This article is for those who need a Cisco firewall in their Hyper-V infrastructure that can be managed without the ASDM/Java nightmare and offers next-generation capabilities against modern-day threats. Over the years, Cisco virtual platforms have always been VMware oriented, which is a challenge for companies that already run a Hyper-V infrastructure on their premises. One of these platforms is Firepower Threat Defense Virtual (FTDv), which only recently became supported in Azure (version 6.4.0) and is still unsupported in Hyper-V environments. From version 6.5.0 the integrated Firepower Device Manager (FDM) has been added, which allows local management of the firewall without the need for FMC. This article explains how to implement FTDv in Hyper-V by using the VHD file provided for Azure.
For this task you need:
- VHD Azure image from the Cisco Support portal or your Cisco Partner
- 50 GB of free disk space
- 4 vCPUs
- 8 GB of free memory
The VM
After downloading the image from Cisco Support, the first step is to decompress it, as it comes in bzip2 format. You can use WinZip, 7-Zip or the official bzip2 tool for decompression. Make a folder on your storage where you want to keep the VM and put the VHD file inside that folder.
To deploy the VM, we are going to use a few PowerShell cmdlets, but you can also follow the normal wizard from Hyper-V Manager if you feel more familiar with it. We need to fill in some information before pushing the configuration: the name for the VM, the place where we want it to be stored (-Path), the Generation, and the memory size (-MemoryStartupBytes).
Then we increase the CPU count on the VM.
The Azure VHD image comes with four NICs, namely Management, Diagnostic 0/0, GE0/0 and GE0/1, where GE0/0 is the outside port and GE0/1 the inside one in the default configuration. To match this layout, we rename the network adapter created together with the VM and add three more.
Depending on your environment, you need to attach the NICs to the respective virtual switches and tag any necessary VLANs for management, the inside subnet and the outside.
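The Hyper-V steps above (decompress, create the VM, raise the CPU count, build the four-NIC layout, attach switches and VLANs) as one complete PowerShell sequence. This is an added example, not the article's own cmdlet listing and not Cisco's code. The VM name, storage folder, image file name, 7-Zip path, virtual switch names and VLAN IDs are assumptions to replace with your own values; Generation 1 is also an assumption (the Azure image is a .vhd, which Generation 2 VMs do not accept).

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example: deploy the FTDv Azure VHD as a Hyper-V VM with the NIC layout
# the article describes (Management, Diagnostic, GE0/0 outside, GE0/1 inside).
# Run on the Hyper-V host. All values below are assumptions for illustration.

$VMName        = 'FTDv-01'                                   # assumed VM name
$VMPath        = 'D:\Hyper-V\FTDv-01'                        # assumed storage folder
$ImageBz2      = 'D:\Downloads\FTDv_AZURE_IMAGE.vhd.bz2'     # placeholder file name
$SevenZip      = 'C:\Program Files\7-Zip\7z.exe'             # assumed 7-Zip path
$MgmtSwitch    = 'vSwitch-Mgmt'                              # assumed switch names
$OutsideSwitch = 'vSwitch-Outside'
$InsideSwitch  = 'vSwitch-Inside'
$MgmtVlan      = 10                                          # assumed VLAN IDs (0 = untagged)
$OutsideVlan   = 0
$InsideVlan    = 20

# 1. Decompress the bzip2 image straight into the VM folder ('e' = extract without paths).
New-Item -ItemType Directory -Path $VMPath -Force | Out-Null
& $SevenZip e $ImageBz2 "-o$VMPath" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
$Vhd = Get-ChildItem -Path $VMPath -Filter '*.vhd' | Select-Object -First 1
if (-not $Vhd) { throw "No .vhd file found in $VMPath after extraction" }

# 2. Create the VM: Generation 1 (assumption, see lead-in), 8 GB RAM as per the
#    requirements list, the extracted VHD as boot disk, one NIC on the management switch.
$VM = New-VM -Name $VMName -Path $VMPath -Generation 1 `
             -MemoryStartupBytes 8GB -VHDPath $Vhd.FullName -SwitchName $MgmtSwitch

# 3. Four vCPUs as per the requirements; fixed memory so the appliance keeps its RAM.
Set-VMProcessor -VM $VM -Count 4
Set-VMMemory    -VM $VM -DynamicMemoryEnabled $false

# 4. Rename the default adapter and add the other three. FTDv assigns interfaces
#    by adapter order, so the adapters must be created in exactly this order.
Rename-VMNetworkAdapter -VM $VM -Name 'Network Adapter' -NewName 'Management'
Add-VMNetworkAdapter -VM $VM -Name 'Diagnostic'    -SwitchName $MgmtSwitch
Add-VMNetworkAdapter -VM $VM -Name 'GE0-0 outside' -SwitchName $OutsideSwitch
Add-VMNetworkAdapter -VM $VM -Name 'GE0-1 inside'  -SwitchName $InsideSwitch

# 5. Access-mode VLAN tag per adapter; 0 means the adapter stays untagged.
$VlanMap = @{
    'Management'    = $MgmtVlan
    'Diagnostic'    = $MgmtVlan
    'GE0-0 outside' = $OutsideVlan
    'GE0-1 inside'  = $InsideVlan
}
foreach ($entry in $VlanMap.GetEnumerator()) {
    $adapter = Get-VMNetworkAdapter -VM $VM -Name $entry.Key
    if ($entry.Value -gt 0) {
        Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Access -VlanId $entry.Value
    } else {
        Set-VMNetworkAdapterVlan -VMNetworkAdapter $adapter -Untagged
    }
}

# 6. Show the adapter order and VLANs before first boot: a wrong order silently
#    swaps which vNIC becomes the outside and which the inside interface.
Get-VMNetworkAdapter -VM $VM |
    Select-Object Name, SwitchName,
        @{ n = 'VLAN'; e = { (Get-VMNetworkAdapterVlan -VMNetworkAdapter $_).AccessVlanId } } |
    Format-Table -AutoSize

Start-VM -VM $VM
```

The adapter listing at the end is worth checking before connecting to the console: the firewall has no way of knowing which virtual switch carries which network, it only sees adapters in order, so an outside adapter that ends up third in the list is exactly the kind of mistake that exposes the inside segment to the wrong side of the policy.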
FTDv Deployment (Fun Part)
The Hyper-V part is now complete, so we power on the VM and follow the installation on the console. Don't get confused by the ASA boot image name. Even though it is probably an ASA on the backend, it boots the FTD image, so you get a different CLI and FDM instead of ASDM, which is a big improvement.
You might want to have a cup of coffee after this step, as the process takes some time. Especially the database configuration can easily take 30 minutes or more.
When the process is finally done, you will be presented with the login prompt. The credentials for the first login are admin/Admin123. After login, you are required to change your password, set up the IPv4/IPv6 address for the firewall and choose whether you are going to use a local or a remote manager.
Next, we need to log in to the management interface from a web browser. After login, you are presented with the Device Setup Wizard, which helps with setting up the outside IP address, time settings and license registration. If you don't have a license at this point, you can use the evaluation period, which is valid for 90 days.
If you would like to test all features, you need to open a case with Cisco Global Licensing and ask for a trial license. Your Cisco Partner can help you with this process. If you work for a Cisco Partner, you can send an e-mail to licensing@cisco.com with the following info:
- Product type is [FTD]
- Sensor type is [Sensor Model]
- Partner Smart Account Domain ID [Domain]
- Partner Smart Account Name [Account Name]
- Partner Smart Virtual Account Name [Smart Acc Name]
- Expected Start Date is [Date]
This should be the last step, before you are presented with a fully working firewall. To keep the article short I haven't included screenshots for every step, but feel free to PM me if something is not working for you, or you need further details.
Considering that running FTDv on Hyper-V is not officially supported, you might have trouble getting support for issues related to the virtualization platform. However, I have tested different features, NAT, RAVPN, S2SVPN, as well as the security blades, and all work smoothly. Remember that Cisco's support is always customer oriented.