(Preview Only) Secure Firewall Threat Defense
Overview
Deploying a Secure Firewall Threat Defense Virtual (FTDv) gateway offers several advantages for network security and management. Pairing this functionality with FTDv gives you advanced security features that standard ISP gateways may not provide, and deploying an FTDv gateway lets you use those features to protect your network.
Because this is a multi-product task, you must navigate between both Multicloud Defense and Cloud-delivered Firewall Management Center to complete the steps. Multicloud Defense deploys and registers the FTDv device, including its interfaces, gateway configuration, NAT rules, and platform settings, whereas you edit your access policy, rules, and objects in your Cloud-delivered Firewall Management Center account.
Follow this set of procedures to successfully create and deploy the FTDv gateway:
Limitations
Read through the following general limitations that apply when you create an FTDv gateway that is managed by Cloud-delivered Firewall Management Center:
- You must confirm that you have an active Cloud-delivered Firewall Management Center account.
- You cannot create a gateway if your FTDv device is clustered.
- You cannot use the FTDv gateway as an endpoint in a site-to-site VPN.
- Only East-West/Egress gateway types are supported.
- You must create a new Service VPC. VPCs created before this feature do not support this functionality; note that a newly created VPC can still be used for both Multicloud Defense gateways and FTDv gateways.
- If you intend to use a smart license, you must purchase the license through your Cisco Smart Account.
- Gateway updates must be done through the Multicloud Defense dashboard.
- FTDv version updates and actions made to the FTDv gateway must be done through the Multicloud Defense dashboard. This includes moving the FTDv device into or out of a device group, changing the policy attached to the FTDv device or device group, and other tasks that directly impact the status of the FTDv.
- Access control policy modifications must be done through the Cloud-delivered Firewall Management Center dashboard. This covers changes to the policy itself, not how the policy is affiliated with the FTDv.
- At this time, only the AWS and Azure cloud service providers support gateways affiliated with FTDv.
Important: If you have an existing AWS or Azure cloud service provider, or a new AWS cloud service provider account, you must manually accept the Marketplace Terms or Terms of Use.
When you create and apply a gateway to your FTDv environment, note that Multicloud Defense automatically creates a subnet and a corresponding security group for the secondary interface, which is required.
Licensing
The Multicloud Defense Gateway supports both Multicloud Defense licensing and Smart Licensing.
Multicloud Defense licensing is subscription-based access to software delivered via the cloud, emphasizing ease of access, scalability, and regular updates. It typically carries a recurring fee that includes maintenance, updates, and support as part of the package. Most Multicloud Defense licensing models offer scalability, enabling your organization to adjust the number of users or features to match current needs. Because this licensing model is based in the cloud, you can expect immediate access to the latest features and updates. See the Cisco Security Analytics and Logging Ordering Guide for more information.
Smart Licensing is better suited to reusing existing licenses for cost savings in specific deployment scenarios. Opting for a smart license lets your organization apply pre-purchased licenses to its cloud or hybrid deployments, so licenses the organization already owns are used cost-effectively. Smart licenses are often used for specific deployment types, such as cloud or hybrid scenarios, where organizations migrate existing workloads without acquiring new licenses.
When creating the gateway for your FTDv, you select one of these two options depending on your resources.
Important: Once you deploy a gateway with an FTDv device, you cannot change the licensing model. You can change the performance tier of the licensing model you selected.
Auto-Scaling
Auto-scaling helps ensure that applications have the resources they need to maintain performance while optimizing cost efficiency. Multicloud Defense handles this automatically; the benefits of auto-scaling your gateway and its instances include cost efficiency, optimized performance, and flexibility within your environment.
Note that auto-scaling in FTDv gateways is not the same as auto-scaling in the Multicloud Defense Gateway. See Gateway Auto-scaling for more information on native auto-scaling abilities. For how auto-scaling affects FTDv gateways and how it can improve your experience, read the following:
- Monitored Metrics - To ensure auto-scaling is performed appropriately and in a timely manner for your specific environment, the metrics of system memory, Snort CPU, and ASA software CPU are monitored.
- Scale Out - If any of the metrics register above or below the allowed thresholds, the environment scales up or out to accommodate the load or resources associated with the instances, handling traffic spikes or drops. This triggered event is per availability zone, not the designated region.
Note: Scaling out your environment adds time to the deployment action.
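To make the per-availability-zone behaviour concrete, the following is an added example (not Cisco's code and not how Multicloud Defense is implemented) that evaluates constructed FTDv metric samples for system memory, Snort CPU, and ASA CPU, groups them by availability zone, and emits a scale-out, scale-in, or hold decision per zone rather than per region. The threshold values, the scale-in rule (all instances in a zone below the low mark, with at least one instance retained), and the sample data are assumptions chosen for illustration; the page does not publish the actual thresholds or scale-in logic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds in percent. These are illustrative placeholders, not the
# values Multicloud Defense uses.
SCALE_OUT_THRESHOLD = 80.0   # any monitored metric above this triggers scale-out
SCALE_IN_THRESHOLD = 20.0    # every monitored metric below this allows scale-in
MIN_INSTANCES_PER_ZONE = 1   # assumed floor: never scale a zone to zero


@dataclass(frozen=True)
class MetricSample:
    """One polling sample from one FTDv instance (field names are assumed)."""
    zone: str             # availability zone the instance runs in
    instance: str
    memory_pct: float     # system memory utilization
    snort_cpu_pct: float  # Snort inspection engine CPU
    asa_cpu_pct: float    # ASA software (Lina) CPU

    def metrics(self):
        return (self.memory_pct, self.snort_cpu_pct, self.asa_cpu_pct)


def zone_decisions(samples, out=SCALE_OUT_THRESHOLD, low=SCALE_IN_THRESHOLD,
                   min_instances=MIN_INSTANCES_PER_ZONE):
    """Return {zone: 'scale-out' | 'scale-in' | 'hold'}.

    The decision is made independently for each availability zone: one hot
    instance in zone A scales out zone A only, never the whole region.
    """
    by_zone = defaultdict(list)
    for s in samples:
        by_zone[s.zone].append(s)

    decisions = {}
    for zone, zone_samples in sorted(by_zone.items()):
        # Any single metric on any instance crossing the high mark is enough.
        if any(m > out for s in zone_samples for m in s.metrics()):
            decisions[zone] = "scale-out"
        # Assumed scale-in rule: the whole zone is idle and we keep a floor.
        elif (all(m < low for s in zone_samples for m in s.metrics())
              and len(zone_samples) > min_instances):
            decisions[zone] = "scale-in"
        else:
            decisions[zone] = "hold"
    return decisions


# Constructed sample data: three zones, each exercising one branch.
SAMPLES = [
    MetricSample("us-east-1a", "ftdv-1", memory_pct=45.0, snort_cpu_pct=91.0, asa_cpu_pct=40.0),
    MetricSample("us-east-1b", "ftdv-2", memory_pct=10.0, snort_cpu_pct=12.0, asa_cpu_pct=8.0),
    MetricSample("us-east-1b", "ftdv-3", memory_pct=15.0, snort_cpu_pct=11.0, asa_cpu_pct=9.0),
    MetricSample("us-east-1c", "ftdv-4", memory_pct=50.0, snort_cpu_pct=55.0, asa_cpu_pct=30.0),
]


def run_example():
    """Evaluate the constructed samples and return the per-zone decisions."""
    return zone_decisions(SAMPLES)


if __name__ == "__main__":
    for zone, action in run_example().items():
        print(f"{zone}: {action}")
```

Running the block prints one line per zone: us-east-1a scales out because Snort CPU alone exceeds the high mark, us-east-1b scales in because both of its instances are idle and one instance would remain, and us-east-1c holds. Swapping the per-zone grouping for a region-wide average would mask the hot zone, which is the distinction the page draws.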