Secure Firewall Threat Defense Virtual
Overview
Deploying a Secure Firewall Threat Defense Virtual (FTDv) gateway can offer several advantages, especially in network security and management. Using this functionality with FTDv lets you take advantage of advanced security features that may not be present in standard ISP gateways, and apply them to protect your network.
Because this is a multi-product task, you must move between Multicloud Defense and Cloud-delivered Firewall Management Center to complete the steps. Multicloud Defense deploys and registers the FTDv device, including its interfaces, gateway configuration, NAT rules, and platform settings, whereas you edit your access policy, rules, and objects in your Cloud-delivered Firewall Management Center account.
Guidelines
Here are some of the guidelines to follow when you create an FTDv that is managed by Cloud-delivered Firewall Management Center:
- When you create and apply a gateway to your FTDv environment, note that Multicloud Defense automatically creates a subnet and a corresponding security group for the secondary interface, which is required.
- Avoid deploying the maximum number of FTDv gateways allowed by the Cloud-delivered Firewall Management Center tier within a tenant. During upgrades, additional capacity is temporarily required to bring up new instances before the older instances can be decommissioned.
- In Azure, for debugging, if you want to log in to an FTDv instance via SSH, use the username "centos" along with the SSH key provisioned during the gateway deployment. Alternatively, you can use the Azure CLI to log in to the FTDv with the "admin" username and the password provided during gateway deployment.
- In AWS, for East-West traffic inspection, the security zone to use in the access policy is the "VNI" zone. This is U-turn traffic, so the source and destination security zones are the same. In AWS, for egress traffic, the source security zone is the "VNI" zone and the destination is the "Outside" security zone.
- In Azure, for East-West traffic inspection, the security zone to use in the access policy is the "Inside" zone. This is U-turn traffic, so the source and destination security zones are the same. In Azure, for egress traffic, the source security zone is the "Inside" zone and the destination is the "Outside" security zone.
Follow this set of procedures to successfully create and deploy the FTDv gateway:
Limitations
Read through the following general limitations that apply when you create an FTDv gateway that is managed by Cloud-delivered Firewall Management Center:
- You must confirm you have an active Cloud-delivered Firewall Management Center account.
- You cannot create a gateway if your FTDv device is clustered.
- You cannot use the FTDv gateway as an endpoint in a site-to-site VPN or RA VPN.
- Only East-West/Egress gateway types are supported.
- You must create a new Service VPC. VPCs created before this feature was introduced do not support this functionality; a newly created VPC can still be used for either Multicloud Defense gateways or FTDv gateways.
- If you intend to use a smart license, you must purchase the license through your Cisco seller or partner.
- Gateway software updates must be done through the Multicloud Defense dashboard.
- FTDv version updates and configuration changes made to the FTDv gateway must be done through the Multicloud Defense dashboard. This includes moving the FTDv device into or out of a device group, changing the policy attached to the FTDv device or device group, and other tasks that directly affect the status of the FTDv.
- Access control policy modifications must be done through the Cloud-delivered Firewall Management Center dashboard. This means changes to the policy itself, not to how the policy is associated with the FTDv.
- At this time, jumbo frames are not supported.
- At this time, only the AWS and Azure cloud service providers support FTDv gateways.
Important: If you have an existing AWS or Azure cloud service provider account, or a new AWS cloud service provider account, you must manually accept the Marketplace Terms or Terms of Use.
Licensing
The Multicloud Defense Gateway supports both Multicloud Defense licensing and Smart Licensing.
Multicloud Defense licensing is subscription-based access to software delivered via the cloud, with a recurring fee that typically includes maintenance, updates, and support. Most Multicloud Defense licensing models are scalable, so your organization can adjust the number of users or features as needs change, and because the model is cloud-based you get immediate access to the latest features and updates. See the Cisco Security Analytics and Logging Ordering Guide for more information.
Smart Licensing is better suited to reusing existing licenses for cost savings in specific deployment scenarios. Opting for a smart license lets your organization apply pre-purchased licenses it already owns to cloud or hybrid deployments, which is typically more cost effective. Smart licenses are often used for deployment types such as cloud or hybrid scenarios, where an organization migrates existing workloads without acquiring new licenses.
When creating your gateway for your FTDv you have the opportunity to select one of these two options, depending on your resources.
Important: Once you deploy a gateway with an FTDv device, you cannot change the licensing model. You can change the performance tier of the licensing model you selected.
There are different tiers of licensing, as follows:
- Base licensing - This is the standard foundational license that enables basic firewall and networking functionality, such as stateful firewalling, routing, and NAT features.
- Threat Licensing (Threat Protection) - Provides access to Intrusion Prevention System (IPS) features, enabling threat detection and prevention. It also includes signature-based detection for known vulnerabilities and threats.
- Malware Licensing (Malware Defense) - Enables advanced malware protection through Cisco Advanced Malware Protection (AMP) and includes file trajectory, sandboxing, and retrospective malware detection capabilities.
- URL Filtering Licensing - Allows URL filtering to control and monitor web traffic and provides access to Cisco's global threat intelligence for web categorization.
To accompany these license types there is capacity-based licensing, intended to align performance and throughput with your needs, which can assist in cost optimization and scalability:
- FTDv5: Up to 100 Mbps. This is only supported in Azure.
- FTDv10: Up to 1 Gbps. This is only supported in Azure.
- FTDv20: Up to 3 Gbps
- FTDv30: Up to 5 Gbps
- FTDv50: Up to 10 Gbps
- FTDv100: Up to 16 Gbps
Auto-Scaling
Auto-scaling helps ensure that applications have the necessary resources to maintain performance while optimizing cost efficiency. While Multicloud Defense does this automatically, know that the benefits of auto-scaling your gateway instances can include cost efficiency, optimized performance, and flexibility within your environment.
Note that auto-scaling in FTDv gateways is not the same as auto-scaling in Multicloud Defense Gateway. See Gateway Auto-scaling for more information on native auto-scaling abilities. For how auto-scaling impacts FTDv gateways and how it can elevate your experience, read the following:
- Monitored Metrics - To ensure auto-scaling is performed appropriately and in a timely manner for your specific environment, the system memory, Snort CPU, and data plane metrics are monitored.
- Scale Out - If any of the metrics registers above the allowed thresholds, the environment scales up or out to accommodate the load or resources associated with the instances, handling traffic spikes. This triggered event is per availability zone, not the designated region.
Note: Scaling out your environment adds additional time to the deployment action.
- Scale In - If any of the metrics registers below the allowed thresholds, the environment scales down or in to accommodate the load or resources associated with the instances, handling traffic drops. This triggered event is per availability zone, not the designated region.
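To make the per-availability-zone trigger concrete, here is an added example (not Cisco's or Multicloud Defense's own code) that evaluates the three monitored metrics named above, system memory, Snort CPU and data plane, for a set of constructed instance samples and decides, zone by zone, whether to scale out, scale in or hold. The threshold values are assumptions, since the page does not state them. The example also makes one stricter assumption than the text: it scales in only when every metric on every instance in the zone is below its low threshold, so that a zone is never shrunk while one metric is still hot.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds (percent). The page names the monitored metrics but
# does not publish the real threshold values; these are illustrative only.
SCALE_OUT_HIGH = {"memory": 80.0, "snort_cpu": 75.0, "dataplane": 75.0}
SCALE_IN_LOW = {"memory": 30.0, "snort_cpu": 25.0, "dataplane": 25.0}


@dataclass(frozen=True)
class Sample:
    """One metrics reading from one FTDv instance (values in percent)."""
    az: str          # availability zone the instance runs in
    instance: str    # instance name (constructed label)
    memory: float    # system memory utilisation
    snort_cpu: float # Snort CPU utilisation
    dataplane: float # data plane utilisation


def decide_for_zone(samples):
    """Return 'scale_out', 'scale_in' or 'hold' for one availability zone.

    Scale out if any monitored metric on any instance is above its high
    threshold. Otherwise scale in only if every metric on every instance is
    below its low threshold (an assumption made here, stricter than the
    'any metric below' wording, to avoid shrinking a zone that is still busy).
    """
    if not samples:
        return "hold"
    hot = any(getattr(s, m) > SCALE_OUT_HIGH[m]
              for s in samples for m in SCALE_OUT_HIGH)
    if hot:
        return "scale_out"
    cold = all(getattr(s, m) < SCALE_IN_LOW[m]
               for s in samples for m in SCALE_IN_LOW)
    return "scale_in" if cold else "hold"


def evaluate(samples):
    """Group samples by availability zone and decide each zone on its own,
    because the trigger is per availability zone rather than per region."""
    by_zone = defaultdict(list)
    for s in samples:
        by_zone[s.az].append(s)
    return {az: decide_for_zone(zone_samples)
            for az, zone_samples in sorted(by_zone.items())}


# Constructed sample readings, not real telemetry.
SAMPLES = [
    Sample("us-east-1a", "ftdv-1", 45.0, 82.0, 40.0),  # Snort CPU hot -> scale out
    Sample("us-east-1a", "ftdv-2", 40.0, 35.0, 30.0),
    Sample("us-east-1b", "ftdv-3", 20.0, 10.0, 12.0),  # every metric cold -> scale in
    Sample("us-east-1b", "ftdv-4", 15.0, 12.0, 9.0),
    Sample("us-east-1c", "ftdv-5", 20.0, 10.0, 60.0),  # data plane not cold -> hold
]

if __name__ == "__main__":
    for az, decision in evaluate(SAMPLES).items():
        print(f"{az}: {decision}")
```

Running the block prints one decision per zone: us-east-1a scales out because a single hot Snort CPU reading is enough, us-east-1b scales in because every reading is cold, and us-east-1c holds because its data plane is neither above the high nor below the low threshold. Reviewing decisions at this granularity is also what you would want when auditing capacity against the tenant limit noted in the Guidelines, since each scale-out event consumes headroom in one zone.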