Deploy Cluster Nodes Manually - NLB-based Deployment

Deploy the cluster nodes so they form a cluster.

Procedure

Step 1

Log into the Azure Portal: https://portal.azure.com

Step 2

Create a Resource Group.

  1. In the Basics tab, choose the Subscription and Resource Group from the drop-down lists.

  2. Choose the required Region.

Step 3

Create a Virtual Network with the necessary subnets: Management, Inside, Outside and Cluster Control Link (CCL).

Note

Configure the CCL with the smallest subnet mask as required. Wider subnets can impact performance.

See the Azure document for creating the Virtual Network and subnet: https://learn.microsoft.com/en-us/azure/virtual-network/quickstart-create-virtual-network?tabs=portal

Step 4

Go to the Marketplace and search for Cisco Secure Firewall Threat Defense Virtual – BYOL and PAYG and click Create.

Step 5

Fill the required details and choose Yes for Is this VM going to be part of Cluster?

Paste the following cluster-related configuration in the text box.

"Cluster": {
"CclSubnetRange": "ip_address_start ip_address_end",	//mandatory user input
"ClusterGroupName": "cluster_name"	//mandatory user input
}

Step 6

Click Next and select the Virtual Network & Subnets.

If the diagnostic interface is enabled, user can attach maximum of four interfaces while deploying the Threat Defense Virtual VM. If the diagnostic is disabled, user can attach maximum of three interfaces while deploying the Threat Defense Virtual instance. So, the user must attach the extra interface for the cluster related communication after deploying the Threat Defense Virtual VM.

Step 7

Click Review + create. Wait until the Threat Defense Virtual deployment is completed.

Step 8

Power off the Threat Defense Virtual VM.

Step 9

Create a new interface using the CCL subnet and attach it to the Threat Defense Virtual VM. See the Azure document to create and attach new interface to the existing VM: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface-vm

Step 10

Power On the Threat Defense Virtual VM.

Step 11

Connect to the Threat Defense Virtual device and use the show cluster info command to confirm the cluster formation is successful.

> show cluster info 
Cluster ngfwv-cluster: On
    Interface mode: individual
Cluster Member Limit : 16
    This is "4" in state CONTROL_NODE
        ID        : 0
        Version   : 9.23(1)
        Serial No.: 9AC1VMGJKAQ
        CCL IP    : 1.1.1.4
        CCL MAC   : 6045.bda8.e07b
        Module    : NGFWv
        Resource  : 4 cores / 14336 MB RAM
        Last join : 05:22:55 UTC Jul 14 2025
        Last leave: N/A
Other members in the cluster:
    There is no other unit in the cluster
>

Step 12

Add the control node to the Management Center. See Add the Cluster to the Management Center (Manual Deployment).