(Preview Only) Secure Firewall Threat Defense

Overview

Deploying a gateway directly to a Secure Firewall Threat Defense virtual (FTDv) device can offer several advantages, especially in network security and management. Utilizing this functionality with FTDv lets you take advantage of advanced security features that may not be present in standard ISP gateways. By deploying a gateway directly to an FTDv device, you can take advantage of these security features to protect your network.

Because this is a multi-product task, you must navigate between both Multicloud Defense and Cloud-delivered Firewall Management Center to complete the steps. Multicloud Defense deploys and registers the FTDv device, including its interfaces, gateway configuration, NAT rules, and platform settings, whereas you edit your access policy, rules, and objects in your Cloud-delivered Firewall Management Center account.

Follow this set of procedures to successfully create and register a Multicloud Defense Gateway to your FTDv device:

  1. Enable Cloud-delivered Firewall Management Center on Your Security Cloud Control Tenant.

  2. Onboard a CSP.

  3. Create a Service VPC.

  4. Create a Multicloud Defense Gateway.

  5. Configure your access policy in Cloud-delivered Firewall Management Center.

Limitations

Read through the following general limitations that apply when you create a gateway for an FTDv device that is managed by Cloud-delivered Firewall Management Center:

  • You must confirm you have an active Cloud-delivered Firewall Management Center account.

  • You cannot create a gateway for clustered FTDv devices.

  • You cannot use the FTDv that is created in this scenario as an endpoint in site-to-site VPN.

  • Only East-West/Egress gateway types are supported.

  • You must create a new Service VPC. VPCs created before this feature do not support this functionality; note that a newly created VPC can still be used for either Multicloud Defense gateways or FTDv gateways.

  • You must use a license purchased through the Cisco Smart Account.

  • Gateway updates must be done through the Multicloud Defense dashboard.

  • FTDv version updates must be done through the Multicloud Defense dashboard.

  • Access control policy modifications must be done through the Cloud-delivered Firewall Management Center dashboard.

  • At this time, only the AWS and Azure cloud service providers support gateways affiliated with FTDv devices.

    Important

    If you have an existing AWS or Azure cloud service provider, or a new AWS cloud service provider account, you must manually accept the Marketplace Terms or Terms of Use.

When you create and apply a gateway to your FTDv environment, note that Multicloud Defense automatically creates a subnet and a corresponding security group for the secondary interface, which is required.

Licensing

The Multicloud Defense Gateway supports both Multicloud Defense licensing and Smart Licensing.

Multicloud Defense licensing is subscription-based access to software delivered via the cloud, emphasizing ease of access, scalability, and regular updates. Multicloud Defense licensing is typically subscription-based with a recurring fee that often includes maintenance, updates, and support as part of the package. Most Multicloud Defense licensing models offer scalability, enabling your organization to easily adjust the number of users or features based on current needs. Because this licensing model is based in the cloud, you can expect immediate access to the latest features and updates. See the Cisco Security Analytics and Logging Ordering Guide for more information.

Smart Licensing is better suited to reusing existing licenses for cost savings in specific deployment scenarios. Opting for a smart license allows your organization to apply pre-purchased licenses to its cloud or hybrid deployments, leveraging licenses the organization already owns to be more cost effective. As an added benefit, smart licenses are often used for specific deployment types, such as cloud or hybrid scenarios, where organizations migrate existing workloads without acquiring new licenses.

When creating your gateway for your FTDv you have the opportunity to select one of these two options depending on your resources.

Important

Once you deploy a gateway with an FTDv device, you cannot change the licensing model. You can change the performance tier of the licensing model you selected.

Auto-Scaling

Auto-scaling helps ensure that applications have the necessary resources to maintain performance while optimizing cost efficiency. While Multicloud Defense does this automatically, know that the benefits of auto-scaling your gateway and its instances can include cost efficiency, optimized performance, and flexibility within your environment.

Note that auto-scaling in FTDv gateways is not the same as auto-scaling in the Multicloud Defense Gateway. See Gateway Auto-scaling for more information on native auto-scaling abilities. For how auto-scaling impacts FTDv gateways and how it can improve your experience, read the following:

  • Monitored Metrics - To ensure auto-scaling is performed appropriately and in a timely manner for your specific environment, the metrics of system memory, Snort CPU, and ASA software CPU are monitored.

  • Scale Up and Scale Out - If any of the metrics register above or below the allowed thresholds, the environment scales up or out to adjust the resources associated with the instances and handle traffic spikes or drops. This triggered event is per availability zone, not per region.

  • Security in Performance - This aspect adds resources to handle the increased demand without compromising security measures, maintaining the integrity and responsiveness of the firewall.

  • Adaptability - In environments where network traffic is unpredictable, auto-scaling provides the flexibility to adapt quickly without manual intervention and minimizes downtime and service interruptions.
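The following is an added illustration, not Multicloud Defense code, of the decision model described above: the three monitored metrics are evaluated per availability zone, and any metric crossing its threshold triggers a scaling event for that zone. The thresholds, metric names, and sample values are constructed placeholders, not the product's actual values.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed placeholder thresholds (percent); the real product values are not published here.
METRICS = ("memory", "snort_cpu", "asa_cpu")
HIGH = {"memory": 80.0, "snort_cpu": 75.0, "asa_cpu": 75.0}
LOW = {"memory": 20.0, "snort_cpu": 15.0, "asa_cpu": 15.0}


@dataclass
class Sample:
    """One metrics reading from one FTDv instance (constructed data shape)."""
    az: str
    memory: float
    snort_cpu: float
    asa_cpu: float


def evaluate(samples):
    """Decide scaling for one group of samples.

    Scale out if ANY averaged metric is above its high threshold (a spike on
    Snort CPU alone is enough). Scale in only if ALL metrics are below their
    low thresholds (a conservative assumption: one idle metric must not shrink
    capacity while another is busy). Otherwise hold.
    """
    avg = {m: mean(getattr(s, m) for s in samples) for m in METRICS}
    if any(avg[m] > HIGH[m] for m in METRICS):
        return "scale_out"
    if all(avg[m] < LOW[m] for m in METRICS):
        return "scale_in"
    return "hold"


def evaluate_per_az(samples):
    """Group samples by availability zone and decide per zone, not per region."""
    by_az = {}
    for s in samples:
        by_az.setdefault(s.az, []).append(s)
    return {az: evaluate(group) for az, group in sorted(by_az.items())}


# Constructed readings: zone "a" has a Snort CPU spike, "b" is steady, "c" is idle.
SAMPLES = [
    Sample("us-east-1a", 55.0, 85.0, 40.0),
    Sample("us-east-1a", 60.0, 90.0, 45.0),
    Sample("us-east-1b", 50.0, 40.0, 35.0),
    Sample("us-east-1c", 10.0, 5.0, 8.0),
    Sample("us-east-1c", 12.0, 9.0, 6.0),
]

if __name__ == "__main__":
    print("per AZ:", evaluate_per_az(SAMPLES))   # zone a scales out, c scales in
    print("region:", evaluate(SAMPLES))          # a region-wide average hides the spike
```

Evaluating the same readings region-wide averages the zone "a" spike away and returns "hold", which is why the per-zone trigger matters.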