Deploy a Threat Defense Device with AWS

Use the following procedure to onboard and preliminarily provision the firewall of a threat defense device that is associated with an AWS VPC to be managed by cloud-delivered Firewall Management Center.

Before you begin

Confirm the following prerequisites are fulfilled prior to generating a virtual threat defense and deploying to an AWS environment:

  • You must have the cloud-delivered Firewall Management Center feature enabled and associated with your tenant.

Step 1

Log in to CDO.

Step 2

In the navigation pane, click Inventory and click the blue plus button.

Step 3

Select the FTD tile.

Step 4

Under Management Mode, be sure FTD is selected.

Step 5

Select Use AWS VPC as the onboarding method. If there is no AWS VPC already onboarded, you can click the provided link from this step and onboard the virtual environment.

Step 6

Select the availability zone from the drop-down menu. Select the zone where the cloud threat defense is located, and not where your local computer is located.

Step 7

Select the management interface subnet with either of the following options:

  • Use existing subnets - Expand the drop-down menus and select the appropriate subnets for the management interface, inside interface, and outside interface subnets.

  • Create new subnets - Add a set of subnet interfaces for the device to use once onboarded. Cisco Defense Orchestrator automatically creates these subnets and applies them to the AWS VPC as part of the onboarding procedure.

Note that the diagnostic interface will use the same interface as the management interface.

Step 8

Click Select to assign the subnets. Click Next.

Step 9

Enter the device name in the Device Name field and click Next.

Step 10

In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured, select the Default Access Control Policy.

Step 11

Select the Subscription Licenses you want applied to the device. You must have at least the URL license selected for virtual threat defense devices.

What to do next

It may take a few minutes for the device to appear in CDO's Inventory page, because it cannot synchronize until CDO has successfully deployed the CloudFormation stack, initialized the device connections, and established communication with both the virtual device and the AWS VPC environment.

If necessary, you can modify the virtual threat defense device performance tier selection after onboarding through the cloud-delivered Firewall Management Center UI.