Deploy the Stack in AWS Using a CloudFormation Template

Deploy the stack in AWS using the customized CloudFormation template.

Before you begin

  • You need an Amazon Linux virtual machine with Python 3.

  • To allow the cluster to auto-register with the management center, you need to create two users with administrative privileges on the management center that can use the REST API. See the Cisco Secure Firewall Management Center Administration Guide.

  • Add an access policy in the management center that matches the name of the policy that you specified in Configuration.json.

Procedure


Step 1

Prepare the template.

  1. Clone the GitHub repository to your local folder. See https://github.com/CiscoDevNet/cisco-ftdv/tree/master/cluster/aws.

  2. Modify infrastructure.yaml and deploy_ngfw_cluster.yaml with the required parameters.

  3. Modify cluster/aws/lambda-python-files/Configuration.json with initial settings.

    For example:

    
    {
      "licenseCaps": ["BASE", "MALWARE", "THREAT"],
      "performanceTier": "FTDv50",
      "fmcIpforDeviceReg": "DONTRESOLVE",
      "RegistrationId": "cisco",
      "NatId": "cisco",
      "fmcAccessPolicyName": "AWS-ACL"
    }
    
    • Keep the fmcIpforDeviceReg setting as DONTRESOLVE.

    • The fmcAccessPolicyName needs to match an access policy on the management center.

    Note

    FTDv5 and FTDv10 tiers are not supported.

  4. Create a file named cluster_layer.zip to provide essential Python libraries to Lambda functions.

    We recommend using Amazon Linux with Python 3.9 installed to create the cluster_layer.zip file.

    Note

    If you need an Amazon Linux environment, you can create an EC2 instance using Amazon Linux 2023 AMI or use AWS Cloudshell, which runs the latest version of Amazon Linux.

    To create the cluster_layer.zip file, first create a requirements.txt file that lists the Python library packages, and then run the shell commands.

    1. Create the requirements.txt file by specifying the Python package details.

      The following sample shows the package details that you provide in the requirements.txt file:

      $ cat requirements.txt 
      pycryptodome
      paramiko
      requests
      scp
      jsonschema
      cffi
      zipp
      importlib-metadata
    2. Run the following shell commands to create the cluster_layer.zip file.

      $ pip3 install --platform manylinux2014_x86_64 \
        --target=./python/lib/python3.9/site-packages \
        --implementation cp --python-version 3.9 --only-binary=:all: \
        --upgrade -r requirements.txt
      $ zip -r cluster_layer.zip ./python
    Note

    If you encounter a dependency conflict error during installation, such as urllib3 or cryptography, it is recommended that you include the conflicting packages along with their recommended versions in the requirements.txt file. After that, you can run the installation again to resolve the conflict.

  5. Copy the resulting cluster_layer.zip file to the Lambda Python files folder, cluster/aws/lambda-python-files.

  6. Create the cluster_layer.zip, custom_metrics_publisher.zip, cluster_manager.zip, and lifecycle_ftdv.zip files.

    The make.py script in the cloned repository (cluster/aws/make.py) zips the Python files into these zip files and copies them to a target folder:

    python3 make.py build

Step 2

Deploy infrastructure.yaml and note the output values for cluster deployment. Before deploying the infrastructure stack, it is important to identify the AWS region and the availability zones that will be used. Each AWS region has a different set of availability zones and VPC infrastructure, therefore it is essential to select the correct region and availability zones for your deployment.

  1. On the AWS Console, go to CloudFormation and click Create stack; select With new resources (standard).

  2. Select Upload a template file, click Choose file, and select infrastructure.yaml from the target folder.

  3. Click Next and provide the required information.

  4. Enter a unique Cluster Name and Cluster Number for the cluster.

  5. Select the availability zone from the Availability Zone list. This list shows only the availability zones of the AWS region that you selected for deploying the infrastructure stack using the CloudFormation template.

  6. Click Next, then Create stack.

  7. After the deployment is complete, go to Outputs and note the S3 BucketName.

Output of infrastructure.yaml

Step 3

Upload cluster_layer.zip, cluster_manager.zip, custom_metrics_publisher.zip, and cluster_lifecycle.zip to the S3 bucket created by infrastructure.yaml.

S3 Bucket

Step 4

Deploy deploy_ngfw_cluster.yaml.

  1. Go to CloudFormation and click Create stack; select With new resources (standard).

  2. Select Upload a template file, click Choose file, and select deploy_ngfw_cluster.yaml from the target folder.

  3. Click Next and provide the required information.

  4. Provide the following cluster and infrastructure configuration information.

    Parameter (Allowed Values/Type)
      Description

    Cluster Configuration

    ClusterGrpNamePrefix (String)
      The cluster name prefix. The cluster number is added as a suffix.

    ClusterNumber (String)
      The cluster number, which is suffixed to the cluster name (msa-ftdv-infra). For example, if this value is 1, the group name is msa-ftdv-infra-1.
      It must be at least 1 digit and not more than 3 digits. Default: 1.

    ClusterSize (Number)
      The total number of Threat Defense Virtual nodes in the cluster.
      Minimum: 1. Maximum: 16.

    Infrastructure Details

    NoOfAZs (String)
      The total number of availability zones into which Threat Defense Virtual is deployed (minimum 1, maximum 3, depending on the region).
      The subnets are created in these availability zones.
      The availability zones offered in this list depend on the region selected for deploying the cluster.
      Note
      Management, Inside, and Cluster Control Link (CCL) subnets are created across three availability zones based on this parameter.

    AZ (String)
      The availability zone list depends on the region in which you plan to deploy.
      In the Availability Zone list, select the valid availability zones (1, 2, or 3 availability zones).
      The count must match the value of the Number of Availability Zones parameter.

    NotifyEmailID (String)
      Email address to which cluster event emails are sent. You must accept a subscription email request to receive these notifications.
      Example: admin@company.com

    VpcId (String)
      The VPC ID for the cluster group.
      Type: AWS::EC2::VPC::Id

    S3BktName (String)
      The S3 bucket that contains the uploaded Lambda zip files. You must specify the correct bucket name.

    MgmtSubnetIds (List)
      Enter only one subnet per availability zone.
      If you select multiple subnets from the same availability zone, selecting an incorrect subnet may cause issues while deploying the Threat Defense Virtual instances.
      Type: List<AWS::EC2::Subnet::Id>

    InsideSubnetIds (List)
      Enter at least one subnet per availability zone.
      If you select multiple subnets from the same availability zone, selecting an incorrect subnet may cause issues while deploying the Threat Defense Virtual instances.
      Type: List<AWS::EC2::Subnet::Id>

    LambdaSubnets (List)
      Enter at least two subnets for the Lambda functions. The subnets you enter must have a NAT gateway so that the Lambda functions can communicate with AWS services, which are reached through public DNS.
      Type: List<AWS::EC2::Subnet::Id>

    CCLSubnetIds (String)
      Enter at least one subnet per availability zone.
      If you select multiple subnets from the same availability zone, selecting an incorrect subnet may cause issues while deploying the Threat Defense Virtual instances.
      Type: List<AWS::EC2::Subnet::Id>

    CCLSubnetRanges (String)
      Enter the IP address range of the CCL subnet for each availability zone.
      Exclude the first 4 reserved IP addresses. This range is the IP address pool for the Cluster Control Link (CCL).
      IP addresses are allocated to the CCL interfaces of the Threat Defense Virtual instances from the CCL IP address pool.

    MgmtInterfaceSG (List)
      Select the security group ID for the Threat Defense Virtual instances.
      Type: List<AWS::EC2::SecurityGroup::Id>

    InsideInterfaceSG (List)
      Select the security group ID for the inside interface of the Threat Defense Virtual instances.
      Type: List<AWS::EC2::SecurityGroup::Id>

    LambdaSG (List)
      Select a security group for the Lambda functions.
      Ensure that outbound connections are set to ANYWHERE.
      Type: List<AWS::EC2::SecurityGroup::Id>

    CCLInterfaceSG (List)
      Select a security group ID for the CCL interface of the Threat Defense Virtual instances.

    GWLB Configuration

    DeployGWLBE (String)
      Select Yes to deploy the GWLB endpoint.
      By default, the value is set to No.

    VpcIdLBE (String)
      Enter the VPC in which to deploy the Gateway Load Balancer Endpoint.
      Note
      Do not enter any value in this field if you are not deploying the GWLB endpoint.

    GWLBESubnetId (String)
      Enter only one subnet ID.
      Note
      Do not enter any value in this field if you are not deploying the GWLB endpoint.
      Ensure that the subnet belongs to the correct VPC and to the availability zones that you have specified.

    TargetFailover (String)
      Enable Target Failover support when a target fails or deregisters. (By default, this parameter is set to rebalance.)
      • no_rebalance: Directs existing flows to failed targets and new flows to healthy targets, ensuring backward compatibility.
      • rebalance: Redistributes existing flows while ensuring that new flows go to healthy targets.
        rebalance is supported from Threat Defense Virtual Version 7.4.1 and later.

    TgHealthPort (String)
      Enter the health check port for the GWLB.
      Note
      By default, this port must not be used for traffic.
      Ensure that the value you provide is a valid TCP port. Default: 8080

    Cisco NGFWv Instance Configuration

    InstanceType (String)
      Cisco Threat Defense Virtual EC2 instance type.
      Ensure that the AWS Region supports the instance type you select.
      By default, c5.xlarge is selected.

    LicenseType (String)
      Choose the Cisco Threat Defense Virtual EC2 instance license type. Ensure that the AMI ID that you enter in the AmiID parameter is of the same licensing type.
      By default, BYOL is selected.

    AssignPublicIP (String)
      Set the value to true to assign a public IP address to Threat Defense Virtual from the AWS IP address pool.

    AmiID (String)
      Choose the correct AMI ID for the region, version, and license type (BYOL or PAYG).
      Threat Defense Virtual 7.2 and later support clustering, and Threat Defense Virtual Version 7.6 and later support the autoscaling and multiple availability zone enhancements.
      Type: AWS::EC2::Image::Id

    ngfwPassword (String)
      Threat Defense Virtual instance password.
      All Threat Defense Virtual instances come up with a default password, which is in the Userdata field of the Launch Template (Cluster Group).
      The password is activated after Threat Defense Virtual is accessible.
      Minimum length: 8 characters. The password can be either a plain-text password or a KMS-encrypted password.

    KmsArn (String)
      Enter the ARN of an existing KMS key (the AWS KMS key used to encrypt at rest).
      If you specify a value in this field, the Threat Defense Virtual instance's admin password must be an encrypted password.
      Example of generating an encrypted password: aws kms encrypt --key-id <KMS ARN> --plaintext <password>
      The password must be encrypted using only the specified ARN.

    FMC Automation Configuration

    fmcDeviceGrpName (String)
      Enter a unique name for the cluster group in the management center.

    fmcPublishMetrics (String)
      Select true to create a Lambda function that polls the management center and publishes specific device group metrics to AWS CloudWatch.
      Allowed values: true, false.
      By default, the value is set to true.

    fmcMetricsUsername (String)
      Enter a unique internal user name for polling memory metrics from the management center.
      The user must have Network Admin and Maintenance User privileges or higher.

    fmcMetricsPassword (String)
      Enter the password.
      If you specified the KMS Master Key ARN parameter, provide an encrypted password.
      Enter the correct password; an incorrect password causes metrics collection to fail.

    fmcServer (String)
      The management center IP address. It can be an external IP address or an IP address reachable in the Threat Defense Virtual management subnet in the VPC.
      Minimum length: 7. Maximum length: 15.

    fmcOperationsUsername (String)
      Provide a unique internal user name for Management Center Virtual for CloudWatch.
      The user must have Administrator privileges.

    fmcOperationsPassword (String)
      Enter the password.
      If you specified the KMS Master Key ARN parameter, provide an encrypted password.

    Scaling Configuration

    CpuThresholds (CommaDelimitedList)
      (Optional) Specifying non-zero lower and upper thresholds creates scaling policies. If (0,0) is specified, no CPU scaling alarm or policies are created. Evaluation points and data points are at default or recommended values.
      By default, Autoscale is enabled in this template. Autoscale can be disabled after deployment.

    MemoryThresholds (CommaDelimitedList)
      Specifying non-zero lower and upper thresholds creates scaling policies. If (0,0) is specified, no memory scaling alarm or policies are created. Evaluation points and data points are at default or recommended values.

  5. Click Next, then Create stack.

    The Lambda functions manage the rest of the process, and the Threat Defense Virtual nodes automatically register with the management center.
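Most failed deployments of this stack come from input mistakes the procedure warns about: the AZ list not matching NoOfAZs, a zone without a management or CCL subnet, GWLB endpoint fields filled in while DeployGWLBE is No, or an unsupported performance tier left in Configuration.json. The pre-flight script below is an added example and is not part of the CiscoDevNet repository or the Cisco templates; it checks the Configuration.json settings from Step 1 and the deploy_ngfw_cluster.yaml parameters from Step 4 against the rules stated in this procedure before anything is uploaded or created. The function names, the layout of the parameter dictionary (list parameters as Python lists, CCLSubnetRanges as a list of CIDR blocks) and all sample values are assumptions made for this example.

```python
import ipaddress
import json
import re

# Performance tiers the procedure lists as unsupported for clustering.
UNSUPPORTED_TIERS = {"FTDv5", "FTDv10"}
REQUIRED_CONFIG_KEYS = ("licenseCaps", "performanceTier", "fmcIpforDeviceReg",
                        "RegistrationId", "NatId", "fmcAccessPolicyName")


def check_configuration_json(text):
    """Return the problems found in Configuration.json content (Step 1 rules)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"Configuration.json is not valid JSON: {exc}"]
    problems = [f"missing key: {k}" for k in REQUIRED_CONFIG_KEYS if k not in cfg]
    if not isinstance(cfg.get("licenseCaps"), list) or not cfg.get("licenseCaps"):
        problems.append("licenseCaps must be a non-empty list")
    if cfg.get("performanceTier") in UNSUPPORTED_TIERS:
        problems.append(f"performanceTier {cfg['performanceTier']} is not supported")
    if cfg.get("fmcIpforDeviceReg") != "DONTRESOLVE":  # the procedure says to keep this value
        problems.append("fmcIpforDeviceReg must be DONTRESOLVE")
    if not cfg.get("fmcAccessPolicyName"):
        problems.append("fmcAccessPolicyName must name an access policy on the management center")
    return problems


def ccl_address_pool(cidr):
    """First and last usable CCL address in a CCL subnet: skips the first four addresses
    the procedure says to exclude and the last one, which AWS also reserves. Raises
    ValueError for a malformed CIDR or one with host bits set."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses < 8:
        raise ValueError(f"{cidr} is too small for a CCL pool")
    return str(net.network_address + 4), str(net.broadcast_address - 1)


def check_stack_parameters(p):
    """Return the problems found in a deploy_ngfw_cluster.yaml parameter set (Step 4 rules).
    p is a dict keyed by the table's parameter names; list parameters are Python lists
    and CCLSubnetRanges is a list of CIDR blocks (an assumed layout for this example)."""
    problems = []
    if not re.fullmatch(r"\d{1,3}", str(p.get("ClusterNumber", ""))):
        problems.append("ClusterNumber must be 1 to 3 digits")
    if not 1 <= int(p.get("ClusterSize", 0)) <= 16:
        problems.append("ClusterSize must be between 1 and 16")
    azs = int(p.get("NoOfAZs", 0))
    if not 1 <= azs <= 3:
        problems.append("NoOfAZs must be between 1 and 3")
    if len(p.get("AZ", [])) != azs:
        problems.append("AZ count must match NoOfAZs")
    if len(p.get("MgmtSubnetIds", [])) != azs:
        problems.append("MgmtSubnetIds must list exactly one subnet per availability zone")
    for name in ("InsideSubnetIds", "CCLSubnetIds"):
        if len(p.get(name, [])) < azs:
            problems.append(f"{name} must list at least one subnet per availability zone")
    if len(p.get("LambdaSubnets", [])) < 2:
        problems.append("LambdaSubnets must list at least two subnets")
    ranges = p.get("CCLSubnetRanges", [])
    if len(ranges) != azs:
        problems.append("CCLSubnetRanges must give one range per availability zone")
    for cidr in ranges:
        try:
            ccl_address_pool(cidr)
        except ValueError as exc:
            problems.append(f"CCLSubnetRanges: {exc}")
    if p.get("DeployGWLBE", "No") == "No" and (p.get("VpcIdLBE") or p.get("GWLBESubnetId")):
        problems.append("VpcIdLBE and GWLBESubnetId must be empty when DeployGWLBE is No")
    if not 1 <= int(p.get("TgHealthPort", 0)) <= 65535:
        problems.append("TgHealthPort must be a valid TCP port")
    if len(p.get("ngfwPassword", "")) < 8:
        problems.append("ngfwPassword must be at least 8 characters")
    # When a KMS key is given, the passwords above must be KMS-encrypted with that key.
    if p.get("KmsArn") and not re.fullmatch(r"arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/.+", p["KmsArn"]):
        problems.append("KmsArn is not a KMS key ARN")
    try:
        ipaddress.IPv4Address(p.get("fmcServer", ""))
    except ValueError:
        problems.append("fmcServer must be an IPv4 address (7 to 15 characters)")
    return problems


# Constructed sample inputs for a two-availability-zone cluster; not from a real deployment.
SAMPLE_CONFIGURATION_JSON = """{"licenseCaps": ["BASE", "MALWARE", "THREAT"],
  "performanceTier": "FTDv50", "fmcIpforDeviceReg": "DONTRESOLVE",
  "RegistrationId": "cisco", "NatId": "cisco", "fmcAccessPolicyName": "AWS-ACL"}"""
SAMPLE_PARAMETERS = {
    "ClusterGrpNamePrefix": "msa-ftdv-infra", "ClusterNumber": "1", "ClusterSize": 4,
    "NoOfAZs": 2, "AZ": ["us-east-1a", "us-east-1b"],
    "MgmtSubnetIds": ["subnet-mgmt-a", "subnet-mgmt-b"],
    "InsideSubnetIds": ["subnet-inside-a", "subnet-inside-b"],
    "LambdaSubnets": ["subnet-lambda-a", "subnet-lambda-b"],
    "CCLSubnetIds": ["subnet-ccl-a", "subnet-ccl-b"],
    "CCLSubnetRanges": ["10.0.3.0/28", "10.0.4.0/28"],
    "DeployGWLBE": "No", "TgHealthPort": 8080, "KmsArn": "",
    "ngfwPassword": "<placeholder-password>", "fmcServer": "10.0.0.10",
}

if __name__ == "__main__":
    print("Configuration.json:", check_configuration_json(SAMPLE_CONFIGURATION_JSON) or "OK")
    print("stack parameters:", check_stack_parameters(SAMPLE_PARAMETERS) or "OK")
    for cidr in SAMPLE_PARAMETERS["CCLSubnetRanges"]:
        print(cidr, "CCL pool:", ccl_address_pool(cidr))
```

Run it with python3 on the Amazon Linux machine from the prerequisites after filling in your own values. The CCL pool helper also prints the address range left after the four reserved addresses are excluded, which is useful when sizing the CCL subnet for the node count you set in ClusterSize; a /28 leaves 11 addresses, so a 16-node cluster needs a larger CCL subnet per zone.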

Deployed Resources

The status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE, indicating successful deployment.

Step 5

Verify the cluster deployment by logging into any one of the nodes and using the show cluster info command.

Cluster Nodes
show cluster info