Create a Cisco Threat Defense Virtual Firewall VNF

Device Connectivity Management

This topic explains how to create and operate Cisco Threat Defense Virtual firewall (formerly FTDv/NGFWv) device. See Cisco VNF Specifications for CPU, Memory, Software Package and other information about the Threat Defense Virtual device.

Licensing

Obtain a license from the vendor device reseller for a Threat Defense Virual device. Bring Your Own License (BYOL) is the only available option for this virtual device. The license needs to be registered manually after the device is created. Threat Defense Virtual supports Smart License from Cisco. See Cisco Secure Firewall Management Center Feature Licenses for more information.

Deployment Type

There are three deployment types available for VM-Series Firewall.

Deployment Type Description
Single Workflow to provision a single device, which operates as standalone devices. Another single device can be paired with the existing single device (requires same resource configuration) to form a local redundancy (redundancy in single metro) or geo-redundancy (each device operates in different metro).
Redundant

Workflow to provision two firewall devices. Each device operates individually, and you are responsible for configuring those in an Active-Active fashion. You have the option of deploying both devices in two different metros (recommended) to achieve distributed architecture or keep both devices in the same metro.

Cluster Workflow to provision two firewall devices with Active-Standby redundancy in a single metro. (No geo-redundancy option available.)

Create a Threat Defense Virtual Firewall

  1. Sign in to the Network Edge Marketplace. If the Identity and Access Management (IAM) feature is enabled for your account, make sure to switch to the intended Project Name/ID before proceeding to the device creation workflow.
  2. Click Select and Continue on the Cisco Next Generation Firewall card to start the device creation workflow.

    Note: Click View Details on the card to see a preview of the configuration options available for this virtual device.
  3. Select Deployment Type (Single, Redundant and Cluster device). If you select Redundant Device, follow the workflow and select the Redundancy option. (Create a new pair of redundant devices or add an additional device to an existing device.)

    Note: The Cluster deployment option for this VNF is only available for the Without Equinix Public IP Address connectivity type.

  4. In the Select Edge Device Location section, click a location.

  5. In the Account section, select a billing account from the Your accounts in this metro drop-down.

    Note: Metro selection is linked to your billing account country. For example, if you select Silicon Valley for deployment metro, your will need to have a billing account in the United States. If you need to deploy the VNF to a different metro such as Tokyo, you need to create a billing account in Japan.

    If you do not have a billing account for the selected metro, a message will display.

    To create a billing account, click Go to Account Management, and then click Create New Billing Account. Without selecting an account, you will not be able to create your device. For more information, see Billing Account Management.

  6. In the Connectivity Type section (available in the 2023.4 release), select either With Equinix Public IP Address or Without Equinix Public IP Address. For more information, see the Connectivity Type section to determine which connectivity type is right for your deployment.

  7. In the Licensing section, select Bring Your Own License.

    Note: The Subscription option is not currently available for this VNF type.

  8. In the Device Resources section, select the virtual machine resource type, along with the Software Package and Software Version. See Cisco VNF Specifications for more information.

  9. In the Device Details section, enter:

    • Device Name – Enter a name for the device to be used in the Network Edge portal.
    • Host Name Prefix – Enter a host name prefix for the VNF.
    • Click to see the naming rules.
    • Device Management – Select your device management type.
      • FMC (Firewall Management Center) – Enter the FMC’s IP Address as the Controller IP Address, and the Registration Key. The registration key is used to register the device to the FMC.
      • FDM (Firepower Device Manager)
      • CDO (Cisco Defense Orchestrator)

  10. In the Interfaces section, keep the default number of interfaces available on the VNF. If you select the With Equinix Public IP Address connectivity option, you can automatically map WAN/SSH interfaces to the next available interface, or manually select a specific interface for WAN/SSH use. WAN/SSH interface provides Internet access. For the Without Equinix Public IP Address option, you do not have a WAN/SSH interface available for mapping.

  11. In the Device Status Notifications box, enter the email addresses of anyone who should receive email notifications regarding device status.

  12. Note: We strongly recommend adding multiple email addresses so that more than one user receives any notification for this device.

  13. (Optional) In the Optional Details box, enter the Purchase Order Number and Order Reference/Identifier.
  14. In the Term Length drop-down menu, select a term length.
  15. Click Next: Additional Services to add additional services. Additional Services options are based on connectivity type.
  16. Configuration With Equinix Public IP Address Without Equinix Public IP Address
    Access Control List Template ü N/A
    Additional Internet Bandwidth ü N/A
    • Add Access Control List Templates – Select an access control list (ACL) template. This template will be applied to the gateway interface connected to the WAN/SSH interface of your VNF. ACL templates control communication from the Internet. For more information, see the ACL documentation. This option is available only for the With Equinix Public IP Address connectivity option. If the FMC option is selected as management software, the Controller IP address entered as FMC’s IP address will be configured in the default ACL. You do not need to allow this controller IP Address in the ACL template. This option is only available for the With Equinix Public IP Address connectivity option. ACL template configuration is not available for connectivity type With Equinix Public IP Address.
    • Note: By default, the communication required for initial bootstrap (DNS, NTP, License Server communication, SD-WAN controller communication, etc.) is allowed to properly configure the initial VNF configuration. Additional protocols such as SSH need to be intentionally permitted using an ACL template (Custom ACL). If you need to create a template to apply to your device, click Create Access Control List Template. See Configure Access Controls on Virtual Devices for more information.

    • Additional Internet Bandwidth – Add between 25 and 5000 additional Mbps of internet bandwidth (for a fee). 15 Mbps of Internet Bandwidth is included free in the package by default. This option is available only for With Equinix Public IP Address connectivity option.
  1. Click Next: Review.
  2. In the Terms & Conditions box, click Review and Accept Order Terms.
  3. Select I have read and understand these terms and click Accept.
  4. Click Create Virtual Device.

Important: Your device will be assigned an external IP address for reachability when the With Equinix Public IP Address connectivity option is selected. If you change the configuration, you could experience connectivity issues.

Connectivity Type

Connectivity Type feature is available for the Cisco Threat Defense Virtual Firewall VNF. This feature provides options to include a virtual interface with a Public IP address from Equinix or not. This helps in cases where a VNF needs to be separated from the Internet. You can manage virtual devices from their private network or virtual connection, not from the Internet.

Note: The Connectivity Type option is only available when provisioning a new device. This option can’t be enabled for devices provisioned before 2023.4 release.

The following table summarizes connectivity type options and the difference between the two options.

Connectivity Type With Equinix Public IP Address Without Equinix Public IP Address
Use Cases This option comes with Public IP Addresses from Equinix and does not require an additional Virtual Connection to manage the virtual device. This option removes Equinix-sourced Public IP Address assignment and will segregate the VNF from the Internet after the device creation. If the device needs to be managed by software running in the Colo cage or through a private virtual connection, this option is recommended.
Internet Connectivity

Public IP addresses from Equinix are assigned to the following interfaces and accessible from the Internet:

  • Management (MGMT)

  • Ethernet 1/1 (WAN)

No public IP Address from Equinix included. This option requires a separate virtual connection from your Network Service Provider (NSP) or Internet Service Provider (ISP). See Bring Your Own Connection - Remote Fabric Port for more information.
Access Control List Create an Access Control List (ACL) to limit traffic to the VNF Management (MGMT) or WAN interface. The ACL option is not available. Additional compensating controls can be implemented for traffic from any private virtual connection.
SSH Access Unlike the other VNF types, we do not provide username and RSA Public Key configuration settings for SSH access during the device creation workflow. Use console access from the device details page. Unlike the other VNF types, we do not provide username and RSA Public Key configuration settings for SSH access during device creation workflow.Use console access from the device details page.
Device Manageability During device creation, select the management type: FMC, FDM, or CDO. If you FMC select, you need to provide FMC’s IP Address and Registration Key. A virtual connection (via the BYOC option) must first be assigned to the Management (MGMT) interface for FMC, FDM or CDO access. If you FMC select, you need to provide FMC’s IP Address and Registration Key.
License Registration Manually register the license after the device is created. Manually register the license after the device is created. You are responsible for registering the license using Internet access through a private virtual connection.
Clustering Setup The cluster option is not available for this connectivity type. Users are required to configure cluster devices manually.

Set Up Cisco Threat Defense Virtual Firewall without Equinix Public IP Address

When the connectivity type Without Equinix Public IP Address is selected, the VNF is provisioned without a public IP Address on the WAN or Management interface. You are responsible for configuring the license registration, overlay network configuration, and clustering (optional).

Management Interface Configuration

The following is a sample, reference only configuration for management interface setup.

Commands
configure network ipv4 manual <IP Address> <Mask> <Default Gateway>