Solved: Cisco FTD-Virtual

TheGoob · ‎02-20-2025

Hi, not sure if this is the correct forum but I had a question.

I was dabbling with the idea of going FTD-V but was curious about it's limitations. Am I restricted to having 4 Ports only, or can I pass through 2 NIC's, 1 2 Port for WAN and then Maintenance and then a 4 Port 10G [So, 4 10G] NIC for LAN, each port it's own Network, but residing on 10G.

So, #1 will the FTP-V support 10G throughput and #2 can I have this many Ports?

balaji.bandi · ‎02-21-2025

As far as I know, you can have 10 Interfaces, but initially, 4 Interfaces, as per my reading when I was looking. (I do not have the right document in hand; I am sure it was captured in the installation document 7. X onwards)

If you offer dedicated interfaces on the ESXi side, I see no issue with adding a 10GB interface.

Make sure you use the proper interface attached to the virtual deployment.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Sheraz.Salim · ‎02-21-2025

The Cisco Firepower Threat Defense Virtual (FTDv) supports 10G throughput with the appropriate license tier and hardware resources. The FTDv50 and FTDv100 tiers can achieve 10 Gbps and 15.5 Gbps throughput respectively, given sufficient vCPU and memory allocationHere . Regarding the number of ports, FTDv is not inherently limited to 4 ports. The number of network interfaces you can configure depends on the hypervisor and available resources, potentially allowing for the desired configuration of 2 ports for WAN and maintenance, and 4 ports for 10G LAN1 Here and Here . However, it's crucial to note that at least four interfaces must be assigned during initial configuration(1xMgmt,1xInside,1xOutside,1xDMZ)

please do not forget to rate.

View solution in original post

liviu.gheorghe · ‎02-21-2025

The FTDv, according to Cisco documentation, can support a throughput of up to 10Gbps - Table 2: https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html

The threat defense virtual deploys with 10 interfaces, and must be powered up at firstboot with at least 4 interfaces. Take a look at this guide for more details: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107352

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

View solution in original post

balaji.bandi · ‎02-21-2025

As far as I know, you can have 10 Interfaces, but initially, 4 Interfaces, as per my reading when I was looking. (I do not have the right document in hand; I am sure it was captured in the installation document 7. X onwards)

If you offer dedicated interfaces on the ESXi side, I see no issue with adding a 10GB interface.

Make sure you use the proper interface attached to the virtual deployment.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sheraz.Salim · ‎02-21-2025

The Cisco Firepower Threat Defense Virtual (FTDv) supports 10G throughput with the appropriate license tier and hardware resources. The FTDv50 and FTDv100 tiers can achieve 10 Gbps and 15.5 Gbps throughput respectively, given sufficient vCPU and memory allocationHere . Regarding the number of ports, FTDv is not inherently limited to 4 ports. The number of network interfaces you can configure depends on the hypervisor and available resources, potentially allowing for the desired configuration of 2 ports for WAN and maintenance, and 4 ports for 10G LAN1 Here and Here . However, it's crucial to note that at least four interfaces must be assigned during initial configuration(1xMgmt,1xInside,1xOutside,1xDMZ)

please do not forget to rate.

liviu.gheorghe · ‎02-21-2025

The FTDv, according to Cisco documentation, can support a throughput of up to 10Gbps - Table 2: https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/threat-defense-virtual-ngfwv-ds.html

The threat defense virtual deploys with 10 interfaces, and must be powered up at firstboot with at least 4 interfaces. Take a look at this guide for more details: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107352

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎02-21-2025

WoW, Wonderful answers, I thank you.

TheGoob · ‎03-02-2025

Does anyone know offhand if let’s say I have 4 Interfaces dedicated to the FTDV VM and all works well, but wanna replace Interface 7/8 (Same physical interface) can I swap it out or will it cause any issues? They will most assuredly be different drivers as it would be a newer card.

liviu.gheorghe · ‎03-02-2025

It would not impact anything in my opinion - you are working with a FTDv VM and all it will see is what the hypervisor will present to it - a E1000 interface cards for example. As long as you configure/assign the new cards in the same way as the old ones, nothing should change for the FTDv VM.

One of the functions of a hypervisor is to abstract physical hardware which in this case helps minimize the impact of the change in hardware.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎03-08-2025

Well I must have something wrong as I added 9 Interfaces [all same hardware type] to the VM... 1-3 management, reserved and outside, 4-9 'inside' Interfaces but only 7 show up on the FTD.

Now it is a 6.4.x FTD-V so maybe issues with that, but then I would assume none of the interfaces would show up, not 7 of 9

liviu.gheorghe · ‎03-09-2025

If you read this guide https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-vmware-gsg.html#id_107352 the chapter Adding Interfaces states:

Adding Interfaces

You can have a total of 10 interfaces (1 management, 1 reserved for internal use, 8 data interfaces) when you deploy a threat defense virtual device. For data interfaces, make sure that the Source Networks map to the correct Destination Networks, and that each data interface maps to a unique subnet or VLAN.

Caution

You cannot add more virtual interfaces to the virtual machine and then have the threat defense virtual automatically recognize them. Adding interfaces to a virtual machine requires that you completely wipe out the threat defense virtual configuration. The only part of the configuration that remains intact is the management address and gateway settings.

If you need more physical-interface equivalents for a threat defense virtual device, you basically have to start over. You can either deploy a new virtual machine, or you can use the "Scan for Interface Changes, and Migrate an Interface" procedure in the Cisco Secure Firewall Device Manager Configuration Guide.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob · ‎03-09-2025

Hey there alright I will look into that. Ty

TheGoob · ‎03-09-2025

On a fresh install, it only sees 7 of the 9 Interfaces... Off a fresh install. All physical NIC's are the same and all are using the same VM driver.. That really is no biggie but it seems this -V is more advanced as there are no vlan configurations under Interfaces. It probably is something not for me at this stage.

I suppose instead of vlans I could just make routed interfaces w/ dhcp but what gets me is the missing Interface[s] as now I am NOT confident of which ones are actually being utilized.

balaji.bandi · ‎03-09-2025

I'm not sure about the version you mentioned already. I run FTD 7.X on my virtual environment, and I can see 9 interfaces (8 and 1 mgmt).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help