Deploy Cluster Nodes Manually - GWLB-based Deployment

Deploy the cluster nodes so they form a cluster.

Procedure

Step 1

Log into the Azure Portal: https://portal.azure.com

Step 2

Create a Resource Group.

  1. In the Basics tab, choose the Subscription and Resource Group from the drop-down lists.

  2. Choose the required Region.

Step 3

Create a Virtual Network with the necessary subnets: Management, Data and Cluster Control Link (CCL).

Note

Configure the CCL with the smallest subnet mask as required. Wider subnets can impact performance.

See the Azure document for creating the Virtual Network and subnet: https://learn.microsoft.com/en-us/azure/virtual-network/quickstart-create-virtual-network?tabs=portal

Step 4

Go to the Marketplace and search for Cisco Secure Firewall Threat Defense Virtual – BYOL and PAYG and click Create.

Step 5

Fill the required details and choose Yes for Is this VM going to be part of Cluster?

Paste the following cluster-related configuration in the text box.

"Cluster": {
"CclSubnetRange": "ip_address_start ip_address_end",	//mandatory user input
"ClusterGroupName": "cluster_name",	//mandatory user input
"HealthProbePort": "port_number",	//mandatory user input
"GatewayLoadBalancerIP": "ip_address",	 //mandatory user input
"EncapsulationType": "vxlan",
"InternalPort": "internal_port_number",
"ExternalPort": "external_port_number",
"InternalSegId": "internal_segment_id",
"ExternalSegId": "external_segment_id"
}

Step 6

Click Next and select the Virtual Network & Subnets.

Ensure GigabitEthernet 0/1 subnet is configured with the CCL subnet.

Step 7

Click Review + create. Wait until the Threat Defense Virtual deployment is completed.

Step 8

Connect to the Threat Defense Virtual device and use the show cluster info command to confirm the cluster formation is successful.

> show cluster info 
Cluster ngfwv-cluster: On
    Interface mode: individual
Cluster Member Limit : 16
    This is "4" in state CONTROL_NODE
        ID        : 0
        Version   : 9.23(1)
        Serial No.: 9AC1VMGJKAQ
        CCL IP    : 1.1.1.4
        CCL MAC   : 6045.bda8.e07b
        Module    : NGFWv
        Resource  : 4 cores / 14336 MB RAM
        Last join : 05:22:55 UTC Jul 14 2025
        Last leave: N/A
Other members in the cluster:
    There is no other unit in the cluster
>

Step 9

Configure the Azure Gateway Load Balancer. See Auto Scale with Azure Gateway Load Balancer Use Case for more information.

Step 10

Add the control node to the Firewall Management Center. See Add the Cluster to the Management Center (Manual Deployment).