topic Re: Cisco FTD-Virtual in Network Security

Cisco FTD-Virtual

TheGoob — Fri, 21 Feb 2025 01:39:15 GMT

Hi, not sure if this is the correct forum but I had a question.

I was dabbling with the idea of going FTD-V but was curious about it's limitations. Am I restricted to having 4 Ports only, or can I pass through 2 NIC's, 1 2 Port for WAN and then Maintenance and then a 4 Port 10G [So, 4 10G] NIC for LAN, each port it's own Network, but residing on 10G.

So, #1 will the FTP-V support 10G throughput and #2 can I have this many Ports?

Re: Cisco FTD-Virtual

balaji.bandi — Fri, 21 Feb 2025 08:18:56 GMT

As far as I know, you can have 10 Interfaces, but initially, 4 Interfaces, as per my reading when I was looking. (I do not have the right document in hand; I am sure it was captured in the installation document 7. X onwards)

If you offer dedicated interfaces on the ESXi side, I see no issue with adding a 10GB interface.

Make sure you use the proper interface attached to the virtual deployment.

Re: Cisco FTD-Virtual

Sheraz.Salim — Fri, 21 Feb 2025 08:32:04 GMT

The Cisco Firepower Threat Defense Virtual (FTDv) supports 10G throughput with the appropriate license tier and hardware resources. The FTDv50 and FTDv100 tiers can achieve 10 Gbps and 15.5 Gbps throughput respectively, given sufficient vCPU and memory allocationHere . Regarding the number of ports, FTDv is not inherently limited to 4 ports. The number of network interfaces you can configure depends on the hypervisor and available resources, potentially allowing for the desired configuration of 2 ports for WAN and maintenance, and 4 ports for 10G LAN1 Here and Here . However, it's crucial to note that at least four interfaces must be assigned during initial configuration(1xMgmt,1xInside,1xOutside,1xDMZ)

Re: Cisco FTD-Virtual

liviu.gheorghe — Fri, 21 Feb 2025 08:58:34 GMT

The FTDv, according to Cisco documentation, can support a throughput of up to 10Gbps - Table 2: https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html

The threat defense virtual deploys with 10 interfaces, and must be powered up at firstboot with at least 4 interfaces. Take a look at this guide for more details: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107352

HTH

Re: Cisco FTD-Virtual

TheGoob — Fri, 21 Feb 2025 18:58:52 GMT

WoW, Wonderful answers, I thank you.

Re: Cisco FTD-Virtual

TheGoob — Mon, 03 Mar 2025 00:10:57 GMT

Does anyone know offhand if let’s say I have 4 Interfaces dedicated to the FTDV VM and all works well, but wanna replace Interface 7/8 (Same physical interface) can I swap it out or will it cause any issues? They will most assuredly be different drivers as it would be a newer card.

Re: Cisco FTD-Virtual

liviu.gheorghe — Mon, 03 Mar 2025 06:47:10 GMT

It would not impact anything in my opinion - you are working with a FTDv VM and all it will see is what the hypervisor will present to it - a E1000 interface cards for example. As long as you configure/assign the new cards in the same way as the old ones, nothing should change for the FTDv VM.

One of the functions of a hypervisor is to abstract physical hardware which in this case helps minimize the impact of the change in hardware.

Re: Cisco FTD-Virtual

TheGoob — Sun, 09 Mar 2025 03:54:31 GMT

Well I must have something wrong as I added 9 Interfaces [all same hardware type] to the VM... 1-3 management, reserved and outside, 4-9 'inside' Interfaces but only 7 show up on the FTD.

Now it is a 6.4.x FTD-V so maybe issues with that, but then I would assume none of the interfaces would show up, not 7 of 9

Re: Cisco FTD-Virtual

liviu.gheorghe — Sun, 09 Mar 2025 09:50:25 GMT

If you read this guide https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107352 the chapter Adding Interfaces states:

Adding Interfaces

You can have a total of 10 interfaces (1 management, 1 reserved for internal use, 8 data interfaces) when you deploy a threat defense virtual device. For data interfaces, make sure that the Source Networks map to the correct Destination Networks, and that each data interface maps to a unique subnet or VLAN.

Caution

You cannot add more virtual interfaces to the virtual machine and then have the threat defense virtual automatically recognize them. Adding interfaces to a virtual machine requires that you completely wipe out the threat defense virtual configuration. The only part of the configuration that remains intact is the management address and gateway settings.

If you need more physical-interface equivalents for a threat defense virtual device, you basically have to start over. You can either deploy a new virtual machine, or you can use the "Scan for Interface Changes, and Migrate an Interface" procedure in the Cisco Secure Firewall Device Manager Configuration Guide.

Re: Cisco FTD-Virtual

TheGoob — Sun, 09 Mar 2025 13:52:25 GMT

Hey there alright I will look into that. Ty

Re: Cisco FTD-Virtual

TheGoob — Sun, 09 Mar 2025 16:54:52 GMT

On a fresh install, it only sees 7 of the 9 Interfaces... Off a fresh install. All physical NIC's are the same and all are using the same VM driver.. That really is no biggie but it seems this -V is more advanced as there are no vlan configurations under Interfaces. It probably is something not for me at this stage.

I suppose instead of vlans I could just make routed interfaces w/ dhcp but what gets me is the missing Interface[s] as now I am NOT confident of which ones are actually being utilized.

Re: Cisco FTD-Virtual

balaji.bandi — Sun, 09 Mar 2025 19:09:03 GMT

I'm not sure about the version you mentioned already. I run FTD 7.X on my virtual environment, and I can see 9 interfaces (8 and 1 mgmt).