
Jan 17
Cisco Cloud-Delivered Firewall Management Center
Posted by Trevor Butler

Starting with Firepower Threat Defense (FTD) 7.2, Cisco added the ability to manage these firewalls from a Cisco-hosted Cloud-Delivered Firewall Management Center (cdFMC). I recently had a project setting up cdFMC for the first time, so I figured I would go over what I learned and show how to access cdFMC, how to import policies, and how to register your first Firepower firewall.

Accessing cdFMC

cdFMC is not a standalone cloud product like some of Cisco's other cloud offerings; it is a module within Cisco Defense Orchestrator (CDO). The first thing you will need is an account in CDO. Once in CDO, if your organization doesn't have cdFMC enabled, you have to request it from Cisco. As with anything Cisco, there is a license that must be purchased and placed in your Smart Account before Cisco will spin up the cdFMC.

To deploy the cdFMC, go to Inventory and click the + button in the upper right corner. This brings up the onboarding screen, which is how you onboard any of the devices that CDO manages. Click FTD; if you don't have cdFMC yet, this is where you request one, which starts the backend provisioning process.

Once the cdFMC is provisioned, access it under Tools & Services > Firewall Management Center. This page shows the running cdFMC instance.

Click the running instance and a menu appears on the right-hand side. Anyone familiar with the on-premises version of FMC will recognize the menu options as the top-level options in the FMC header. Click any of them and you are launched into the familiar FMC GUI.

At this point the process to configure cdFMC is no different from configuring the on-premises FMC. I like to start by linking the Smart Account to cdFMC so that firewall licenses can be consumed correctly. Note that while the licenses for cdFMC differ from those for on-premises FMC, the licenses for the Firepower firewalls themselves (Base, Threat, Malware, URL Filtering, and RA VPN) are exactly the same. This matters if you are migrating from on-premises FMC to cdFMC: the only new license needed is the one for cdFMC, and you can keep using your existing licenses for the firewalls you are migrating over.

Migrating policy between FMC and cdFMC

As part of my project deploying cdFMC, I had to migrate some of the policies from the customer's on-premises FMC to their new cdFMC. In preparation for this deployment we upgraded the existing FMC to 7.2; however, when we deployed the cdFMC it was deployed using version 7.3. This meant that we could not use the import/export tool built into the on-premises FMC, as they are not backwards compatible. The lesson learned: I would have first deployed cdFMC, figured out which version was deployed, and then upgraded the on-premises FMC to that version so that I could use the import/export tool.

Ultimately the policy was simple enough that I just recreated it, but for larger, more complex policies, going through the upgrade process to get the old FMC and cdFMC onto the same version is worth the hassle.
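A pre-flight check for the version problem described above, as an added example that is not part of the original post or Cisco's own tooling. It reads each manager's version over the FMC REST API (the documented /api/fmc_platform/v1/info/serverversion endpoint, with the usual generatetoken login for the on-premises FMC) and only approves the export/import plan when both managers run the same release, telling you which side to upgrade otherwise. Reaching the cdFMC API through the CDO tenant URL with a CDO API token as a bearer token is an assumption; check your tenant's API documentation. The version strings in the main block are constructed to match the 7.2 versus 7.3 mismatch from the post, so the check runs offline.

```python
"""Pre-flight version check before using the FMC import/export tool.

Added example for this post (not Cisco's code). Both managers must run the
same major.minor.maintenance release before an export from one is imported
into the other; this script fetches the versions and says what to do.
"""
import base64
import json
import re
import ssl
import urllib.request

# FMC reports versions like "7.2.5 (build 208)" or "7.3.1.1 (build 83)".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(build\s+(\d+)\))?"
)


def parse_version(server_version: str) -> tuple:
    """'7.2.5 (build 208)' -> (7, 2, 5, 0, 208); missing patch/build become 0."""
    m = _VERSION_RE.match(server_version)
    if not m:
        raise ValueError(f"unrecognised FMC version string: {server_version!r}")
    major, minor, maint, patch, build = m.groups()
    return (int(major), int(minor), int(maint), int(patch or 0), int(build or 0))


def release(version: tuple) -> tuple:
    """major.minor.maintenance, the part that must match for import/export."""
    return version[:3]


def _fmt(rel: tuple) -> str:
    return ".".join(str(n) for n in rel)


def import_export_compatible(source: str, destination: str) -> bool:
    """True when an export from `source` can be imported into `destination`."""
    return release(parse_version(source)) == release(parse_version(destination))


def migration_advice(on_prem_version: str, cdfmc_version: str) -> str:
    """Decide whether to export now, upgrade first, or recreate policy by hand."""
    src = release(parse_version(on_prem_version))
    dst = release(parse_version(cdfmc_version))
    if src == dst:
        return f"ok: both managers run {_fmt(src)}, use the import/export tool"
    if src < dst:
        return (f"upgrade the on-premises FMC from {_fmt(src)} to {_fmt(dst)} "
                "before exporting")
    return (f"on-premises FMC {_fmt(src)} is newer than cdFMC {_fmt(dst)}; "
            "do not export, recreate the policy on cdFMC instead")


def _get_json(url: str, headers: dict, context: ssl.SSLContext) -> dict:
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=30, context=context) as resp:
        return json.load(resp)


def fmc_server_version(base_url: str, username: str, password: str,
                       verify_tls: bool = True) -> str:
    """On-premises FMC: basic-auth token request, then the serverversion endpoint."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab FMC that still has a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/fmc_platform/v1/auth/generatetoken",
        headers={"Authorization": f"Basic {creds}"}, method="POST")
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        token = resp.headers["X-auth-access-token"]
    data = _get_json(f"{base_url}/api/fmc_platform/v1/info/serverversion",
                     {"X-auth-access-token": token}, ctx)
    return data["items"][0]["serverVersion"]


def cdfmc_server_version(cdo_base_url: str, cdo_api_token: str) -> str:
    """cdFMC: same endpoint reached through the CDO tenant URL with a CDO API
    token as a bearer token (assumption; verify against your tenant's API docs)."""
    data = _get_json(f"{cdo_base_url}/api/fmc_platform/v1/info/serverversion",
                     {"Authorization": f"Bearer {cdo_api_token}"},
                     ssl.create_default_context())
    return data["items"][0]["serverVersion"]


if __name__ == "__main__":
    # Constructed sample versions matching the post's 7.2 vs 7.3 mismatch so the
    # check runs offline; replace with fmc_server_version()/cdfmc_server_version().
    print(migration_advice("7.2.5 (build 208)", "7.3.1 (build 83)"))
```

Run it against the live managers before scheduling the export window; if the advice says to upgrade, do the on-premises upgrade first and rerun the check, since cdFMC may have moved on again by the time the upgrade is done.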

Deploying a firewall

Now that we have the cdFMC deployed and policies written, it's time to register our first firewall. Registering a firewall with cdFMC is surprisingly similar to registering one with the on-premises version. The main difference is that you don't register the device with cdFMC directly, but through CDO.

Similar to creating the cdFMC instance, on the Inventory page click the + in the upper right-hand corner and choose the FTD option. This time you are presented with a few onboarding options.

You can either onboard a firewall using a CLI registration key, just as you would with an on-premises FMC, or use serial numbers for a zero-touch deployment. For this project we used CLI registration, so I will talk about this method.

Once the deployment option is chosen, the next page is where you add the device details. First name the firewall, then add the policy assignment (this is why I like to create policy before registering devices), and finally add the subscription licenses for the firewall.

Finally, once you hit Next you are presented with a registration command. Those familiar with registering an FTD to an on-premises FMC will recognize it, with a twist. The on-premises form is "configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} regkey [nat_id]"; the CDO form points the device at your company's CDO tenant registration hostname instead, followed by the two keys CDO generates (they occupy the regkey and nat_id positions), followed by the CDO hostname again. Those two keys are the shared secrets that authenticate the device to the manager during registration, so treat the generated command like a credential rather than pasting it into tickets or chat.

Because CDO / cdFMC uses the same registration mechanism for FTD firewalls, the same command used to move the sftunnel (manager) connection from the management interface to a data interface (configure network management-data-interface, available since FTD 6.7) also works here. For standalone firewalls, putting the manager connection on the outside interface solves the chicken-and-egg situation where, to reach the internet, you need to pass through the firewall you are configuring. With the sftunnel on the outside interface you only need basic IP information, rather than full NAT policies that will be overwritten when the device joins cdFMC.

Once the command is entered in the CLI, the device appears on the Inventory page of CDO. Note that you can preconfigure devices in CDO and, when you are ready to run the CLI command, come back here, select the firewall, and the registration key is displayed on the right-hand side.

Once registered, the device is automatically added as a device in the cdFMC page. Configure it just as you would on the on-premises FMC.

Hopefully this post helps you understand the different components of a cdFMC deployment and how similar, yet different, it is to the on-premises FMC. If you have any questions, or would like to have Lookingpoint set up your new cdFMC, contact us at sales@lookingpoint.com

Written By:

Trevor Butler, Network Architect
