| VPC/VNet |
You can select an existing Service VPC/VNet from the drop-down list or click + Create SVPC to create a new one. After creation and activation, the wizard auto-populates the related network fields. This step can take up to three to four minutes. |
| Resource Group |
Select the resource group that owns the deployment resources. |
| Mgmt. Security Group |
Select the security group to associate with the management interface. |
| Datapath Security Group 1 |
Select the security group to associate with the datapath 1 interface. |
| Datapath Security Group 2 |
Select the security group to associate with the datapath 2 interface. |
| Availability Zone |
(Optional) Select the specific availability zone within a cloud region where a particular FTDv gateway instance is deployed. Click + Add Availability Zone to add a new availability zone. |
| Management Subnet |
(Optional) Select the subnet for the management interface in the selected availability zone. |
| Datapath Subnet 1 |
(Optional) Select the subnet for the primary datapath interface in the selected availability zone. |
| Datapath Subnet 2 |
(Optional) Select the subnet for the secondary datapath interface. |
| Cisco Secure Firewall Threat Defense Virtual |
| License Model |
Select the licensing model for the deployment: Smart Licensing or Gateway Hours. |
| Smart Licensing/Gateway Hours |
| Software Version |
Select the FTDv release to deploy. |
| Admin Password |
Enter the Admin password. It must be between 12 and 72 characters in length and include uppercase and lowercase letters, numeric digits, and special characters, excluding the backslash (\) and hyphen (-) characters. The password cannot contain more than two identical or sequential characters in a row (such as 'aaa' or '123'). |
| Policy Ruleset |
Select the FMC policy to attach to the FTDv deployment. |
| Performance Tier |
(Smart Licensing only) Expand the drop-down menu and select the appropriate performance tier for your device. FTDv50 is selected by default. |
| License Types |
(Smart Licensing only) Expand the drop-down menu and select the appropriate license type that you have purchased or will purchase in the future. The Base license is auto-selected. For more information about different licensing types, refer to Licensing. If you want to enable malware defense features, you must also have the THREAT license active. The THREAT license is required to support the MALWARE license functionalities. |
| Gateway Configuration |
| Instance Type |
Select the VM size used for the gateway instances. |
| Minimum Instances |
(Optional) Enter the minimum number of instances that you plan to deploy. This must be at least 1. |
| Maximum Instances |
(Optional) Enter the maximum number of instances that you plan to deploy. This is the maximum number that is used for auto-scaling in each availability zone. This number must be greater than or equal to the minimum number of instances. |
| Health Check Port |
(Optional) Enter the port number that the load balancer uses to check instance health. Datapath security groups assigned to the instance(s) must allow traffic on this port. The default port is 65534, and the valid range is from 1 to 65535. |
| Azure Configuration |
| Key Selection |
You can either provide an SSH Public Key directly or select an existing SSH Key Pair from the drop-down list. |
| Disk Encryption |
Select either a provider-managed encryption key or a customer-managed key (CMK). If using a CMK, provide the Disk Encryption Set ID. |
| Advanced Settings |
| Disable Public IP |
Check the Disable Public IP check box. Disabling public IP addresses reduces the exposure of your network to external threats. Private IP addresses help protect against unauthorized access and potential attacks, and provide better control over internal traffic. This setting applies only when using NAT-based service and only for data interfaces. |
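
The Admin Password rules in the table above can be checked before a value is entered in the wizard or handed to automation. The following Python is an added example, not Cisco code; the set of accepted special characters, rejecting backslash and hyphen anywhere in the password, case-insensitive matching, and treating descending runs such as '321' as sequential are assumptions that the page does not spell out.

```python
import string

# Assumption: the page does not list the accepted special characters, so ASCII
# punctuation is used, minus the backslash and hyphen that the page excludes.
SPECIALS = set(string.punctuation) - {"\\", "-"}


def _has_run(pw, step, length=3):
    """True if pw holds `length` adjacent characters spaced `step` code points apart."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        # Sequences count only within digits or within letters; repeats (step 0) count for any character.
        same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
        if ord(cur) - ord(prev) == step and (step == 0 or same_class):
            run += 1
            if run >= length:
                return True
        else:
            run = 1
    return False


def check_admin_password(pw):
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if not 12 <= len(pw) <= 72:
        problems.append("length must be 12-72 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if "\\" in pw or "-" in pw:  # assumption: excluded characters are rejected outright
        problems.append("backslash and hyphen are not allowed")
    folded = pw.lower()  # assumption: 'aAa' and 'aBc' count like 'aaa' and 'abc'
    if _has_run(folded, 0):
        problems.append("three or more identical characters in a row")
    if _has_run(folded, 1) or _has_run(folded, -1):  # assumption: '321' counts like '123'
        problems.append("three or more sequential characters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("Tr9!kVw3#Lq8Zm", "Xy7$123Qw2&Lp9", "Short1!a"):
        print(sample, "->", check_admin_password(sample) or "OK")
```

Because the assumptions are stricter than the page's wording, a password that passes this check satisfies every rule the page states, while some passwords it rejects may still be accepted by the product.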