11-21-2022 06:51 PM
Hello Experts,
I am trying to deploy NGFWv with Azure Gateway Loadbalancer.
https://blogs.cisco.com/security/scale-security-on-the-fly-in-microsoft-azure-cloud-with-cisco-secure-firewall
Azure Gateway Loadbalancer needs two VXLAN tunnels, one for external(Internet) and one for internal(VM workloads).
But in NGFWv, only one VTEP can be configured.
Has anyone configured NGFWv with Azure Gateway Loadbalancer?
I googled for some examples or a configuration guide but couldn't find any information.
Kind regards,
12-05-2022 10:49 AM
Hello,
This is the configuration guide for the load balancer: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-azure-gsg.html
I have not tested this in the lab, but I have checked this internally. The minimum version for this feature is 7.2. However, VNI for FTD in Azure will be supported only from 7.3 and above. So basically you cannot do VXLAN with the gateway load balancer until version 7.3. There have been some errors around it and it might be a good idea to wait for version 7.3.
You can still try following the above guide and also this reference video for AWS (similar config for Azure as well): https://www.youtube.com/watch?v=EuXrVc2hpNk
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
Regards
Divya Jain
12-06-2022 01:52 AM
Thank you.
I checked the release notes of 7.3 (released on Nov 29!!) and found it listed as a new feature.
Cisco Secure Firewall Threat Defense Release Notes, Version 7.3 - Features and Functionality [Cisco Secure Firewall Threat Defense] - Cisco
Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer.