Deploy a Threat Defense Device on Google Cloud Platform
Before you begin
When you perform this procedure, Security Cloud Control creates the threat defense virtual as part of the onboarding wizard. You cannot use this procedure with a physical threat defense device or with a device that is already onboarded to Security Cloud Control.
The following prerequisites must be met before onboarding a threat defense that will be deployed in a Google Cloud Platform (GCP) environment:
- You must have cloud-delivered Firewall Management Center enabled for your tenant.
- You must have a GCP account and a project already created in it. See the GCP documentation for more information.
- Your project must provide the VPC networks the threat defense virtual attaches to:
  Management interfaces (2): one connects the threat defense virtual to the management center, the other is used for diagnostics; neither can carry through traffic.
  Traffic interfaces (2): connect the threat defense virtual to inside hosts and to the public network. See Create VPC Networks for GCP for more information.
- You must enable all of the following permissions in the GCP environment so that Security Cloud Control can communicate with the project and onboard the device:
  deploymentmanager.deployments.create
  deploymentmanager.deployments.get
  compute.networks.list
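The prerequisites above (an existing project, four VPC networks, and the three IAM permissions) can be prepared from Google Cloud Shell before starting the wizard. The script below is an added example; it is not part of this page and is not the command Security Cloud Control generates in Step 6. The project ID, region, role and service-account names, network names and CIDR ranges are assumptions, and putting exactly the three listed permissions into a custom IAM role bound to a dedicated service account is this example's least-privilege choice rather than something the page prescribes. By default it runs in dry-run mode and only prints the gcloud commands it would execute; set DRY_RUN=0 to run them for real.

```shell
#!/bin/sh
# Added example: prepare GCP prerequisites for onboarding a threat defense virtual
# through Security Cloud Control. All values below are assumptions; adjust them.
PROJECT_ID="${PROJECT_ID:-my-ftdv-project}"     # assumed project ID
REGION="${REGION:-us-central1}"                 # assumed region for the subnets
ROLE_ID="${ROLE_ID:-sccFtdvOnboarding}"         # assumed custom role ID
SA_NAME="${SA_NAME:-scc-ftdv-onboard}"          # assumed service account name
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = execute

# Exactly the permissions the prerequisites list; widen only if a later step fails.
REQUIRED_PERMISSIONS="deploymentmanager.deployments.create,deploymentmanager.deployments.get,compute.networks.list"

# Four VPC networks: two management (mgmt, diag) and two traffic (inside, outside).
# Names and ranges are assumed; each entry is name:cidr.
NETWORKS="mgmt:10.10.0.0/24 diag:10.10.1.0/24 inside:10.10.2.0/24 outside:10.10.3.0/24"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Custom role carrying only the three required permissions (least privilege).
create_onboarding_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Security Cloud Control FTDv onboarding" \
    --permissions="$REQUIRED_PERMISSIONS" --stage=GA
}

# Dedicated service account bound to that role, so the onboarding identity
# carries nothing beyond what the wizard needs.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Security Cloud Control onboarding"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# One custom-mode VPC network plus one subnet per interface.
create_vpc_networks() {
  for entry in $NETWORKS; do
    name=${entry%%:*}
    cidr=${entry#*:}
    run gcloud compute networks create "ftdv-${name}" --project="$PROJECT_ID" \
      --subnet-mode=custom
    run gcloud compute networks subnets create "ftdv-${name}-subnet" \
      --project="$PROJECT_ID" --network="ftdv-${name}" \
      --region="$REGION" --range="$cidr"
  done
}

# Offline sanity checks: the device needs four networks, with no range reused.
network_count() { set -- $NETWORKS; echo $#; }

distinct_cidrs() {
  seen=""
  for entry in $NETWORKS; do
    cidr=${entry#*:}
    case " $seen " in *" $cidr "*) return 1 ;; esac
    seen="$seen $cidr"
  done
  return 0
}

main() {
  [ "$(network_count)" -eq 4 ] || { echo "expected 4 networks" >&2; return 1; }
  distinct_cidrs || { echo "duplicate subnet range in NETWORKS" >&2; return 1; }
  create_onboarding_role
  create_service_account
  create_vpc_networks
}

main "$@"
```

The service account created here is only an illustration of how to scope the three permissions; whatever identity the command generated in Step 6 actually uses must hold those same permissions on the project you select in Step 7.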
Procedure
Step 1. Log in to Security Cloud Control.
Step 2. In the navigation pane, click Inventory and click the blue plus button (+) to add a new device.
Step 3. Select the FTD tile.
Step 4. Under Management Mode, select FTD.
Step 5. Select Use GCP VPC as the onboarding method.
Step 6. If you have not authenticated your GCP environment with Security Cloud Control before this point, copy the bash command that Security Cloud Control generates and run it in your bash environment or in the Google Cloud Shell to authenticate your GCP account and allow communication between the applications. If you have already authenticated your GCP account, skip the account integration steps and click Next.
Step 7. Use the drop-down menu to select the GCP project you want to associate with the device you are going to onboard. If no projects are immediately available, click + Link New Project. If you click + Link New Project, follow these steps:
Step 8. Click Next.
Step 9. Use the drop-down menus to select the following parameters and click Next:
Step 10. Enter a name for the threat defense device in the Device Name field and click Next.
Step 11. In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured in the cloud-delivered Firewall Management Center associated with your Security Cloud Control tenant, select the Default Access Control Policy.
Step 12. Select the Subscription Licenses you want applied to the device. You must select at least the URL license for virtual threat defense devices.
Step 13. Click Complete Onboarding.
What to do next
Navigate to the Inventory page to view the progress of the device registration. Once the device is synchronized, we strongly recommend cross-launching to cloud-delivered Firewall Management Center to customize your access control policy and verify the device status.