Deploy a Threat Defense Device on Google Cloud Platform

Before you begin

When you perform this procedure, Cisco Defense Orchestrator creates the threat defense virtual as part of the onboarding wizard. You cannot use this procedure with a physical threat defense device or with a device that is already onboarded to CDO.

The following prerequisites must be met before you onboard a threat defense virtual into a Google Cloud Platform (GCP) project:

  • You must have cloud-delivered Firewall Management Center enabled for your tenant.

  • You must have a GCP account and already have a project created. See GCP documentation for more information.

  • You must have VPC networks and subnets for the four interfaces of the threat defense virtual; the onboarding wizard asks you to select a VPC and subnet for each. See Create VPC Networks for GCP for more information.

    Management interfaces (2): one connects the threat defense virtual to the management center, the second is used for diagnostics. Neither can carry through traffic.

    Traffic interfaces (2): connect the threat defense virtual to the inside hosts and to the public (outside) network.

  • The following permissions must be granted in the GCP project to the identity that CDO authenticates as (the service account whose credentials file you upload in Step 7). Without them CDO cannot communicate with GCP or complete onboarding. Grant them through a role scoped to that project rather than a broad predefined role:

    deploymentmanager.deployments.create
    deploymentmanager.deployments.get
    compute.networks.list
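
The following pre-flight script is an added example, not a Cisco or CDO tool. It checks the two prerequisites above that are easy to get wrong before you start the wizard: that the role CDO will use carries all three permissions, and that a VPC network exists for each of the four interfaces. The three permissions come from this page; the project ID (read from GCP_PROJECT), the custom role name (CDO_ROLE, default cdo_onboarding), the four network names, and the use of gcloud's value() output with ';' as list separator are assumptions for illustration. When gcloud or GCP_PROJECT is absent it runs against constructed sample data so it can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for the CDO/GCP onboarding prerequisites (added example).

# Permissions required by CDO, as listed on this page.
REQUIRED_PERMS="deploymentmanager.deployments.create
deploymentmanager.deployments.get
compute.networks.list"

# One VPC network per threat defense virtual interface. Names are assumed;
# substitute the ones you created in your project.
REQUIRED_NETWORKS="ftdv-mgmt-vpc
ftdv-diag-vpc
ftdv-inside-vpc
ftdv-outside-vpc"

# Constructed sample data, used when no project/gcloud is available:
# the role lacks compute.networks.list and the diagnostic VPC is missing.
SAMPLE_PERMS="deploymentmanager.deployments.create
deploymentmanager.deployments.get"
SAMPLE_NETWORKS="ftdv-mgmt-vpc
ftdv-inside-vpc
ftdv-outside-vpc
default"

# missing_items REQUIRED GRANTED
# Prints each required item (one per line) that is absent from GRANTED.
# Returns 0 when nothing is missing, 1 otherwise.
missing_items() {
    required="$1"; granted="$2"; rc=0
    for item in $required; do
        if ! printf '%s\n' "$granted" | grep -qxF -- "$item"; then
            printf '%s\n' "$item"
            rc=1
        fi
    done
    return $rc
}

# preflight GRANTED_PERMS NETWORKS
# Reports every missing permission and VPC network; returns 0 only when
# both prerequisite sets are fully satisfied.
preflight() {
    status=0
    missing=$(missing_items "$REQUIRED_PERMS" "$1") || status=1
    if [ -n "$missing" ]; then
        printf 'missing permission: %s\n' $missing
    fi
    missing=$(missing_items "$REQUIRED_NETWORKS" "$2") || status=1
    if [ -n "$missing" ]; then
        printf 'missing VPC network: %s\n' $missing
    fi
    return $status
}

project="${GCP_PROJECT:-}"
role="${CDO_ROLE:-cdo_onboarding}"   # assumed custom role name
if [ -n "$project" ] && command -v gcloud >/dev/null 2>&1; then
    # Live data: permissions of the custom role and networks in the project.
    granted_perms=$(gcloud iam roles describe "$role" --project "$project" \
        --format='value(includedPermissions)' | tr ';' '\n')
    networks=$(gcloud compute networks list --project "$project" \
        --format='value(name)')
else
    granted_perms="$SAMPLE_PERMS"
    networks="$SAMPLE_NETWORKS"
fi

if preflight "$granted_perms" "$networks"; then
    echo "OK: prerequisites satisfied, start the CDO onboarding wizard"
else
    echo "FIX the items above before onboarding"
fi
```

Run it as `GCP_PROJECT=my-project CDO_ROLE=cdo_onboarding sh preflight.sh` from a shell that is already authenticated with gcloud. Checking the role rather than the broad project policy keeps the review focused on exactly what the wizard's service account is allowed to do.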

Procedure


Step 1

Log in to CDO.

Step 2

In the navigation pane, click Inventory and click the blue plus button (+) to add a new device.

Step 3

Select the FTD tile.

Step 4

Under Management Mode, select FTD.

Step 5

Select Use GCP VPC as the onboarding method.

Step 6

If you have not yet authenticated your GCP environment with CDO, copy the bash command that CDO generates and run it in a bash shell or in Google Cloud Shell to authenticate your GCP account and allow communication between the two. Read the script before you run it; it executes with your GCP credentials and sets up the identity that CDO uses. If you have already authenticated your GCP account, skip the account integration steps and click Next.

Step 7

Use the drop-down menu to select the GCP project you want to associate with the device you are going to onboard. If no projects are listed, click + Link New Project and follow these steps:

  1. Enter the GCP project ID when prompted. Locate this value in the GCP UI. To locate the project ID, see GCP documentation.

  2. Upload Credentials File. Click Browse and navigate to where the .JSON credentials file generated by the script you ran in Step 6 is stored locally. Select it and click Save. Treat this file as a secret: it authenticates to your GCP project, so restrict access to the local copy and remove it once it is no longer needed.

Step 8

Click Next.

Step 9

Use the drop-down menus to select the following parameters and click Next:

  • Inside VPC

  • Inside Sub Network

  • Outside VPC

  • Outside Sub Network

  • Management VPC

  • Management Sub Network

  • Diagnostic Network

  • Diagnostic Sub Network

Step 10

Enter a name for the threat defense device in the Device Name field and click Next.

Step 11

In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured in the cloud-delivered Firewall Management Center associated with your CDO tenant, select the Default Access Control Policy.

Step 12

Select the Subscription Licenses you want applied to the device. You must have at least the URL license selected for virtual threat defense devices.

Step 13

Click Complete Onboarding.


What to do next

Navigate to the Inventory page to view the progress of the device registration. Once the device is synchronized, we strongly recommend cross-launching to cloud-delivered Firewall Management Center to customize your access control policy and review the device status.