In this Tutorial will be deployed Cisco Firepower Threat Defense Virtual Appliance in Testlab, running on ESXi Host. I will go step by step with both types of management – locally and remotely with FMC. These steps could also be used for production environment install.
Prerequisites:
- VMware ESXi host
- Cisco FTD – Firepower Threat Defense Image
- optional – running Cisco FMC – Firepower Management Center (for remote management option)
Network Diagram:
1. Download the Firepower Threat Defense Virtual
Download the Firepower Threat Defense Virtual image for VMware ESXi from Cisco.com, and save it to your local computer:
https://software.cisco.com/download/home/286306503/type/286306337/release/7.0.1
Note:
A Cisco.com login and Cisco service contract are required.
2. Create VMware Virtual Machine
2.1 In VMware ESXi Web interface select “Create/Register VM”.
2.2 Select “Deploy a virtual machine from an OVF or OVA file”. Select Next.
2.3 Enter name for the FTD Appliance “Cisco-ftd1”, Select or drag and drop the vmdk file and ESXi .ovf file. Select Next.
Note:
If you are deploying in vCenter use VI .ovf file.
2.4 Choose your Datastore. Select Next.
2.5 Configure your Network interface mappings and Deployment Type (according to your license / performance tier)
“Management0-0” – function Management (lab_mgmt1)
“Diagnostic” – function Diagnostic (lab_lan2)
“GigabitEthernet0-0” – function Outside Data (lab_wan1)
“GigabitEthernet0-1” – function Inside Data (lab_lan1)
“GigabitEthernet0-[2..7]” function Data traffic (optional)
more about Deployment options in Cisco Documentation – step 12
Deploy the Firepower Threat Defense Virtual to a vSphere ESXi Host
Select Deployment type: 4 Core / 8 GB
more about Deployment type in Cisco Documentation – “Table 2. Performance Tiers”:
Disk Provisioning: Thin
more about VMware ESXi disk provisioning
Select Next.
2.6 Review your configuration before finishing the wizard. Select Finish.
3. Complete the FTD setup using CLI
3.1 Open the VMware console and log in with default credentials: admin/Admin123, press Enter to display EULA. press Enter to accept EULA.
3.2 Enter new admin password.
3.3 Configure network
Do you want to configure IPv4: y
Do you want to configure IPv6: n
Configure IPv4 via DHCP or manually: manual
Enter IPv4 address for the management interface: 172.21.1.41
Enter IPv4 netmask for the management interface: 255.255.255.0
Enter the IPv4 default gateway for the management interface: 172.21.1.1
Enter a fully qualified hostname for this system: ftd1
Enter a fully comma-separated list of DNS servers or ‘none’: 172.21.1.1, 8.8.8.8
Manage the device localy? yes
Note:
for managing the device locally with Firepower Device Manager (included in FTD system) choose – yes
for managing remotely with Firepower Management Center (additional standalone product) choose – no and go directly to Step 6. – Remotely managed FTD with FMC
3.4 Initial configuration successfully performed.
4. Basic Firepower Device Manager configuration
4.1 Log in to FDM with your account.
4.2 Configure Outside Interface
Configure IPv4: Manually input
IPv4 Address: 172.16.1.41
Network Mask: 255.255.255.0
Gateway: 172.16.1.1
Select Next.
4.3 Configure Time Setting. Select Next.
4.4 Choose license model or continue with evaluation period. Choose Performance Tier. Select Finish.
more about FTD Performance Tiers.
4.5 Choose “Standalone Device” unless you want manage the device from cloud. Select Got it.
4.6 Select “View All Interfaces”
4.7 Select edit button on GigabitEthernet0/1 (inside interface)
4.8 Configure inside network interface.
IP Address: 10.0.1.1
Netmaks: 255.255.255.0
Disable DHCP Server (unless you want to use DHCP Service on the FTD), Select Delete.
Are you sure you want to delete this DHCP Server? Select Ok.
Acknowledge interface configuration, Select Ok.
5. Basic Policy configuration
5.1 Select “Policies” Tab – Access Control.
configure Policy according to your needs. (In this example Default Rule with Action “Allow”)
Note:
Trust – Allow traffic without further inspection of any kind.
Allow – Allow the traffic subject to the intrusion and other inspection settings in the policy.
Block – Drop the traffic unconditionally. The traffic is not inspected.
more about Configuring the Access Control Policy
5.2 Deploy pending changes. Select Deploy. Select Deploy now
At this point we have functional locally managed Cisco Firepower Threat Defense with basic configuration already processing the traffic and ready for advanced configuration in FDM – Firepower Device Manager.
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager
6. Remotely managed FTD with FMC
6.1 Manage the device locally? (yes/no): no
6.2 Configure firewall mode. Enter routed.
6.3 Configure Registration Key for the FMC
configure manager add 172.21.1.40 MyRegistrationKey
6.4 Log in to your FMC and Select Devices – Device Management.
Note:
If you are using Evaluation License then in popup window select “Start 90-day evaluation period without registration.”
6.5 Select Add – Device.
6.6 Add the ftd1 device.
Host: 172.21.1.41
Display Name: ftd1
Registration Key: MyRegistrationKey
Group: None
Performance Tier: FTDv5 – Tiered (Core 4 / 8 GB)
Transfer Pakcets: Checked
Select under Access Control Policy – Create new policy
6.7 Create Policy
Name: ftd1_policy
Default Action: Block all traffic
Select Save. Select Register.
6.8 FTD Appliance “ftd1” is successfully registered to the FMC. Select ftd1 – Edit
more about Configure, Verify and Troubleshoot Firepower Device Registration
Note:
Red Exclamation mark will disappear once there is successful Threat Data Updates download from the Cisco Cloud
6.9 Configure ftd1 Interfaces
6.10 Select Policies – Access Control – edit Policy
FTD Appliance is successfully registered to FMC and we can start with the policy configuration.
more about Configure a Basic Security Policy