Tuesday, August 4, 2020

FTDv with FDM on Hyper-V

This article is for those who need a Cisco firewall in their Hyper-V infrastructure that can be managed without the ASDM/Java nightmare and offers Next Generation capabilities for modern day threats. Over the years, Cisco virtual platforms have always been VMware oriented, which is a challenge for companies that already have a Hyper-V infrastructure on their premises. One of these platforms is Firepower Threat Defense Virtual (FTDv), which only recently became supported in Azure (version 6.4.0) and is still unsupported in Hyper-V environments. From version 6.5.0 the integrated Firepower Device Manager (FDM) has been added, which allows for local management of the firewall without the need for an FMC. This article explains how to implement FTDv in Hyper-V by using the VHD file provided for Azure.



For this task you need:

  1. VHD Azure image from the Cisco Support portal or your Cisco Partner
  2. 50 GB of free disk space
  3. 4 vCPUs
  4. 8 GB of free memory

The VM

After downloading the image from Cisco Support, the first step is to decompress it, as it comes in bzip2 format. You can use WinZip, 7-Zip or the official bzip2 tool for decompression. Make a folder in your storage where you want to store the VM and put the VHD file inside that folder.

In order to deploy the VM, we are going to use some PowerShell cmdlets, but you can also follow the normal wizard from Hyper-V Manager if you are more familiar with it. We need to fill in some info before pushing the configuration: the name for the VM, the place where we want it to be stored (-Path), the Generation, and the memory size (-MemoryStartupBytes).


Then we increase the CPU count on the VM.


The Azure VHD image comes with four NICs: Management, Diagnostic 0/0, GE0/0 and GE0/1, where GE0/0 is the outside port and GE0/1 the inside one in the default configuration. To match this configuration, we rename the network card created together with the VM and add a few more.


As the last step, we need to attach the VHD to the newly created VM.


Depending on your environment, you need to attach the NICs to the respective virtual switches and tag any necessary VLANs for management, the inside subnet and the outside.
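Putting the Hyper-V steps above together, here is an added PowerShell example (not code from the original post) that creates the VM, raises the CPU count, names the four adapters, attaches the VHD and tags the VLANs. The VM name, paths, virtual switch names, VLAN IDs and the Generation 1 choice are assumptions for illustration; adjust them to your environment.

```powershell
# Added example: deploy the FTDv Azure VHD as a Hyper-V VM with PowerShell.
# All names, paths, switch names and VLAN IDs below are placeholders (assumed).
#Requires -RunAsAdministrator
$VMName      = "FTDv-01"
$VMPath      = "D:\Hyper-V\FTDv"                   # folder that will hold the VM files
$VhdPath     = Join-Path $VMPath "ftdv-azure.vhd"  # the decompressed Azure VHD
$MgmtSwitch  = "vSwitch-Mgmt"                      # assumed virtual switch names
$DataSwitch  = "vSwitch-Data"
$InsideVlan  = 10                                  # assumed VLAN IDs
$OutsideVlan = 20

# Sanity checks before touching Hyper-V: the VHD must exist and the VM name must be free.
if (-not (Test-Path $VhdPath)) { throw "VHD not found: $VhdPath (decompress the .bz2 first)" }
if (Get-VM -Name $VMName -ErrorAction SilentlyContinue) { throw "VM '$VMName' already exists" }

# 1. Create the VM: Generation 1 (assumed, as the image is a VHD), 8 GB RAM, no disk yet.
New-VM -Name $VMName -Path $VMPath -Generation 1 -MemoryStartupBytes 8GB -NoVHD | Out-Null

# 2. Raise the vCPU count to the 4 vCPUs the article calls for.
Set-VMProcessor -VMName $VMName -Count 4

# 3. Rename the default adapter and add the remaining three so the order matches
#    the Azure image: Management, Diagnostic 0/0, GE0/0 (outside), GE0/1 (inside).
Rename-VMNetworkAdapter -VMName $VMName -Name "Network Adapter" -NewName "Management"
foreach ($nic in "Diagnostic0-0", "GE0-0_Outside", "GE0-1_Inside") {
    Add-VMNetworkAdapter -VMName $VMName -Name $nic
}

# 4. Attach the VHD to the first IDE slot (a Generation 1 VM boots from IDE).
Add-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber 0 `
    -ControllerLocation 0 -Path $VhdPath

# 5. Connect each adapter to its switch and tag the inside/outside VLANs in access mode.
Connect-VMNetworkAdapter -VMName $VMName -Name "Management"    -SwitchName $MgmtSwitch
Connect-VMNetworkAdapter -VMName $VMName -Name "Diagnostic0-0" -SwitchName $MgmtSwitch
Connect-VMNetworkAdapter -VMName $VMName -Name "GE0-0_Outside" -SwitchName $DataSwitch
Connect-VMNetworkAdapter -VMName $VMName -Name "GE0-1_Inside"  -SwitchName $DataSwitch
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName "GE0-0_Outside" -Access -VlanId $OutsideVlan
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName "GE0-1_Inside"  -Access -VlanId $InsideVlan

# Review adapter order and switch bindings before powering on, then start the VM.
Get-VMNetworkAdapter -VMName $VMName | Format-Table Name, SwitchName, MacAddress
Start-VM -Name $VMName
```

Check the adapter order in the output against the Azure image's NIC order before the first boot, since the installer maps Management, Diagnostic 0/0, GE0/0 and GE0/1 by position.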


FTDv Deployment (Fun Part)

The Hyper-V part is now completed, so we fire up the VM and follow the console for the installation. Don't get confused by the ASA boot image name. Even though it's probably an ASA on the back end, it's using the FTD image, so you will get a different CLI and FDM instead of ASDM, which is a big improvement.


You might want to have a cup of coffee after this step, as the process takes some time. The database configuration in particular can easily take 30 minutes or more.



When the process is finally done, you will be presented with the login prompt. The credentials for the first login are admin/Admin123. After login, you are required to change your password, set up the IPv4/IPv6 address for the firewall and select whether you are going to use a local or a remote manager.



In our case we are interested in FDM, the built-in management web interface, so we choose local management.


As the next step, we log in to the management interface from a web browser. After login, you are presented with the Device Setup Wizard, which helps with setting up the outside IP address, time settings and license registration. If you don't have a license at this point, you can use the evaluation period, which is valid for 90 days.



If you would like to test all features, you need to open a case with Cisco Global Licensing and ask for a trial license. Your Cisco Partner can help you with this process. If you work for a Cisco Partner, you can send an e-mail to licensing@cisco.com with the following info:

- Product type is [FTD]
- Sensor type is [Sensor Model]
- Partner Smart Account Domain ID [Domain]
- Partner Smart Account Name [Account Name]
- Partner Smart Virtual Account Name [Smart Acc Name]
- Expected Start Date is [Date]

This should be the last step before you are presented with a fully working firewall. To keep the article short I haven't included screenshots for every step, but feel free to PM me if something is not working for you or you need further details.

Considering that running FTDv on Hyper-V is not officially supported, you might have problems receiving support for issues related to the virtualization platform. However, I have tested different features, NAT, RAVPN, S2SVPN, as well as the security blades, and all work smoothly. Remember that Cisco's support is always customer oriented.


Monday, September 23, 2019

CMNA Certified!



Last week I had the great opportunity of joining the CMNA training in Copenhagen, in what I would say was a hands-on conference. The certification process was quite straightforward and didn't require any advanced networking skills. However, coming from traditional Cisco certifications, I was surprised by the certification technique chosen by Meraki. While most certification exams focus on testing your knowledge and skills in specific topics, Meraki pushed us through a learning process. We had to go through all of the Meraki product portfolio in the presentations section, as well as the implementation of technologies like QoS, SD-WAN, Wireless, Layer 7 firewall, motion detection etc. in the lab section.

Whenever you join conferences or trainings, it's important to understand what you take with you at the end of the day. My thoughts about Meraki and the hands-on conference are:

- Simplicity is the key in all Meraki solutions. You can take a bunch of sales people, tech nerds and students in a room and have them deploy a multi-branch environment good enough for most companies in DK.

- What's simple doesn't have to be limited. Meraki has always embedded technologies only after introducing the highest level of abstraction, as close to human nature as possible. Despite our mixed technical skills, or lack of them, we were all able to implement a broad range of technologies which would require days to understand and implement in the old traditional Cisco environment.

- A conference doesn't have to be boring and a training/certification doesn't have to be complicated. If the best of both worlds is mixed: well-prepared presentation sessions and simplified lab experiences, the process itself will provide the best experience for the participants, and the most productive results for the presenting company.