv6 Supported Secure Firewall Management Center Virtual on Azure

This chapter explains how to deploy the IPv6 Supported Firewall Management Center Virtual from the Azure portal.

About IPv6 Supported Deployment on Azure

Firewall Management Center Virtual offerings support both IPV4 and IPv6 from 7.3 and later. In Azure, you can deploy Firewall Management Center Virtual directly from the Marketplace offering, which creates or uses a virtual network, but currently, a limitation in Azure restricts the Marketplace application offer to use or create only IPv4-based VNet/subnets. Although, you can manually configure the IPv6 addresses to the existing VNet, a new Firewall Management Center Virtual instance cannot be added to the VNet configured with the IPv6 subnets. Azure imposes certain restrictions to deploy any third-party resources using an alternative approach other than deploying resources through Marketplace.

Cisco is currently offering two methods to deploy Firewall Management Center Virtual to support IPv6 addressing.

The following two distinct custom IPv6 templates are offered, where:

Custom IPv6 template (ARM template) — It is offered to deploy Firewall Management Center Virtual with IPv6 configuration using an Azure Resource Manager (ARM) template that internally refers to a marketplace image on Azure. This template contains JSON files with resources and parameter definitions that you can configure to deploy IPv6-supported Firewall Management Center Virtual. To use this template, see Deploy from Azure Using Custom IPv6 Template with Marketplace Image Reference.

Programmatic deployment is a process of granting access to the VM images on Azure Marketplace to deploy custom templates through PowerShell, Azure CLI, ARM template, or API. You are restricted to deploy these custom templates on VM without providing access to VMs. If you attempt to deploy such custom templates on VM, then the following error message is displayed:

Legal terms have not been accepted for this item on this subscription. To accept legal terms ….and configure programmatic deployment for the Marketplace item …..

You can use one of the following methods to enable Programmatic deployment in Azure to deploy the custom IPv6 (ARM) template refering to the marketplace image:
- Azure Portal – Enable programmatic deployment option corresponding to the Firewall Management Center Virtual offering available on Azure Marketplace for deploying the custom IPv6 template (ARM template).
- Azure CLI – Run the CLI command to enable programmatic deployment for deploying the custom IPv6 (ARM template).
Custom VHD image and IPv6 template (ARM template) — Create a managed image using the VHD image and ARM template on Azure. This process is similar to deploying Firewall Management Center Virtual by using a VHD and resource template. This template refers to a managed image during deployment and uses an ARM template which you can upload and configure on Azure to deploy IPv6-supported Firewall Management Center Virtual. See, Deploy from Azure Using a VHD and Custom IPv6 Template.

The process involved in deploying Firewall Management Center Virtual using custom IPv6 template (ARM template) in reference to marketplace image or VHD image with custom IPv6 template.

The steps involved in deploying the Firewall Management Center Virtual is as follows:

Table 2.

Step

Process

Create a Linux VM in Azure where you are planning to deploy the IPv6-supported Firewall Management Center Virtual

Enable Programmatic deployment option on Azure portal or Azure CLI only when you are deploying Firewall Management Center Virtual using the custom IPv6 template with Marketplace image reference.

Depending on the type of deployment download the following custom templates:

Custom IPv6 Template with Azure Marketplace reference image.

VHD image with custom IPv6 (ARM) template.

Update the IPv6 parameters in the custom IPv6 (ARM) template.

Note

The equivalent Software image version parameter value of the marketplace image version is required only when you are deploying Firewall Management Center Virtual using the custom IPv6 template with Marketplace image reference. You must run a command to retrieve the Software version details.

Deploy the ARM template through Azure portal or Azure CLI.

Deploy from Azure Using Custom IPv6 Template with Marketplace Image Reference

The process involved in deploying Firewall Management Center Virtual using custom IPv6 template (ARM template) in reference to marketplace image.

Procedure

Step 1

Log into the Azure portal.

The Azure portal shows virtual elements associated with the current account and subscription regardless of data center location.

Step 2

Enable Programmatic deployment through Azure portal or Azure CLI as follows:

To enable this option on Azure Portal.

Under Azure Services, click Subscriptions to view the subscription blade page.
On the left pane, click Programmatic Deployment under the Settings option.

All the types of resources deployed on the VM are displayed along with the associated subscription offerings.
Click Enable under the Status column and corresponding to the Firewall Management Center Virtual offering to obtain for programmatic deployment of the custom IPv6 template.

OR

To enable this option through Azure CLI.

Go to the Linux VM.
Run the following CLI command to enable programmatic deployment for deploying custom IPv6 (ARM) template.

During the command execution, you must only accept the terms once per subscription of the image.

# Accept terms
az vm image terms accept -p <publisher> -f <offer> --plan <SKU/plan>
# Review that terms were accepted (i.e., accepted=true)
az vm image terms show -p <publisher> -f <offer> --plan <SKU/plan>
Where,
- <publisher> - 'cisco'.
- <offer> - 'cisco-fmcv'
- <sku/plan> - 'fmcv-azure-byol'
The following is a command script example to enable programmatic deployment for deploying Firewall Management Center Virtual with BYOL subscription plan.
- az vm image terms show -p cisco -f cisco-ftdv --plan fmcv-azure-byol

Step 3

Run the following command to retrieve the Software version details equivalent to the marketplace image version.

az vm image list --all -p <publisher> -f <offer> -s <sku>

Where,

<publisher> - 'cisco'.
<offer> - 'cisco-fmcv'
<sku> - 'fmcv-azure-byol'

The following is a command script example to retrieve the Software version details equivalent to the marketplace image version for Firewall Management Center Virtual.

az vm image list --all -p cisco -f cisco-ftdv -s fmcv-azure-byol

Step 4

Select one of the Firewall Management Center Virtual version from the list of available marketplace image versions that are displayed.

For IPv6 support deployment of Firewall Management Center Virtual, you must select the Firewall Management Center Virtual version as 73* or higher.

Step 5

Download the marketplace custom IPv6 template (ARM templates) from the Cisco GitHub repository.

Step 6

Prepare the parameters file by providing the deployment values in the parameters template file (JSON).

The following table describes the deployment values you need to enter in the custom IPv6 template parameters for Firewall Management Center Virtual custom deployment:

Parameter Name	Examples of allowed Values/Type	Description
vmName	cisco-fmcv	Name the Firewall Management Center Virtual VM in Azure.
softwareVersion	730.33.0	The software version of the marketplace image version.
billingType	BYOL	The licensing method is BYOL or PAYG. BYOL license is more cost effective compared to PAYG, hence it is recommended to opt for BYOL subscribed deployment.
adminUsername	hjohn	The username to log into Firewall Management Center Virtual. You cannot use the reserved name ‘admin’, which is assigned to administrator.
adminPassword	E28@4OiUrhx!	The admin password. Password combination must be an alphanumeric characters with 12 to 72 characters long. The password combination must comprise of lowercase and uppercase letters, numbers and special characters.
vmStorageAccount	hjohnvmsa	Your Azure storage account. You can use an existing storage account or create a new one. The storage account characters must be between three and 24 characters long. The password combination must contain only lowercase letters and numbers.
availabilityZone	0	Specify the availability zone for deployment, public IP and the virtual machine will be created in the specified availability zone. Set it to '0' if you do not need availability zone configuration. Ensure that selected region supports availability zones and value provided is correct. (This must be an integer between 0-3).
ipAllocationMethod	Dynamic	IP allocation from Azure. Static : Manual, Dynamic : DHCP
mgmtSubnetName	mgmt	Management center IP on the mgmt interface (example: 192.168.0.10)
mgmtSubnetIP	10.4.1.15	FMC IP on the mgmt interface (example: 192.168.0.10)
mgmtSubnetIPv6	ace:cab:deca:dddd::c3	FMC IPv6 on the mgmt interface (example: ace:cab:deca:dddd::6)
customData	`{\"AdminPassword\": \"E28@4OiUrhx!\",\"Hostname\": \"cisco-mcv\", \"IPv6Mode\"`	The field to provide in the Day 0 configuration to the Firewall Management Center Virtual. By default it has the following three key-value pairs to configure: 'admin' user password Firewall Management Center Virtual hostname the Firewall Management Center Virtual hostname or CSF-DM for management. 'ManageLocally : yes' - This configures the CSF-DM to be used as Firewall Threat Defense Virtual manager. You can configure the Firewall Management Center Virtual as Firewall Threat Defense Virtual manager and also give the inputs for fields required to configure the same on Firewall Management Center Virtual.
virtualNetworkResourceGroup	cisco-mcv-rg	Name of the resource group containing the virtual network. In case virtualNetworkNewOr Existing is new, this value should be same as resource group selected for template deployment.
virtualNetworkName	cisco-mcv-vnet	The name of the virtual network.
virtualNetworkNewOrExisting	new	This parameter determines whether a new virtual network should be created or an existing virtual network is to be used.
virtualNetworkAddressPrefixes	10.151.0.0/16	IPv4 address prefix for the virtual network, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
virtualNetworkv6AddressPrefixes	ace:cab:deca::/48	IPv6 address prefix for the virtual network, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
Subnet1Name	mgmt	Management subnet name.
Subnet1Prefix	10.151.1.0/24	Management subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
Subnet1IPv6Prefix	ace:cab:deca:1111::/64	Management subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
subnet1StartAddress	10.151.1.4	Management interface IPv4 address.
subnet1v6StartAddress	ace:cab:deca:1111::6	Management interface IPv6 address.
Subnet2Name	diag	Data interface 1 subnet name.
Subnet2Prefix	10.151.2.0/24	Data interface 1 Subnet IPv4 prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
Subnet2IPv6Prefix	ace:cab:deca:2222::/64	Data interface 1 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
subnet2StartAddress	10.151.2.4	Data interface 1 IPv4 address.
subnet2v6StartAddress	ace:cab:deca:2222::6	Data interface 1 IPv6 address.
Subnet3Name	inside	Data interface 2 subnet name.
Subnet3Prefix	10.151.3.0/24	Data interface 2 Subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
Subnet3IPv6Prefix	ace:cab:deca:3333::/64	Data interface 2 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
subnet3StartAddress	10.151.3.4	Data interface 2 IPv4 address.
subnet3v6StartAddress	ace:cab:deca:3333::6	Data interface 2 IPv6 address.
Subnet4Name	outside	Data interface 3 subnet name.
Subnet4Prefix	10.151.4.0/24	Data interface 3 subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'
Subnet4IPv6Prefix	ace:cab:deca:4444::/64	Data interface 3 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOrExisting' is set to 'new'.
subnet4StartAddress	10.151.4.4	Data interface 3 IPv4 Address.
subnet4v6StartAddress	ace:cab:deca:4444::6	Data interface 3 IPv6 Address.
vmSize	Standard_D4_v2	Size of the Firewall Management Center Virtual VM. Standard_D4_v2 is the default.

Step 7

Use the ARM template to deploy Firewall Management Center Virtual firewall through the Azure portal or Azure CLI. For information about deploying the ARM template on Azure, refer to the following Azure documentation:

What to do next

Your next steps depend on what management mode you chose.

If you chose No for Enable Local Manager, you'll use the Secure Firewall Management Center to manage your Firewall Threat Defense Virtual; see Managing the Secure Firewall Threat Defense Virtual with the Secure Firewall Management Center.
If you chose Yes for Enable Local Manager, you'll use the integrated Secure Firewall Device Manager to manage your ; see Managing the Secure Firewall Threat Defense Virtual with the Secure Firewall device manager.

See How to Manage Your Secure Firewall Threat Defense Virtual Device for an overview of how to choose your management option.

Verify that your management center virtual deployment was successful. The Azure Dashboard lists the new management center virtual VM under Resource Groups, along with all of the related resources (storage, network, route table, etc.).

Deploy from Azure Using a VHD and Custom IPv6 Template

You can create your own custom Firewall Management Center Virtual images using a compressed VHD image available from Cisco. This process is similar to deploying Firewall Management Center Virtual by using a VHD and resource template.

Before you begin

You need the JSON template and corresponding JSON parameter file for your Firewall Management Center Virtual deployment using VHD and ARM updated template on Github, where you'll find instructions on how to build a template and parameter file.
This procedure requires an existing Linux VM in Azure. We recommended you use a temporary Linux VM (such as Ubuntu 16.04) to upload the compressed VHD image to Azure. This image will require about 50GB of storage when unzipped. Also, your upload times to Azure storage will be faster from a Linux VM in Azure.

If you need to create a VM, use one of the following methods:
- Create a Linux virtual machine with the Azure CLI
- Create a Linux virtual machine with the Azure portal
In your Azure subscription, you should have a storage account available in the Location in which you want to deploy the Firewall Management Center Virtual.

Procedure

Step 1

Download the Firewall Management Center Virtual compressed VHD image (*.bz2) from the Cisco Download Software page:

Navigate to Products > Security > Firewalls > Firewall Management > Secure Firewall Management Center Virtual.
Click Firepower Management Center Software.

Follow the instructions for downloading the image.

Cisco_Secure_Firewall_Threat_Defense_Virtual-X.X.X-xxx.vhd.bz2

For example, Cisco_Secure_FW_Mgmt_Center_Virtual_Azure-7.3.0-69.vhd.bz2

Step 2

Perform the deployment steps provided in the Deploy from Azure Using a VHD and Resource Template.

Step 3

Click Edit parameters at the top of the Custom deployment page. You have a parameters template that is available for customizing.

Click Load file and browse to the customized Firewall Management Center Virtual parameter file. See the sample for the Azure Firewall Management Center Virtual deployment using VHD and custom IPv6 (ARM) template on Github, where you'll find instructions on how to build a template and parameter file.
Paste your customized JSON parameters code into the window, and then click Save.

The following table describes the deployment values you need to enter in the custom IPv6 template parameters for Firewall Management Center Virtual deployment:

Parameter Name	Examples of allowed values/types	Description
vmName	cisco-fmcv	Name the Firewall Management Center Virtual VM in Azure.
vmImageId	/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/ Microsoft.Compute/images/{image-name	The ID of the image used for deployment. Internally, Azure associates every resource with a Resource ID.
adminUsername	hjohn	The username to log into Firewall Management Center Virtual. You cannot use the reserved name ‘admin’, which is assigned to administrator.
adminPassword	E28@4OiUrhx!	The admin password. Password combination must be an alphanumeric characters with 12 to 72 characters long. The password combination must comprise of lowercase and uppercase letters, numbers and special characters.
vmStorageAccount	hjohnvmsa	Your Azure storage account. You can use an existing storage account or create a new one. The storage account characters must be between three and 24 characters long. The password combination must contain only lowercase letters and numbers.
availabilityZone	0	Specify the availability zone for deployment, public IP and the virtual machine will be created in the specified availability zone. Set it to '0' if you do not need availability zone configuration. Ensure that selected region supports availability zones and value provided is correct. (This must be an integer between 0-3).
customData	`{\"AdminPassword\": \"E28@4OiUrhx\",\"Hostname\": \"cisco-mcv\", \"IPv6Mode\": \"DHCP\"}`	The field to provide in the Day 0 configuration to the Firewall Management Center Virtual. By default it has the following three key-value pairs to configure: 'admin' user password CSF-MCv hostname the CSF-MCv hostname or CSF-DM for management. 'ManageLocally : yes' - This configures the CSF-DM to be used as Firewall Threat Defense Virtual manager. You can configure the CSF-MCv as Firewall Threat Defense Virtual manager and also give the inputs for fields required to configure the same on CSF-MCv.
virtualNetworkResourceGroup	cisco-fmcv	Name of the resource group containing the virtual network. In case virtualNetworkNewOr Existing is new, this value should be same as resource group selected for template deployment.
virtualNetworkName	cisco-mcv-vnet	The name of the virtual network.
ipAllocationMethod	Dynamic	IP allocation from Azure. Static : Manual, Dynamic : DHCP
mgmtSubnetName	mgmt	Management center IP on the mgmt interface (example: 192.168.0.10)
mgmtSubnetIP	10.4.1.15	FMC IP on the mgmt interface (example: 192.168.0.10)
mgmtSubnetIPv6	ace:cab:deca:dddd::c3	FMC IPv6 on the mgmt interface (example: ace:cab:deca:dddd::6)
virtualNetworkNewOrExisting	new	This parameter determines whether a new virtual network should be created or an existing virtual network is to be used.
virtualNetworkAddressPrefixes	10.151.0.0/16	IPv4 address prefix for the virtual network, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
virtualNetworkv6AddressPrefixes	ace:cab:deca::/48	IPv6 address prefix for the virtual network, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
Subnet1Name	mgmt-ipv6	Management subnet name.
Subnet1Prefix	10.151.1.0/24	Management subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
Subnet1IPv6Prefix	ace:cab:deca:1111::/64	Management subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
subnet1StartAddress	10.151.1.4	Management interface IPv4 address.
subnet1v6StartAddress	ace:cab:deca:1111::6	Management interface IPv6 address.
Subnet2Name	diag	Data interface 1 subnet name.
Subnet2Prefix	10.151.2.0/24	Data interface 1 Subnet IPv4 prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
Subnet2IPv6Prefix	ace:cab:deca:2222::/64	Data interface 1 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
subnet2StartAddress	10.151.2.4	Data interface 1 IPv4 address.
subnet2v6StartAddress	ace:cab:deca:2222::6	Data interface 1 IPv6 address.
Subnet3Name	inside	Data interface 2 subnet name.
Subnet3Prefix	10.151.3.0/24	Data interface 2 Subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
Subnet3IPv6Prefix	ace:cab:deca:3333::/64	Data interface 2 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
subnet3StartAddress	10.151.3.4	Data interface 2 IPv4 address.
subnet3v6StartAddress	ace:cab:deca:3333::6	Data interface 2 IPv6 address.
Subnet4Name	outside	Data interface 3 subnet name.
Subnet4Prefix	10.151.4.0/24	Data interface 3 subnet IPv4 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'
Subnet4IPv6Prefix	ace:cab:deca:4444::/64	Data interface 3 Subnet IPv6 Prefix, this is required only if 'virtualNetworkNewOr Existing' is set to 'new'.
subnet4StartAddress	10.151.4.4	Data interface 3 IPv4 Address.
subnet4v6StartAddress	ace:cab:deca:4444::6	Data interface 3 IPv6 Address.
vmSize	Standard_D4_v2	Size of the Firewall Management Center Virtual VM. Standard_D4_v2 is the default.

Step 4

What to do next

Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment

Virtual Machine Offers and Plans (hidden):

Publisher ID: cisco
Cisco Secure Firewall Management Center Virtual VM Offers (used for both the Cisco Secure Firewall Management Center Virtual Application offers)
- Offer ID: cisco-fmcv
- BYOL Plan ID: fmcv-azure-byol
Cisco Firepower Management Center 300 Virtual
- Offer ID: cisco-fmcv300
- BYOL Plan ID: fmcv300-azure-byol

When user deploys the visible application offer from Marketplace, corresponding image from the VM offer plan is referenced and deployed.

Therefore, for the deployment to work, both Application and VM offers needs to be enabled/available on the Private Marketplace for the Azure tenant/subscription.

Refer the Azure documentation for enabling these application and VM offers in private marketplaces.

Application offers are easily enabled via Azure UI as they are visible in the marketplace.

In order to enable hidden virtual machine offers in private marketplace, you might have to rely on CLI commands (at the time of this doc creation only CLI way is possible).

Sample command:

Cisco Secure Firewall Management Center Virtual BYOL plan can be enabled using similar sample command given below:

$Params = @{
  privateStoreId = ‘<private-store-id>’
  offerId = ‘<publisher-id>.<vm-offer-id>’
  SpecificPlanIdsLimitation =@(‘<plan-id-under-vm-offer>’)
}
Set-AzMarketplacePrivateStoreOffer @Params

$Params = @{
  privateStoreId = ‘<private-store-id>’
  offerId = ‘cisco.cisco-fmcv’
  SpecificPlanIdsLimitation =@(‘fmcv-azure-byol’)
}
Set-AzMarketplacePrivateStoreOffer @Params

Note

The sample command is only for reference, check Azure documentation for more details.

Reference Error message

{
  "code": "MarketplacePurchaseEligibilityFailed",
  "details": [
    {
      "code": "BadRequest",
      "message": "Offer with PublisherId: 'cisco', OfferId: 'cisco-XXXX' cannot be purchased due to validation errors. For more information see details. 
Correlation Id: 'XXXXX` 
This plan is not available for purchase because it needs to be added to your tenant's Private Marketplace. Contact your admin to request adding the plan. 
Link to plan: <URL>. 
Plan: '<PLAN NAME>'(planId=<VM-OFFER-PLAN-ID>), 
Offer: <OFFER_NAME>, Publisher: 'Cisco Systems, Inc.'(publisherId='cisco').
…
…
    }
  ],
  "message": "Marketplace purchase eligibilty check returned errors. See inner errors for details. "
}

User may run into the above error while deploying the Marketplace offer. To resolve this, both Application and VM offers need to be enabled/available on the Azure tenant/subscription.

Verify the Firewall Management Center Virtual Deployment

After the Firewall Management Center Virtual VM is created, the Microsoft Azure Dashboard lists the new Firewall Management Center Virtual VM under Resource groups. The corresponding storage account and network resources also are created and listed. The Dashboard provides a unified view of your Azure assets, and provides an easy, at-a-glance assessment of the health and performance of the Firewall Management Center Virtual.

Before you begin

The Firewall Management Center Virtual VM is started automatically. During deployment the status is listed as "Creating" while Azure creates the VM, and then the status changes to "Running" once the deployment is complete.

Note

Remember that deployment times vary in Azure, and the total time until the Firewall Management Center Virtual is usable is approximately 30 minutes, even when the Azure Dashboard shows the status of the Firewall Management Center Virtual VM as "Running".

Procedure

Step 1

To view the Firewall Management Center Virtual resource group and its resources after deployment is completed, from the left menu pane, click Resource groups to access the Resource groups page.

The following figure shows an example of a Resources groups page in the Microsoft Azure portal. Notice the Firewall Management Center Virtual VM as well as its corresponding resources (storage account, network resources, etc.).

Figure 2. Azure Firewall Management Center Virtual Resource Group Page

Step 2

To view details of the Firewall Management Center Virtual VM associated with the resource group, click the name of the Firewall Management Center Virtual VM.

The following figure shows an example of the Virtual machine overview page associated with the Firewall Management Center Virtual VM. You access this overview from the Resources groups page.

Observe that the status is Running. You can stop, start, restart, and delete the Firewall Management Center Virtual VM from the Virtual machine page in the Microsoft Azure portal. Note that these controls are not graceful shutdown mechanisms for the Firewall Management Center Virtual; see Guidelines and Limitations for graceful shutdown information.

Step 3

From the Virtual machine page, find the Public IP address assigned to the Firewall Management Center Virtual.

Note

You can hover over the IP address and select Click to copy to copy the IP address.

Step 4

Direct your browser to https://public_ip/, where public_ip is the IP address assigned to the Firewall Management Center Virtual’s management interface when you deployed the VM.

The login page appears.

Step 5

What to do next

We recommend that you complete some administrative tasks that make your deployment easier to manage, such as creating users and reviewing health and system policies. Refer to Firewall Management Center Virtual Initial Administration and Configuration for an overview how to get started.
You should also review your device registration and licensing requirements.
For information on how you can begin to configure your system, see the complete Secure Firewall Management Center Configuration Guide for your software version.

Monitoring and Troubleshooting

This section includes general monitoring and troubleshooting guidelines for the Firewall Management Center Virtual appliance deployed in Micosoft Azure. Monitoring and troubleshooting can relate to either the deployment of the VM in Azure, or the Firewall Management Center Virtual appliance itself.

Azure Monitoring of the VM Deployment

Azure provides a number of tools under the Support + troubleshooting menu that provide quick access to tools and resources to help you diagnose and resolve issues and receive additional assistance. Two items of interest include:

Boot diagnostics—Allows you to see the state of your Firewall Management Center Virtual VM as it boots up. The boot diagnostics collects serial log information from the VM as well as screen shots. This can help you to diagnose any startup issues.
Serial console—The VM serial console in the Azure portal provides access to a text-based console. This serial connection connects to the COM1 serial port of the virtual machine, providing serial and SSH access to the Firewall Management Center Virtual's command line interface using the public IP address assigned to the Firewall Management Center Virtual.

Firewall Management Center Virtual Monitoring and Logging

Troubleshoots and general logging operatations follow the same procedures as current Firewall Management Center and Firewall Management Center Virtual models. Refer to the System Monitoring and Troubleshooting section of the Secure Firewall Management Center Configuration Guide for your version.

In addition, the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. As such, the following are important logs for troubleshooting:

/var/log/waagent.log—This log will have any errors from the Firewall Management Center provisioning with Azure.
/var/log/firstboot.S07install_waagent—This log will have any errors from the waagent installation.

Azure Provisioning Failures

Provisioning errors using the Azure Marketplace solution template are uncommon. However, should you encounter a provisioning error, keep the following points in mind:

Azure has a 20 minute timeout for the virtual machine to provision with the waagent, at which point it is rebooted.
If the Firewall Management Center has trouble provisioning for any reason, the 20 minute timer tends to end in the middle of the Firewall Management Center database initialization, likely resulting in a deployment failure.
If the Firewall Management Center fails to provision in 20 minutes, we recommend that you start over.
You can consult the /var/log/waagent.log for troubleshooting information.
If you see HTTP connection errors in the serial console, this suggests that the waagent cannot communicate with the fabric. You should review your network settings upon redeploy.

Feature History


Feature Name	Releases	Feature Information
Deploy the Firewall Management Center Virtual on the Microsoft Azure public cloud.	6.4.0	Initial support.

Cisco Secure Firewall Management Center Virtual Getting Started Guide

Bias-Free Language

Results

Chapter: Deploy the Firewall Management Center Virtual on Azure

Deploy the Firewall Management Center Virtual on Azure

Overview

Firewall Management Center Virtual Requires 28 GB RAM for Upgrade (6.6.0+)

Deprecated VM Sizes

Resizing VM

Prerequisites

Guidelines and Limitations

Supported Features

Licensing

System Shut Down and Restart

Unsupported Features

Resources Created During Deployment

Deploy the Firewall Management Center Virtual

Deploy from Azure Marketplace Using the Solution Template

Procedure

Example:

What to do next

Deploy from Azure Using a VHD and Resource Template

Before you begin

Procedure

What to do next

Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment

Deploy the IPv6 Supported Secure Firewall Management Center Virtual on Azure

About IPv6 Supported Deployment on Azure

Deploy from Azure Using Custom IPv6 Template with Marketplace Image Reference

Procedure

What to do next

Deploy from Azure Using a VHD and Custom IPv6 Template

Before you begin

Procedure

What to do next

Deploy the Azure Marketplace offers in the restricted Azure Private Marketplace environment

Verify the Firewall Management Center Virtual Deployment

Before you begin

Procedure

What to do next

Monitoring and Troubleshooting

Azure Monitoring of the VM Deployment

Firewall Management Center Virtual Monitoring and Logging

Azure Provisioning Failures

Feature History

Was this Document Helpful?

Contact Cisco