Onboard a Threat Defense Virtual Device with Azure VNet
Use this procedure to provision and onboard a threat defense virtual for Azure VNet that is managed by the cloud-delivered Firewall Management Center.
An Azure VNet environment can support only one threat defense virtual. If you intend to onboard multiple devices, you must have a separate Azure VNet for each device.
Before you begin
You must have an Azure VNet instance already onboarded to CDO. See Onboard an Azure VNet Environment for more information.
Procedure
Step 1: Log into CDO.
Step 2: In the navigation pane, click Inventory and click the blue plus button.
Step 3: Click the FTD tile.
Step 4: Under Management Mode, be sure FTD is selected.
Step 5: Click Deploy an FTD to a cloud environment as the onboarding method.
Step 6: (Optional) If you have not already registered your CDO account to an Azure subscription, you can do so now. Click the hyperlink to launch the Azure cloud shell and paste the script that is provided. If you have already registered your account, or if you have just finished executing the script, click Next.
Step 7: Use the drop-down menu to select the Azure VNet that you previously onboarded and click Next.
Step 8: Confirm the following subnet values for the firewall. Optionally, you can change the values manually if valid values are not generated automatically. Click Next.
Step 9: Enter a Device Name. This name is applied to the threat defense virtual in the Inventory page, not to the Azure VNet instance.
Step 10: In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy.
Step 11: Select the licenses you want to apply to the device. You must select at least the Essentials license as the base license for this device. Click Next.
Step 12: Click Complete onboarding. This final step completes the onboarding wizard. It may take up to 20 minutes for the device to fully onboard and synchronize. To monitor the creation process, expand the workflows option of the Azure VNet that is hosting the device.
What to do next
- If you have not already done so, create a custom access control policy to tailor the security of your environment. See Access Control Overview in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.
- Enable Cisco Security Analytics and Logging (SAL) to view events in the CDO dashboard, or register the device to a Secure Firewall Management Center for security analytics. See Cisco Security Analytics and Logging in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.