(Preview Only) Add a Gateway with an FTDv

Use the following procedure to create a Multicloud Defense Gateway to be used with a Secure Firewall Threat Defense virtual (FTDv) device.

Before you begin

Review the Before You Begin section for information or requirements pertaining to your specific environment before you create a gateway.

At this time only AWS and Azure cloud service providers are supported.

Procedure


Step 1

Navigate to Infrastructure > Gateways > Gateways.

Step 2

Click Add Gateway.

Step 3

Select the cloud service provider you want to add the gateway to.

Step 4

Click Next.

Step 5

Enter the following Gateway Information. Note that if you do not have the Preview feature enabled, the options for "Gateway Type" may differ and you should refer to Add a Multicloud Defense Gateway.

  • Account - Expand the drop-down menu and select a cloud service provider account that is already onboarded to Multicloud Defense Controller. At this time, only AWS and Azure accounts are supported.

  • Gateway Type - Expand the drop-down menu and select "FTDv Gateway".

  • Name - Enter a name for the gateway as it will be displayed in the Multicloud Defense Controller.

  • (Optional) Description - Enter a description for the gateway. We recommend using unique identifiers to differentiate this gateway from others that may have a similar name or purpose.

  • Instance Type - Choose the type of cloud service provider. This selection should match the cloud service provider that is selected in the aforementioned "Account" field. Note that there may be multiple variations of instances depending on which cloud service provider you are using.

  • Minimum Instances - Select the minimum number of instances that you plan to deploy.

  • Maximum Instances - Select the maximum number of instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone.

  • HealthCheck Port - Default is 65534. The port number used by the Multicloud Defense load balancer to check the health of the instances. Datapath security groups assigned to the instance(s) must allow traffic on this port.

Step 6

Click Next.

Step 7

Provide the following parameters where applicable. Note that several fields are auto-filled based on the configuration of the Service VPC you created for this gateway. See Create a Service VPC or VNet for more information.

  • Security - East-West/Egress is auto-selected. No other gateways support FTDv at this time.

  • FTD Version - Select the version of software to run on the FTDv device when Multicloud Defense creates and deploys the device.

  • Policy Ruleset - Select the access control policy ruleset to associate with this gateway. If you do not already have an access policy ready you can either use the default policy or create a new policy from this menu.

  • Admin Password - Enter a password for the admin of the FTDv device. Follow the on-screen prompts for a strong password.

  • License Model - At this time only the BYOL method is supported. You must purchase a license or have an unused license purchased through your Cisco Smart Account.

  • (BYOL only) Performance Tier - Expand the drop-down menu and select the appropriate performance tier for your device. Note that FTDv50 is auto-selected.

    • FTDv5: 100Mbps rate limit, 4 core/8 GB, 50 RA VPN session limit.

    • FTDv10: 1Gbps rate limit, 4 core/8 GB, 250 RA VPN session limit.

    • FTDv20: 3Gbps rate limit, 4 core/8 GB, 250 RA VPN session limit.

    • FTDv30: 5Gbps rate limit, 8 core/16 GB, 250 RA VPN session limit.

    • FTDv50: 10Gbps rate limit, 12 core/24 GB, 750 RA VPN session limit.

    • FTDv: 16Gbps rate limit, 16 core/34 GB, 10,000 RA VPN session limit.

  • (BYOL only) License Types - Expand the drop-down menu and select the appropriate license type that you have purchased or will purchase in the future. Note that the Base license is auto-selected.

    • Base License - Perpetual license that includes all features not covered by optional term licenses. It is automatically added to your account when you register.

    • Threat License - Term-based license required to use policies such as Intrusion, File (with Malware license also required), and Security Intelligence.

    • Malware License - Term-based license for File policies (with Threat license also required).

    • URL License - Term-based license for URL policies, including category and reputation-based URL filtering or DNS lookup request filtering.

    • RA VPN License - Available as AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only, which can be term-based or perpetual based on the license type. It is used for remote access VPN configuration.

  • Region - Select the region this gateway will be deployed into.

  • VPC/VNet ID - Select the ID of the Service VPC or VNet to associate with the gateway. Identifying a Service VPC or VNet in this step confirms the management and datapath security groups as well as the availability zones. To modify these values, create a new service VPC and add it to this gateway.

  • (Azure only) Key Selection - Select the type of key, its size, and its activation and expiration dates. Choose either "SSH Public Key" or "SSH Key Pair". Based on your selection, enter the appropriate information in the text field when prompted.

  • (AWS only) Key Pair - Expand the drop-down menu and select the key pair that is associated with the cloud account you selected in the previous screen.

  • Resource Groups - Select the resource group to associate the gateway with.

  • (Azure only) User Assigned Identity ID - Enter the cloud service provider identity to associate with this gateway. User-assigned managed identities can be used in place of credentials for resources for Azure services, such as a private key stored in Azure Key Vault or writing PCAP files to Azure Blob Storage.

  • (AWS only) Gateway IAM Role - Expand the drop-down menu and select the IAM role that allows the gateway to perform READ and WRITE operations on your AWS account.

  • (AWS only) EBS Encryption - Expand the drop-down menu and select the appropriate EBS encryption for your specific AWS account.

  • (Azure only) Disk Encryption - Select the appropriate option from the drop-down menu. For a customer-managed encryption key, you will need to input the resource ID of the encryption key.

Step 8

The Instance Details are auto-populated based on the VPC you select. Use this as a chance to review the VPC configuration before you deploy the gateway. Click Next.

Step 9

Review the configuration of the gateway. If you are satisfied with the gateway and want to deploy it, click Finish. If you want to modify the settings, click Back.
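Step 5 requires the datapath security group to allow traffic on the HealthCheck Port (default 65534) or the load balancer will mark the instances unhealthy. The following added example, not part of this documentation or of Multicloud Defense, checks a security group for that rule before you click Finish; the dict layout mirrors the AWS EC2 DescribeSecurityGroups response, and the group IDs and rules shown are constructed sample data.

```python
# Added example (not Cisco's code): verify that a datapath security group
# permits the Multicloud Defense health-check port (default 65534, Step 5).
# The dict layout mirrors the AWS EC2 DescribeSecurityGroups response, so an
# entry from boto3 describe_security_groups()["SecurityGroups"] can be passed in.
HEALTHCHECK_PORT = 65534

def rule_allows_tcp_port(rule, port):
    # True if one ingress permission entry covers TCP traffic on `port`.
    proto = rule.get("IpProtocol")
    if proto == "-1":                 # "All traffic" rules carry no port fields
        return True
    if proto not in ("tcp", "6"):     # UDP/ICMP rules do not satisfy a TCP check
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi           # handles both single ports and ranges

def sources_for_port(sg, port):
    # Return the set of sources (CIDRs / security group ids) allowed to reach TCP `port`.
    sources = set()
    for rule in sg.get("IpPermissions", []):
        if not rule_allows_tcp_port(rule, port):
            continue
        sources.update(r["CidrIp"] for r in rule.get("IpRanges", []))
        sources.update(r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
        sources.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
    return sources

def healthcheck_reachable(sg, port=HEALTHCHECK_PORT):
    # The health check passes only if at least one source may reach the port.
    return bool(sources_for_port(sg, port))

# Constructed sample security groups (hypothetical ids, not real account data).
DATAPATH_SG_OK = {
    "GroupId": "sg-datapath-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 65534, "ToPort": 65534,
         "UserIdGroupPairs": [{"GroupId": "sg-lb-example"}]},
    ],
}
DATAPATH_SG_MISSING = {           # UDP on the port is not enough for the TCP probe
    "GroupId": "sg-datapath-example-2",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 65534, "ToPort": 65534,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
```

Run the check against every datapath security group attached to the Service VPC; a result of False for any of them means the gateway instances will never pass the load balancer health check.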


What to do next

Clicking Finish at the end of this procedure deploys the gateway; creating and deploying the gateway may take a minimum of 30 minutes. While Multicloud Defense deploys the gateway, it also registers the gateway instance in Cloud-delivered Firewall Management Center for your convenience, creates and applies subnets and security groups for the appropriate interfaces, and applies the access policy you selected in this procedure.

Once the gateway has successfully deployed and is displayed in the Cloud-delivered Firewall Management Center, we recommend making any necessary updates or additions to the policy. Any network objects associated with the policy are shared and displayed in Multicloud Defense for visibility. Policy orchestration and management are done through Cloud-delivered Firewall Management Center.