Create the Day0 Configuration With a Customized Configuration for AWS

You can enter the entire cluster bootstrap configuration as threat defense commands in the run_config array of the Day0 JSON.

{
	"AdminPassword": "password",
	"Hostname": "hostname",
	"FirewallMode": "Routed",
	"ManageLocally": "No",
	"run_config": [comma_separated_threat_defense_configuration]
}

Gateway Load Balancer Example

The following example creates a configuration for a Gateway Load Balancer with one Geneve interface for U-turn traffic and one VXLAN interface for the cluster control link. Note the values in bold that need to be unique per node.

A sample day 0 configuration for version 7.4 and later is given below.


{
	"AdminPassword": "Sam&Dean",
	"Hostname": "ftdv1",
	"FirewallMode": "Routed",
	"ManageLocally": "No",
	"run_config": [
		"cluster interface-mode individual force",
		"interface TenGigabitEthernet0/0",
		"nameif geneve-vtep-ifc",
		"ip address dhcp",
		"no shutdown",
		"interface TenGigabitEthernet0/1",
		"nve-only cluster",
		"nameif ccl_link",
		"ip address dhcp",
		"no shutdown",
		"interface vni1",
		"description Clustering Interface",
		"segment-id 1",
		"vtep-nve 1",
		"interface vni2",
		"proxy single-arm",
		"nameif uturn-ifc",
		"vtep-nve 2",
		"object network ccl#link",
		"range 10.1.90.4 10.1.90.19",
		"object-group network cluster#group",
		"network-object object ccl#link",
		"nve 2",
		"encapsulation geneve",
		"source-interface geneve-vtep-ifc",
		"nve 1",
		"encapsulation vxlan",
		"source-interface ccl_link",
		"peer-group cluster#group",
		"jumbo-frame reservation",
		"mtu geneve-vtep-ifc 1826",
		"mtu ccl_link 1980",
		"cluster group ftdv-cluster",
		"local-unit 1",
		"cluster-interface vni1 ip 10.1.1.1 255.255.255.0",
		"priority 1",
		"enable",
		"aaa authentication listener http geneve-vtep-ifc port 7777"
	]
}

A sample day 0 configuration for version 7.3 and earlier is given below.


{
	"AdminPassword": "Sam&Dean",
	"Hostname": "ftdv1",
	"FirewallMode": "Routed",
	"ManageLocally": "No",
	"run_config": [
		"cluster interface-mode individual force",
		"interface TenGigabitEthernet0/0",
		"nameif geneve-vtep-ifc",
		"ip address dhcp",
		"no shutdown",
		"interface TenGigabitEthernet0/1",
		"nve-only cluster",
		"nameif ccl_link",
		"ip address dhcp",
		"no shutdown",
		"interface vni1",
		"description Clustering Interface",
		"segment-id 1",
		"vtep-nve 1",
		"interface vni2",
		"proxy single-arm",
		"nameif uturn-ifc",
		"vtep-nve 2",
		"object network ccl#link",
		"range 10.1.90.4 10.1.90.19",
		"object-group network cluster#group",
		"network-object object ccl#link",
		"nve 2",
		"encapsulation geneve",
		"source-interface geneve-vtep-ifc",
		"nve 1",
		"encapsulation vxlan",
		"source-interface ccl_link",
		"peer-group cluster#group",
		"jumbo-frame reservation",
		"mtu geneve-vtep-ifc 1806",
		"mtu ccl_link 1960",
		"cluster group ftdv-cluster",
		"local-unit 1",
		"cluster-interface vni1 ip 10.1.1.1 255.255.255.0",
		"priority 1",
		"enable",
		"aaa authentication listener http geneve-vtep-ifc port 7777"
	]
}

Note

For the CCL subnet range, specify IP addresses from the CCL subnet CIDR, excluding reserved IP addresses. Refer to the table given above for some examples.

When you configure the AWS health check, use the same port that you set here with the aaa authentication listener http command (7777 in this example).

Non-Native Load Balancer Example

The following example creates a configuration for use with non-native load balancers with Management, Inside, and Outside interfaces, and a VXLAN interface for the cluster control link. Note the values in bold that need to be unique per node.


{
	"AdminPassword": "W1nch3sterBr0s",
	"Hostname": "ftdv1",
	"FirewallMode": "Routed",
	"ManageLocally": "No",
	"run_config": [
		"cluster interface-mode individual force",
		"interface Management0/0",
		"management-only",
		"nameif management",
		"ip address dhcp",
		"interface GigabitEthernet0/0",
		"no shutdown",
		"nameif outside",
		"ip address dhcp",
		"interface GigabitEthernet0/1",
		"no shutdown",
		"nameif inside",
		"ip address dhcp",
		"interface GigabitEthernet0/2",
		"nve-only cluster",
		"nameif ccl_link",
		"ip address dhcp",
		"no shutdown",
		"interface vni1",
		"description Clustering Interface",
		"segment-id 1",
		"vtep-nve 1",
		"jumbo-frame reservation",
		"mtu ccl_link 1654",
		"object network ccl#link",
		"range 10.1.90.4 10.1.90.19",          //mandatory user input 
		"object-group network cluster#group",
		"network-object object ccl#link",
		"nve 1",
		"encapsulation vxlan",
		"source-interface ccl_link",
		"peer-group cluster#group",
		"cluster group ftdv-cluster",          //mandatory user input 
		"local-unit 1",
		"cluster-interface vni1 ip 10.1.1.1 255.255.255.0",
		"priority 1",
		"enable"
	]
}

For the cluster control link network object, specify only as many addresses as you need (up to 16). A larger range can affect performance.

Note

If you are copying and pasting the configuration given above, ensure that you remove the //mandatory user input markers from the configuration; they are not valid JSON.
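As an added example (not code from this page or from Cisco), the following Python script renders a per-node Day0 document from a constructed, shortened template and checks the ccl#link range against the rules stated above: addresses must come from the CCL subnet, must avoid the reserved addresses, and should number at most 16. It assumes the CCL subnet is 10.1.90.0/24, that AWS reserves the first four and the last address of every subnet, and that Hostname, local-unit, priority and the cluster-interface IP are the values that differ per node; TEMPLATE_TEXT, MARKER, check_ccl_range and render_node are names chosen here.

```python
import ipaddress
import json
import re
# Constructed, shortened Day0 template (most run_config lines omitted); '//' markers as on the page.
TEMPLATE_TEXT = """{
 "AdminPassword": "W1nch3sterBr0s", "Hostname": "ftdv1",
 "FirewallMode": "Routed", "ManageLocally": "No",
 "run_config": [
  "range 10.1.90.4 10.1.90.19",          //mandatory user input
  "cluster group ftdv-cluster",          //mandatory user input
  "local-unit 1",
  "cluster-interface vni1 ip 10.1.1.1 255.255.255.0",
  "priority 1"
 ]
}"""
CCL_SUBNET = "10.1.90.0/24"  # assumed CCL subnet CIDR for the range above
MAX_CCL_ADDRESSES = 16       # page: "only as many addresses as you need (up to 16)"
MARKER = re.compile(r"[ \t]*//mandatory user input[ \t]*$", re.M)

def check_ccl_range(first: str, last: str, subnet_cidr: str) -> list:
    """Problems with a 'range FIRST LAST' line for the ccl#link network object."""
    subnet = ipaddress.ip_network(subnet_cidr)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    reserved = set(list(subnet)[:4]) | {subnet.broadcast_address}  # AWS: first 4 + last
    problems = []
    if lo > hi or lo not in subnet or hi not in subnet:
        problems.append("range is empty or not inside the CCL subnet")
    elif int(hi) - int(lo) + 1 > MAX_CCL_ADDRESSES:
        problems.append(f"range holds more than {MAX_CCL_ADDRESSES} addresses")
    clash = sorted(str(a) for a in reserved if lo <= a <= hi)
    if clash:
        problems.append("range includes AWS-reserved addresses: " + ", ".join(clash))
    return problems

def render_node(node: int, template_text: str = TEMPLATE_TEXT) -> dict:
    """Day0 document for node `node`; assumed per-node values: Hostname, local-unit,
    priority and the cluster-interface IP. Markers are stripped so the JSON parses."""
    cfg = json.loads(MARKER.sub("", template_text))
    cfg["Hostname"] = f"ftdv{node}"
    for i, line in enumerate(cfg["run_config"]):
        words = line.split()
        if words[0] in ("local-unit", "priority"):
            cfg["run_config"][i] = f"{words[0]} {node}"
        elif words[0] == "cluster-interface":
            cfg["run_config"][i] = f"cluster-interface vni1 ip 10.1.1.{node} 255.255.255.0"
        elif words[0] == "range":
            problems = check_ccl_range(words[1], words[2], CCL_SUBNET)
            if problems:
                raise ValueError("; ".join(problems))
    return cfg
```

Call render_node(n) once per cluster node and write each result to that node's user data; a range that violates the rules raises before any document is produced.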