Cisco Firepower Threat Defense Virtual Install – How to Tutorial

In this Tutorial will be deployed Cisco Firepower Threat Defense Virtual Appliance in Testlab, running on ESXi Host. I will go step by step with both types of management – locally and remotely with FMC. These steps could also be used for production environment install.



Network Diagram:

1. Download the Firepower Threat Defense Virtual


Download the Firepower Threat Defense Virtual image for VMware ESXi from, and save it to your local computer:



A login and Cisco service contract are required.

2. Create VMware Virtual Machine

The FTDv supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.
Minimal Hardware Requirements for FTD Virtual Appliance:
Performance Tier: FTDv5, 100Mbps
CPU Cores: 4
Memory: 8 GB RAM
Storage: Thin Provision 48.24 GB
For the Testlab purposes will be used the minimal configuration. This configuration is not necessary to prepare in advance for the VM, because we will be deploying this virtual machine from ovf file which includes deployment template.

2.1 In VMware ESXi Web interface select “Create/Register VM”.

2.2 Select “Deploy a virtual machine from an OVF or OVA file”. Select Next.

2.3 Enter name for the FTD Appliance “Cisco-ftd1”, Select or drag and drop the vmdk file and ESXi .ovf file. Select Next.



If you are deploying in vCenter use VI .ovf file.

2.4 Choose your Datastore. Select Next.

2.5 Configure your Network interface mappings and Deployment Type (according to your license / performance tier)


“Management0-0” – function Management (lab_mgmt1)

“Diagnostic” – function Diagnostic (lab_lan2)

“GigabitEthernet0-0” – function Outside Data (lab_wan1)

“GigabitEthernet0-1” – function Inside Data (lab_lan1)

“GigabitEthernet0-[2..7]” function Data traffic (optional)


more about Deployment options in Cisco Documentation – step 12

Deploy the Firepower Threat Defense Virtual to a vSphere ESXi Host


Select Deployment type: 4 Core / 8 GB

more about Deployment type in Cisco Documentation – “Table 2. Performance Tiers”:

System Requirements


Disk Provisioning: Thin

more about VMware ESXi disk provisioning


Select Next.

2.6 Review your configuration before finishing the wizard. Select Finish.

3. Complete the FTD setup using CLI

3.1 Open the VMware console and log in with default credentials: admin/Admin123, press Enter to display EULA. press Enter to accept EULA.

3.2 Enter new admin password.

3.3 Configure network


Do you want to configure IPv4: y

Do you want to configure IPv6: n

Configure IPv4 via DHCP or manually: manual

Enter IPv4 address for the management interface:

Enter IPv4 netmask for the management interface:

Enter the IPv4 default gateway for the management interface:

Enter a fully qualified hostname for this system: ftd1

Enter a fully comma-separated list of DNS servers or ‘none’:,

Manage the device localy? yes



for managing the device locally with Firepower Device Manager (included in FTD system) choose  – yes

for managing remotely with Firepower Management Center (additional standalone product) choose – no and go directly to Step 6. – Remotely managed FTD with FMC

3.4 Initial configuration successfully performed.

4. Basic Firepower Device Manager configuration

4.1 Log in to FDM with your account.

4.2 Configure Outside Interface


Configure IPv4: Manually input

IPv4 Address:

Network Mask:



Select Next.

4.3 Configure Time Setting. Select Next.

4.4 Choose license model or continue with evaluation period. Choose Performance Tier. Select Finish.


more about FTD Performance Tiers.

4.5 Choose “Standalone Device” unless you want manage the device from cloud. Select Got it. 

4.6 Select “View All Interfaces”

4.7 Select edit button on GigabitEthernet0/1 (inside interface)

4.8 Configure inside network interface.


IP Address:



Disable DHCP Server (unless you want to use DHCP Service on the FTD), Select Delete.

Are you sure you want to delete this DHCP Server? Select Ok.

Acknowledge interface configuration, Select Ok.

5. Basic Policy configuration

5.1 Select “Policies” Tab – Access Control.


configure Policy according to your needs. (In this example Default Rule with Action “Allow”)



Trust – Allow traffic without further inspection of any kind.

Allow – Allow the traffic subject to the intrusion and other inspection settings in the policy.

Block – Drop the traffic unconditionally. The traffic is not inspected.


more about Configuring the Access Control Policy

5.2 Deploy pending changes. Select Deploy. Select Deploy now

At this point we have functional locally managed Cisco Firepower Threat Defense with basic configuration already processing the traffic and ready for advanced configuration in FDM – Firepower Device Manager.


Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager

6. Remotely managed FTD with FMC

If you chose in Step 3.3 “Manage the device locally? (yes/no):” no then continue with this chapter to register FTD Appliance with FMC Appliance.

6.1 Manage the device locally? (yes/no): no

6.2 Configure firewall mode. Enter routed.

6.3 Configure Registration Key for the FMC


configure manager add MyRegistrationKey

6.4 Log in to your FMC and Select Devices – Device Management.



If you are using Evaluation License then in popup window select “Start 90-day evaluation period without registration.”

6.5 Select Add – Device.

6.6 Add the ftd1 device.



Display Name: ftd1

Registration Key: MyRegistrationKey

Group: None

Performance Tier: FTDv5 – Tiered (Core 4 / 8 GB)

Transfer Pakcets: Checked


Select under Access Control Policy – Create new policy

6.7 Create Policy


Name: ftd1_policy

Default Action: Block all traffic


Select Save. Select Register.

6.8 FTD Appliance “ftd1” is successfully registered to the FMC. Select ftd1 – Edit


more about Configure, Verify and Troubleshoot Firepower Device Registration



Red Exclamation mark will disappear once there is successful Threat Data Updates download from the Cisco Cloud 

6.9 Configure ftd1 Interfaces

6.10 Select Policies – Access Control – edit Policy

FTD Appliance is successfully registered to FMC and we can start with the policy configuration.


more about Configure a Basic Security Policy