Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv)

TDv Autoscaling

This repository provides resources to bring up the TDv (Threat Defense Virtual) Auto Scale solution.

Some of the key features of the TDv Auto Scale include:

  • Complete serverless implementation!
  • Completely automated TDv instance registration and de-registration with FMC.
  • NAT policy, Access Policy, IP and Routes are automatically applied to scaled-out TDv instances.
  • Support for Enabling / Disabling Auto Scaling feature.

Threat Defense Virtual Cluster

  • Clustering lets you group multiple threat defense units together as a single logical device.
  • A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

AWS GuardDuty Integration with Cisco Secure Firewall

This solution makes use of the threat analysis results from Amazon GuardDuty (malicious IPs generating threats, attacks, etc.) and feeds that information (the malicious IPs) to the Cisco Secure Firewall Threat Defense Virtual via its managers, Cisco Secure Firewall Management Center Virtual or Cisco Secure Firewall Device Manager, to protect the underlying network and applications against future threats originating from those sources.
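The first half of the flow described above (GuardDuty finding in, deduplicated list of remote IPs out, ready to become block objects on the manager) as an added Python example; it is not code from this repository. It assumes the EventBridge lowercase-camelCase finding shape, the sample findings are constructed with RFC 5737 documentation addresses, and the severity threshold is an assumption.

```python
import ipaddress

# Constructed sample findings in the EventBridge (lowercase camelCase) shape;
# addresses are from the RFC 5737 documentation ranges, not real indicators.
SAMPLE_FINDINGS = [
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
     "service": {"action": {"actionType": "NETWORK_CONNECTION",
                            "networkConnectionAction": {"remoteIpDetails": {
                                "ipAddressV4": "198.51.100.23"}}}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "service": {"action": {"actionType": "PORT_PROBE",
                            "portProbeAction": {"portProbeDetails": [
                                {"remoteIpDetails": {"ipAddressV4": "203.0.113.7"}},
                                {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                                {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}}]}}}},
    {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
     "service": {"action": {"actionType": "DNS_REQUEST",
                            "dnsRequestAction": {"domain": "example.invalid"}}}},
]

# Never push these ranges to the firewall: its inside and management networks live here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]

def remote_ips(finding):
    """Yield each remote IPv4 the finding attributes the activity to."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        yield action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    elif kind == "PORT_PROBE":
        for probe in action["portProbeAction"]["portProbeDetails"]:
            yield probe["remoteIpDetails"]["ipAddressV4"]
    # DNS_REQUEST and AWS_API_CALL findings name no network peer to block.

def malicious_ips(findings, min_severity=4.0):
    """Deduplicated, sorted list of blockable IPs from findings at or above min_severity."""
    out = set()
    for f in findings:
        if float(f.get("severity", 0)) < min_severity:
            continue
        for raw in remote_ips(f):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed field: skip rather than block garbage
            if ip.version == 4 and not any(ip in net for net in NON_ROUTABLE):
                out.add(str(ip))
    return sorted(out, key=ipaddress.ip_address)
```

The private-range filter matters because GuardDuty also reports peers inside the VPC, and pushing those to the firewall would block the application's own hosts.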

Cloud Deployment Templates

This provides a set of templates for deployment of NGFWv in public clouds.

Azure Templates

Azure Resource Manager (ARM) templates to deploy Cisco's NGFWv/FTDv and FMCv in the Azure public cloud using a custom image.

Azure Resource Manager Templates

Azure Resource Manager templates are JSON files that contain resource descriptions and parameter definitions.

  • Template file: This is the main resources file that deploys all the components within the resource group.
  • Parameter file: This file includes the parameters required to successfully deploy the FTDv.

Openstack Templates

This contains heat template files to deploy the Secure Firewall Threat Defense Virtual (TDv) and Secure Firewall Management Center Virtual (MCv) in an OpenStack environment.

Use Case

Auto Scale Solution for FTDv on AWS

Cisco provides CloudFormation Templates and scripts for deploying an auto-scaling group of FTDv firewalls using several AWS services, including Lambda, auto scaling groups, Elastic Load Balancing (ELB), Amazon S3 Buckets, SNS, and CloudWatch. FTDv Auto Scale in AWS is a complete serverless implementation (i.e. no helper VMs involved in the automation of this feature) that adds horizontal auto scaling capability to FTDv instances in the AWS environment.

The FTDv Auto Scale solution is a CloudFormation template-based deployment that provides:

  • Completely automated FTDv instance registration and de-registration with the FMC
  • NAT policy, Access Policy, and Routes automatically applied to scaled-out FTDv instances
  • Support for Load Balancers and multi-availability zones.

Auto Scale Use Case

The use case for this FTDv AWS Auto Scale solution is shown in the figure below. Because the AWS Load Balancer allows only inbound-initiated connections, only externally generated traffic is allowed to pass inside via the Cisco FTDv firewall.

Autoscale Use Case Diagram

The Internet-facing Load Balancer will have a DNS name, and 0 to 4 ports can be kept open. Of those ports, 0 to 2 can be unsecured ports such as HTTP/80, and 0 to 2 can be secured ports such as HTTPS/443.

Note: Secured ports need an SSL/TLS certificate, as described in SSL Server Certificate, on page 7 in the Prerequisites.

The Internet-facing load balancer can be a Network Load Balancer or an Application Load Balancer. All of the AWS requirements and conditions hold true for either case. As indicated in the Use Case diagram, the right side of the dotted line is deployed via the FTDv templates. The left side is completely user-defined.

Note: Application-initiated outbound traffic will not go through the FTDv.
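A pre-deployment check for the listener limits stated above (0 to 4 open ports, at most 2 unsecured and at most 2 secured, every secured port carrying a certificate), written as an added Python example rather than taken from the Cisco templates. The listener dictionary shape, the TCP/TLS mapping for a Network Load Balancer and the certificate ARN in the sample are assumptions.

```python
import re

# Limits stated for the Internet-facing load balancer: 0 to 4 open ports,
# at most 2 unsecured (e.g. HTTP/80) and at most 2 secured (e.g. HTTPS/443),
# and every secured port needs an SSL/TLS certificate.
MAX_PORTS, MAX_PER_CLASS = 4, 2
SECURED = {"HTTPS", "TLS"}      # ALB HTTPS listener or NLB TLS listener
UNSECURED = {"HTTP", "TCP"}     # ALB HTTP listener or NLB TCP listener
CERT_ARN = re.compile(r"^arn:aws:(acm|iam):")  # ACM or IAM server-certificate ARN

# Constructed example: one HTTP and one HTTPS listener; the ARN is a placeholder.
SAMPLE_LISTENERS = [
    {"protocol": "HTTP", "port": 80},
    {"protocol": "HTTPS", "port": 443,
     "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"},
]

def check_listeners(listeners):
    """Return a list of problems; an empty list means the set is deployable."""
    problems = []
    if len(listeners) > MAX_PORTS:
        problems.append(f"{len(listeners)} ports open, limit is {MAX_PORTS}")
    seen, counts = set(), {"secured": 0, "unsecured": 0}
    for l in listeners:
        proto, port = l.get("protocol", "").upper(), l.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"invalid port {port!r}")
            continue
        if port in seen:
            problems.append(f"port {port} listed twice")
        seen.add(port)
        if proto in SECURED:
            counts["secured"] += 1
            if not CERT_ARN.match(l.get("certificate_arn") or ""):
                problems.append(f"{proto}/{port} has no SSL/TLS certificate")
        elif proto in UNSECURED:
            counts["unsecured"] += 1
        else:
            problems.append(f"{proto or '?'}/{port}: unknown protocol")
    for cls, n in counts.items():
        if n > MAX_PER_CLASS:
            problems.append(f"{n} {cls} ports, limit is {MAX_PER_CLASS}")
    return problems
```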

FTDv Auto Scaling for AWS

Auto Scale Solution for FTDv on Azure

FTDv Auto Scale for Azure is a complete serverless implementation which makes use of serverless infrastructure provided by Azure (Logic App, Azure Functions, Load Balancers, Security Groups, Virtual Machine Scale Set, etc.).

Some of the key features of the FTDv Auto Scale for Azure implementation include:

  • Completely automated FTDv instance registration and deregistration with the FMC.
  • NAT policy, Access policy, and Routes automatically applied to scaled-out FTDv instances.
  • Support for standard Load Balancers.
  • Supports FTDv deployment in multi-availability zones.
  • Support for enabling and disabling the Auto Scale feature.
  • Azure Resource Manager (ARM) template-based deployment.
  • Works only with FMC; the Firepower Device Manager is not supported.
  • Support to deploy the FTDv with PAYG or BYOL licensing mode. PAYG is applicable only for FTDv software version 6.5 and onwards.
  • Cisco provides an Auto Scale for Azure deployment package to facilitate the deployment.

Auto Scale Use Case (Azure)

The FTDv Auto Scale for Azure is an automated horizontal scaling solution that positions an FTDv scale set sandwiched between an Azure Internal load balancer (ILB) and an Azure External load balancer (ELB), as shown in the Azure Autoscale diagram.

  • The ELB distributes traffic from the Internet to FTDv instances in the scale set; the firewall then forwards traffic to the application.
  • The ILB distributes outbound Internet traffic from an application to FTDv instances in the scale set; the firewall then forwards traffic to the Internet.
  • A network packet will never pass through both (internal and external) load balancers in a single connection.
  • The number of FTDv instances in the scale set will be scaled and configured automatically based on load conditions.

FTDv Auto Scaling for Azure

Deployment Templates
