© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 16
White Paper
Cisco Firepower Next-Generation Firewall Virtual (NGFWv) and
Adaptive Security Virtual Appliance (ASAv) in Public Cloud
(Azure and AWS)
Contents
What you will learn .................................................................................................................................................. 4
Deployment modes .................................................................................................................................................. 4
Cisco FMCv and NGFWv in the public cloud ........................................................................................................ 5
Cisco ASAv in the public cloud .............................................................................................................................. 6
Cisco NGFWv and ASAv performance................................................................................................................... 6
Cisco NGFWv and ASAv licensing ......................................................................................................................... 6
ARM template deployment for Cisco NGFWv and ASAv in Azure .................................................................... 13
Cisco NGFWv and ASAv CloudFormation template in AWS ................................................................................ 14
Additional resources ............................................................................................................................................. 15
How Cisco NGFWv delivers the threat protection you need
The Cisco Firepower® Next-Generation Firewall Virtual (NGFWv), also called Firepower Threat Defense Virtual (FTDv), is an
industry-leading intelligent security virtual appliance. It gives you threat protection, real-time contextual awareness,
and full-stack visibility. This highly effective, highly reliable next-generation firewall is available at a low total cost of
ownership. Threat protection can be expanded with optional subscription licenses for Cisco Firepower NGIPS,
Advanced Malware Protection (AMP), and URL Filtering.
Cisco Firepower NGFWv in Amazon Web Services (AWS) or Microsoft Azure must be managed by a Cisco
Firepower Management Center (FMC) residing in AWS or on-premises. The virtual FMC (FMCv) can be deployed on
VMware ESXi, on KVM, and in AWS. Figure 1 shows the various FMC dashboards.
Figure 1. Cisco FMC dashboards for configuring, managing, and checking events
The physical and virtual Cisco Firepower NGFW appliances offer the same threat protection features and
centralized management, so you gain consistent security effectiveness and visibility across physical and
virtual workloads.
Cisco® AMP for Networks protects against sophisticated, targeted, zero-day, and persistent advanced threats. AMP
continuously analyzes files and network traffic for threats that evade your first lines of defense.
Cisco Application Visibility and Control reduces the potential attack surface through granular control of
thousands of applications. It enforces mobile, social, and other acceptable-use policies.
Cisco NGFWv in the cloud also provides advanced stateful firewall and VPN functionality (IPsec VPN and SSL VPN,
including client-based SSL VPN) in one device.
The Cisco Adaptive Security Virtual Appliance (ASAv) is based on the best-selling Cisco Adaptive Security
Appliance (ASA). It runs the same software as physical Cisco ASAs to deliver proven security functionality in a
virtual form factor. Use Cisco ASAv to protect virtual workloads in the public cloud. And use it to deliver site-to-site,
remote-access, and clientless VPN as a service in public cloud deployments. Figure 2 lists the main
ASAv features.
Figure 2. Cisco ASAv features
Cisco ASAv offers a REST API, an HTTP-based interface for managing the appliance, including changing its
security policy and monitoring its status. Through the REST API, the same orchestration tooling can manage
both physical and virtual instances of Cisco ASA.
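The session flow the ASA REST API uses, as an added example that is not part of the white paper or of Cisco's own tooling: one basic-auth POST to /api/tokenservices returns a session token in the X-Auth-Token header, and every later request presents that token instead of the password. The host name, the CA file path and the sample object name and address are assumptions; the endpoint paths and the NetworkObj JSON shape follow the ASA REST API documentation. Setting CURL=echo prints the requests instead of sending them.

```shell
#!/bin/sh
# Added example: token-based session against the Cisco ASAv REST API.
# Assumptions: ASAV_HOST, ASAV_CA (the CA that signed the ASAv's HTTPS cert)
# and the sample object name/address below. CURL=echo turns it into a dry run.

ASAV_HOST="${ASAV_HOST:-asav.example.internal}"
ASAV_CA="${ASAV_CA:-./asav-ca.pem}"
CURL="${CURL:-curl}"

# Common options for every call. The CA bundle is pinned with --cacert; never
# fall back to -k/--insecure on a management path, since the basic-auth
# credentials and the session token would then be exposed to an interposer.
asa_curl() {
    "$CURL" --silent --show-error --fail --cacert "$ASAV_CA" \
        -H 'Content-Type: application/json' "$@"
}

# One POST to /api/tokenservices with the admin credentials; the ASA answers
# with the session token in the X-Auth-Token response header and no body.
asa_login() {   # USER PASSWORD -> prints the token
    asa_curl -u "$1:$2" -X POST --dump-header - -o /dev/null \
        "https://$ASAV_HOST/api/tokenservices" \
    | awk 'tolower($1) == "x-auth-token:" { sub(/\r$/, "", $2); print $2 }'
}

# Every later call presents the token instead of the password.
asa_request() {   # METHOD PATH TOKEN [JSON_BODY]
    if [ -n "${4:-}" ]; then
        asa_curl -X "$1" -H "X-Auth-Token: $3" --data "$4" "https://$ASAV_HOST$2"
    else
        asa_curl -X "$1" -H "X-Auth-Token: $3" "https://$ASAV_HOST$2"
    fi
}

# Body for POST /api/objects/networkobjects. Inputs are validated before they
# are spliced into JSON so a stray quote cannot alter the request.
network_object_json() {   # NAME IPV4 -> JSON on stdout, non-zero on bad input
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,64}$' || return 1
    printf '%s' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '{"kind":"object#NetworkObj","name":"%s","host":{"kind":"IPv4Address","value":"%s"}}' "$1" "$2"
}

# Live usage (needs a reachable ASAv):
#   TOKEN=$(asa_login admin "$ASAV_PASSWORD")
#   asa_request GET  /api/monitoring/serialnumber "$TOKEN"
#   asa_request POST /api/objects/networkobjects  "$TOKEN" "$(network_object_json web1 10.0.3.10)"
#   asa_request DELETE "/api/tokenservices/$TOKEN" "$TOKEN"   # end the session
```

The ASAv ships with a self-signed HTTPS certificate, so the practical choice is to install a certificate from your own CA on the appliance and point ASAV_CA at that CA rather than disabling verification; the login step is the one place the password travels, which is why the token is used everywhere else and deleted when the run is over.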
What you will learn
The industry is moving toward public cloud and hybrid cloud environments. This document covers how you can
combine the cloud's native security with widely proven Cisco virtual appliances (Cisco Firepower NGFWv and
Cisco ASAv) to give a public cloud administrator better protection and visibility.
We cover deployment modes, licensing, use cases, high availability (HA), stateless scale-out design, and the
management of the virtual appliances from on-premises or cloud resources.
Deployment modes
The Cisco NGFW virtual appliance is available in the AWS and Azure marketplaces. In AWS, it can be deployed in
routed or passive mode. Passive mode requires ERSPAN (Encapsulated Remote Switched Port Analyzer) to deliver a
copy of the traffic, and ERSPAN is currently not available in Azure.
In passive mode, NGFWv inspects packets like an Intrusion Detection System (IDS) appliance: it can alert, but no
action can be taken on the packet.
In routed mode, NGFWv is the next hop for workloads. It inspects packets and can also take action on them
based on rule and policy definitions.
Cisco FMCv and NGFWv in the public cloud
Cisco Firepower® Next-Generation Firewall Virtual is available in AWS and Azure and Cisco Firepower
Management Center Virtual is available in AWS.
Figure 3. AWS and Azure instance types for Cisco Firepower Next-Generation Firewall Virtual and Cisco Firepower Management Center
In the AWS Marketplace, we have offerings for Cisco NGFWv (FTDv) and Cisco FMCv. An FMC is required to
manage the NGFWv; you can provision FMCv in AWS or use an on-premises FMC (physical or virtual). Cisco
offers two FMCv models in AWS. Each model can manage up to 25 NGFWv appliances; the larger FMCv instance
has more RAM, so it can handle more events. Cisco NGFWv is supported on the c3.xlarge and c4.xlarge instance
types, which provide the four interfaces the appliance uses.
Cisco ASAv in the public cloud
We offer Cisco ASAv in both AWS and Azure. It can be managed using the CLI, the REST API, Cisco Adaptive
Security Device Manager (ASDM), Cisco Security Manager, or Cisco Defense Orchestrator (see Figure 4).
Figure 4. AWS and Azure instance types for Cisco ASAv
In the AWS Marketplace, we have offerings for Cisco ASAv to provide firewall functionality. Cisco ASAv10 supports
250 VPN endpoints, and Cisco ASAv30 supports 750 VPN endpoints.
Cisco NGFWv and ASAv performance
Cisco NGFWv and ASAv are offered as 1-Gbps virtual appliances in Azure and AWS. Performance varies with the
features enabled on the virtual appliance, for example VPN, NGIPS, URL filtering, and AMP. Refer to the
Cisco NGFW performance estimator:
https://ngfwpe.cisco.com
Cisco NGFWv and ASAv licensing
Cisco NGFWv and ASAv are licensed through Cisco Smart Licensing. Cisco Smart Software Licensing is a new
way of thinking about licensing: it adds flexibility and simplifies licensing across the enterprise.
Smart Software Licensing delivers visibility into your license ownership and consumption, so you know what you
own and how you are using it. It brings more straightforward, standardized offers, license platforms, and policies,
better-informed purchase decisions that lower your operating costs, and automatic license activation on
deployment.
This licensing model is:
● Simple: Procure, deploy, and manage licenses easily. Devices self-register, removing the need for product
Activation Keys (PAKs).
● Flexible: Pool license entitlements in a single account. Move licenses freely through the network, wherever
you need them.
● Smart: Manage your license deployments with real-time visibility of ownership and consumption.
We support Bring-Your-Own-License (BYOL) in Azure and AWS, and a flexible hourly or annual license in AWS.
The hourly and annual licenses carry no Cisco Technical Assistance Center (TAC) support; users are billed for
both the license and the instance by AWS.
The NGFWv base license is required to enable firewall throughput plus application visibility and control. We also
offer term-based licenses for IPS, URL Filtering, and AMP. If no license is installed, you get a lab license that
entitles you to 100 Kbps and 100 connections per second. (See Figure 5.)
Figure 5. Base and term-based licenses in AWS and Azure
Note: The AWS pay-as-you-go (hourly or annual) license does not include Cisco TAC support, but you can purchase
one year of TAC support from a listed partner:
https://aws.amazon.com/marketplace/pp/B01HQPRQMQ?qid=1522335115947&sr=0-7&ref_=srh_res_product_title
An ASAv standard license is required to enable throughput. If no license is installed, you get a lab license that
entitles you to 100 Kbps and 100 connections per second. In addition to the standard license, we also offer Cisco
AnyConnect® VPN licenses (ASAv10 supports 250 VPN endpoints, and ASAv30 supports 750 VPN endpoints).
An Azure ASAv10 (Standard D3 and D3v2) instance can support 750 VPN endpoints. (See Figure 6.)
Figure 6. Standard and Cisco AnyConnect licenses in AWS and Azure
Deployment Models for Cisco NGFWv in Azure and AWS
Cisco NGFWv in Azure (routed mode)
Cisco NGFWv is deployed in routed mode and managed by an on-premises FMC or an FMC running in AWS.
Interfaces are numbered eth0 through eth3. By default, eth0 gets an IP address from the private range and is
mapped to a public IP address by Azure. You can manage NGFWv through that public IP address or, with Azure
ExpressRoute connectivity, through an internal address.
eth1 is the diagnostic interface; eth2 and eth3 are data interfaces.
Multiple IP addresses can be assigned on eth2 for one-to-one translation to internal workloads (Figure 7).
Figure 7. Deployment model for Cisco NGFWv in Azure (routed mode)
Cisco NGFWv in AWS (routed mode)
Cisco NGFWv is deployed in routed mode and managed by an on-premises FMC or an FMC running in AWS.
Interfaces are numbered eth0 through eth3. By default, eth0 gets an IP address from the private range and is
mapped to a public IP address in AWS. You can manage NGFWv through that public IP address or, with AWS
Direct Connect, through an internal address.
eth1 is the diagnostic interface; eth2 and eth3 are data interfaces.
Multiple IP addresses can be assigned on eth2 for one-to-one translation to internal workloads (Figure 8).
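The multi-IP, one-to-one publishing pattern described for eth2 (in this AWS section and in the Azure section above), as an added example that is not part of the white paper or of Cisco's tooling: each published workload gets its own secondary private address on the outside interface, each such address gets its own Elastic IP, and the firewall carries a static NAT between that address and the workload. The ENI ids, the subnets (outside 10.0.2.0/24, inside 10.0.3.0/24) and the interface names "inside"/"outside" are assumptions; the Azure equivalent adds IP configurations to the NIC instead of secondary private IPs, and is not shown. AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: publish several internal workloads through one NGFWv/ASAv
# outside interface (eth2) in AWS, one public IP per workload.
# Assumptions: the ENI ids of eth2/eth3, the outside/inside subnets
# 10.0.2.0/24 and 10.0.3.0/24, and the nameifs "outside"/"inside".
# AWS=echo makes it a dry run.

AWS="${AWS:-aws}"
ENI_OUTSIDE="${ENI_OUTSIDE:-eni-0123456789abcdef0}"   # assumed: eth2 of the firewall
ENI_INSIDE="${ENI_INSIDE:-eni-0fedcba9876543210}"     # assumed: eth3 of the firewall

# A firewall acting as next hop forwards packets whose addresses are not its
# own; EC2 silently drops those unless source/destination checking is off on
# the data ENIs. Forgetting this is the usual reason a routed-mode deployment
# "passes nothing".
disable_src_dst_check() {   # ENI_ID...
    for eni in "$@"; do
        "$AWS" ec2 modify-network-interface-attribute \
            --network-interface-id "$eni" --no-source-dest-check
    done
}

# Give eth2 one extra private address per published workload.
add_secondary_ips() {   # PRIVATE_IP...
    "$AWS" ec2 assign-private-ip-addresses \
        --network-interface-id "$ENI_OUTSIDE" --private-ip-addresses "$@"
}

# Allocate an Elastic IP and bind it to exactly one of those private addresses.
publish_ip() {   # PRIVATE_IP -> prints the allocation id
    alloc=$("$AWS" ec2 allocate-address --domain vpc \
                --query AllocationId --output text)
    "$AWS" ec2 associate-address --allocation-id "$alloc" \
        --network-interface-id "$ENI_OUTSIDE" --private-ip-address "$1"
    printf '%s\n' "$alloc"
}

# The matching one-to-one translation on the firewall: the secondary private
# address on eth2 is the mapped address, the workload is the real address.
# This is ASA object NAT syntax; on NGFWv the same static NAT rule is created
# in the FMC NAT policy, and an access control rule must still permit the flow.
asa_static_nat() {   # NAME MAPPED_OUTSIDE_IP REAL_INSIDE_IP -> ASA CLI lines
    printf 'object network %s\n host %s\n nat (inside,outside) static %s\n' "$1" "$3" "$2"
}

# Live usage:
#   disable_src_dst_check "$ENI_OUTSIDE" "$ENI_INSIDE"
#   add_secondary_ips 10.0.2.20 10.0.2.21
#   publish_ip 10.0.2.20; publish_ip 10.0.2.21
#   asa_static_nat web1 10.0.2.20 10.0.3.10
#   asa_static_nat web2 10.0.2.21 10.0.3.11
```

Because each Elastic IP is tied to a specific secondary address, the firewall's NAT table is the only place the public-to-workload mapping lives; keep the security group on eth2 limited to the ports each workload actually publishes, since the one-to-one NAT exposes the whole address.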
Figure 8. Deployment model for Cisco NGFWv in AWS (routed mode)
Cisco NGFWv in AWS (passive mode)
Cisco NGFWv can be deployed in passive mode, where it works like an intrusion detection system (IDS). In a
passive IPS deployment, the NGFWv uses ERSPAN to monitor traffic flowing across a network; ERSPAN delivers a
copy of the traffic, so you gain visibility without sitting in the forwarding path. When configured in a passive
deployment, the system cannot take certain actions, such as blocking or shaping traffic.
Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted
(Figure 9).
Figure 9. Deployment model for Cisco NGFWv in AWS (passive mode)
Deployment Models for Cisco ASAv in Azure and AWS
Cisco ASAv in Azure (routed mode)
Cisco ASAv can be deployed in routed mode with 4 interfaces (see Figure 10). Of these, eth0 is a management
and data interface. It gets an IP address from the private range, and it is translated to an external IP address by
Azure. The Cisco ASAv image is bundled with the Cisco ASDM image and a REST API plug-in for
orchestration. With Azure ExpressRoute connectivity, ASAv can be managed using an internal IP address.
We support active/standby high availability on ASAv running in Azure.
Cisco ASAv supports IPsec and Cisco AnyConnect VPNs.
Figure 10. Deployment model for Cisco ASAv in Azure (routed mode)
Cisco ASAv in AWS (routed mode)
Cisco ASAv can be deployed in routed mode with 4 interfaces (see Figure 11). Of these, eth0 is a management
and data interface. It gets an IP address from the private range, and it is translated to an external IP address in
AWS. The Cisco ASAv image is bundled with the ASDM image and a REST API plug-in for orchestration. With
AWS Direct Connect, ASAv can be managed using an internal IP address.
Cisco ASAv supports IPsec and AnyConnect VPNs.
Figure 11. Deployment model for Cisco ASAv in AWS (routed mode)
ARM template deployment for Cisco NGFWv and ASAv in Azure
In Azure, the Azure Resource Manager (ARM) is the management layer (API). You can deploy Cisco ASAv and
NGFWv using an ARM template. Before you can deploy those resources, you must provide the resource group,
storage account, availability set, and virtual network with the appropriate subnets. The steps for an ARM
deployment are shown in Figure 12.
Figure 12. Deploying NGFWv and ASAv using the Azure Resource Manager
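The prerequisites listed above, carried out with the Azure CLI, as an added example that is not part of the white paper or of Cisco's ARM template: resource group, storage account, availability set, and a VNet with one subnet per NGFWv interface (eth0 mgmt, eth1 diag, eth2 outside, eth3 inside), plus the piece a practitioner adds before the template runs, a network security group on the management subnet so that the public IP on eth0 is reachable only from the admin range and from the FMC. All resource names, address ranges, the admin and FMC addresses, and the template and parameter file names are assumptions; the template itself is the one linked below. AZ=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Azure prerequisites for an NGFWv/ASAv ARM deployment plus a
# management NSG, then validation and deployment of the ARM template.
# All names, address ranges and file names are assumptions. AZ=echo = dry run.

AZ="${AZ:-az}"
RG="${RG:-ngfwv-rg}"
LOC="${LOC:-eastus}"
VNET="${VNET:-ngfwv-vnet}"
AVSET="${AVSET:-ngfwv-avset}"
STORAGE="${STORAGE:-ngfwvdiag001}"            # must be globally unique, lowercase
NSG="${NSG:-ngfwv-mgmt-nsg}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"   # assumed: where SSH/HTTPS to eth0 may come from
FMC_CIDR="${FMC_CIDR:-198.51.100.10/32}"     # assumed: the FMC that will manage the NGFWv
TEMPLATE="${TEMPLATE:-ngfwv-template.json}"  # assumed: the downloaded ARM template
PARAMS="${PARAMS:-ngfwv-parameters.json}"    # assumed: its parameter file

create_prereqs() {
    "$AZ" group create -n "$RG" -l "$LOC"
    "$AZ" storage account create -g "$RG" -n "$STORAGE" -l "$LOC" --sku Standard_LRS
    "$AZ" vm availability-set create -g "$RG" -n "$AVSET" \
        --platform-fault-domain-count 2 --platform-update-domain-count 2
    # eth0 mgmt, eth1 diag, eth2 outside, eth3 inside: one subnet each
    "$AZ" network vnet create -g "$RG" -n "$VNET" --address-prefix 10.0.0.0/16 \
        --subnet-name mgmt --subnet-prefix 10.0.0.0/24
    for s in diag:10.0.1.0/24 outside:10.0.2.0/24 inside:10.0.3.0/24; do
        "$AZ" network vnet subnet create -g "$RG" --vnet-name "$VNET" \
            -n "${s%%:*}" --address-prefixes "${s#*:}"
    done
}

# eth0 carries a public IP, so restrict who can reach it: SSH/HTTPS from the
# admin range, the FMC/FTD management channel (TCP 8305) from the FMC only,
# and an explicit deny for everything else. An admin range of 0.0.0.0/0 is refused.
create_mgmt_nsg() {
    case "$ADMIN_CIDR" in
        0.0.0.0/0|'*'|Internet)
            echo "refusing to open management to $ADMIN_CIDR" >&2; return 1 ;;
    esac
    "$AZ" network nsg create -g "$RG" -n "$NSG" -l "$LOC"
    "$AZ" network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-admin \
        --priority 100 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$ADMIN_CIDR" --destination-port-ranges 22 443
    "$AZ" network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-fmc-sftunnel \
        --priority 110 --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$FMC_CIDR" --destination-port-ranges 8305
    "$AZ" network nsg rule create -g "$RG" --nsg-name "$NSG" -n deny-inbound \
        --priority 4000 --direction Inbound --access Deny --protocol '*' \
        --source-address-prefixes '*' --destination-port-ranges '*'
    "$AZ" network vnet subnet update -g "$RG" --vnet-name "$VNET" -n mgmt \
        --network-security-group "$NSG"
}

# Validate first; a template or parameter error then surfaces before any VM exists.
deploy_template() {
    "$AZ" deployment group validate -g "$RG" --template-file "$TEMPLATE" --parameters @"$PARAMS"
    "$AZ" deployment group create   -g "$RG" --template-file "$TEMPLATE" --parameters @"$PARAMS"
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    create_prereqs && create_mgmt_nsg && deploy_template
fi
```

Run it with RUN_DEPLOY=1 once the real template and parameter file are in place. The NSG is attached to the subnet rather than to a NIC so it survives a redeployment of the firewall VM, and the explicit deny at priority 4000 makes the intended exposure visible in the rule list instead of relying on the implicit default rules.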
Here are more resources about templates:
Cisco NGFWv ARM Template: https://cs.co/NGFWvARMTemplate
Cisco ASAv ARM Template: https://cs.co/ASAvARMTemplate
Cisco ASAv template deployment (video): https://cs.co/CiscoASAvTDeploymentAzure
Cisco NGFWv template deployment (video):
https://www.youtube.com/watch?v=nczS4HznPaA&list=PL5SvLIjumxqIzv2I0ZU9BCBgwqmEac_3G&index=1
Cisco NGFWv and ASAv CloudFormation template in AWS
In AWS, CloudFormation is the deployment service (the API you connect to for deploying resources), and a
CloudFormation (CF) template describes the resources to create. You can deploy Cisco ASAv and NGFWv using a
CF template. (See Figure 13.)
Figure 13. Deploying a CF template in AWS
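A CloudFormation deployment end to end, as an added example that is not part of the white paper and is separate from Cisco's own CF template: a small template for the security group that guards the firewall's management interface, written out, validated, deployed with parameter overrides, and its output read back. The stack name, VPC id, CIDRs and template path are assumptions. The point of interest is the AllowedPattern on the CIDR parameters, which makes CloudFormation itself reject 0.0.0.0/0 before any resource is created. AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: CloudFormation template for the NGFWv/ASAv management
# security group, validated and deployed with the AWS CLI.
# Assumptions: stack name, VPC id, admin/FMC CIDRs, template path.
# AWS=echo makes it a dry run.

AWS="${AWS:-aws}"
TEMPLATE="${TEMPLATE:-mgmt-sg.yaml}"

# AllowedPattern accepts only an IPv4 CIDR with a prefix length of /1 to /32,
# so 0.0.0.0/0 fails parameter validation inside CloudFormation, whatever the
# caller passes on the command line.
write_template() {
    cat <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Description: Management security group for Cisco NGFWv/ASAv (added example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: Source range allowed to SSH/HTTPS to the eth0 management interface
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/([1-9]|[12]\d|3[0-2])$'
    ConstraintDescription: IPv4 CIDR between /1 and /32 (0.0.0.0/0 is not accepted)
  FmcCidr:
    Type: String
    Description: Address of the FMC that manages this NGFWv (sftunnel, TCP 8305)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/([1-9]|[12]\d|3[0-2])$'
    ConstraintDescription: IPv4 CIDR between /1 and /32
Resources:
  MgmtSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: eth0 management access for the virtual firewall
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AdminCidr
        - IpProtocol: tcp
          FromPort: 8305
          ToPort: 8305
          CidrIp: !Ref FmcCidr
Outputs:
  MgmtSecurityGroupId:
    Value: !Ref MgmtSecurityGroup
EOF
}

# Write, validate, deploy (create or update), then read back the group id so
# it can be handed to the firewall's eth0 when the instance is launched.
deploy_mgmt_sg() {   # STACK_NAME VPC_ID ADMIN_CIDR FMC_CIDR
    write_template > "$TEMPLATE"
    "$AWS" cloudformation validate-template --template-body "file://$TEMPLATE"
    "$AWS" cloudformation deploy --stack-name "$1" --template-file "$TEMPLATE" \
        --parameter-overrides "VpcId=$2" "AdminCidr=$3" "FmcCidr=$4"
    "$AWS" cloudformation describe-stacks --stack-name "$1" \
        --query 'Stacks[0].Outputs[?OutputKey==`MgmtSecurityGroupId`].OutputValue' \
        --output text
}

# Live usage:
#   deploy_mgmt_sg ngfwv-mgmt-sg vpc-0123456789abcdef0 203.0.113.0/24 10.1.0.5/32
```

The returned group id is what you pass to the firewall's management ENI (for example as a parameter of Cisco's template, or afterwards with aws ec2 modify-network-interface-attribute --groups); the data interfaces get their own, separate groups that reflect the traffic the firewall is meant to inspect.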
Additional resources
Cisco Next-Generation Firewall Virtual (NGFWv) data sheet:
https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.html
Cisco Firepower Management Center (FMC) data sheet:
https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html
Cisco Adaptive Security Virtual Appliance (ASAv) data sheet:
https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/datasheet-c78-733399.html
Cisco NGFWv in AWS Marketplace offering (BYOL): https://cs.co/CiscoNGFWvBYOL
Cisco NGFWv in AWS Marketplace offering (hourly and annual): https://cs.co/CiscoNGFWvHourlyAnnual
Cisco FMCv in AWS Marketplace offering (BYOL): https://cs.co/CiscoFMCvBYOL
Cisco ASAv in AWS Marketplace offering (BYOL, hourly and annual): https://cs.co/CiscoASAvBYOLHourlyAnnual
Cisco NGFWv in Azure Marketplace offering (BYOL): https://cs.co/CiscoNGFWv
Cisco ASAv in Azure Marketplace offering (BYOL): https://cs.co/CiscoASAv
Cisco ASAv licensing (BYOL): https://cs.co/ASAvLicensing
Cisco NGFWv licensing (BYOL): https://cs.co/CiscoNGFWvLicensing
Cisco NGFWv ARM Template: https://cs.co/NGFWvARMTemplate
Cisco ASAv ARM Template: https://cs.co/ASAvARMTemplate
Cisco NGFWv and ASAv in Public Cloud YouTube Channel: https://cs.co/DCandCloudSecurity
Cisco Security TME YouTube channel (Cisco Application Centric Infrastructure security, private and public cloud
security): https://cs.co/AdvanceSecurityPrivatePublicCloud
Cisco NGFWv and FMCv deployment in AWS and threat policy blocking malware:
Part 1: https://cs.co/CiscoNGFWvinAWS1
Part 2: https://cs.co/CiscoNGFWvinAWS2
Part 3: https://cs.co/CiscoNGFWvinAWS3
Cisco NGFWv deployment in Azure: https://cs.co/NGFWvAzureDeployment
Cisco Firepower NGFWv in Azure: Protect vNET workloads in north-south and east-west traffic:
https://cs.co/CiscoNGFWvNSEW
Cisco NGFWv micro segmentation use case in Azure: https://cs.co/MicroSegmentation
Cisco NGFWv template deployment in Azure:
https://www.youtube.com/watch?v=nczS4HznPaA&list=PL5SvLIjumxqIzv2I0ZU9BCBgwqmEac_3G&index=1
Cisco ASAv deployment in AWS: https://cs.co/CiscoASAvDeploymentAWS
Cisco ASAv deployment in Azure: https://cs.co/CiscoASAvDeploymentAzure
Cisco ASAv template deployment: https://cs.co/CiscoASAvTDeploymentAzure
Cisco ASAv scale out design in AWS: https://cs.co/CiscoASAvScaleoutAWS
Cisco ASAv scale out design in Azure: https://cs.co/CiscoASAvAzureScaleout
Cisco NGFWv and ASAv multiple IP assignments: https://www.youtube.com/watch?v=FUZMTBZrA74
Printed in USA C11-740505-00 10/18