Installing Cisco Virtual FTD on Proxmox VE 9

From OISecWiki

Cisco Virtual Firepower Threat Defense (FTDv) is a virtual version of Cisco's next-generation firewall. Proxmox Virtual Environment (VE) is an open-source virtualization platform based on KVM/QEMU, which allows for the deployment of FTDv, although it is not officially supported by Cisco.[1][2] This article provides a technical guide to installing FTDv on Proxmox VE, drawing from KVM deployment practices and community experiences.[3][4][5]

Prerequisites

Before starting, ensure the following:

  • Hardware Requirements:
    • Server-class CPU (Intel Sandy Bridge or later, minimum 8 cores on a single socket for optimal performance).
    • At least 8 GB RAM (recommended 16 GB or more depending on the performance tier, e.g., FTDv10 requires 8 vCPU/16 GB).
    • Minimum 50 GB disk space for the VM.
    • KVM support enabled: Verify with lsmod | grep kvm (the output should list kvm and either kvm_intel or kvm_amd) and with kvm-ok.[6]
  • Software Requirements:
    • Proxmox VE version 8.3 or later (supports enhanced features for importing qcow2 images).[7][8]
    • Download the FTDv KVM image (e.g., ftdv-kvm.qcow2) from the Cisco software download page (requires a valid Cisco account and service contract).[9][10]
    • At least 4 network interfaces: Management (vnic0), Diagnostic (vnic1), Outside (vnic2), Inside (vnic3). Management, diagnostic, and inside must be on the same subnet initially.[11]
    • Serial port: FTDv requires a serial port for proper console access and to resolve boot issues.[12]

Installation Steps

Follow these steps using the Proxmox web UI or CLI. Proxmox VE supports efficient disk imports without needing a placeholder disk.[13][14]

  • Upload the Image:
    • In the Proxmox GUI, navigate to a directory-based storage (e.g., local) under Content > Disk Images (if available) or transfer via SCP/CLI to /var/lib/vz/images/ or a suitable directory. For large files, CLI upload is recommended.[15][16]
  • Create a New VM:
    • In Proxmox UI: Go to "Create VM".
    • Set VM ID, Name (e.g., ftdv).
    • OS: Select "Linux" and version (e.g., 2.6+).
    • System: Use SeaBIOS.
    • Hard Disk: Do not create a hard disk (no placeholder needed).
    • CPU: 8 cores (type: host).
    • Memory: 16 GB.
    • Networks: Add at least 4 interfaces (e.g., virtio model):
      • NIC0 and NIC1: Management bridge (e.g., vmbr0).
      • NIC2: Outside bridge.
      • NIC3: Inside bridge (same as management initially).
    • Do not start the VM yet.
    • After completing the Create VM wizard, navigate to the VM's Hardware tab and add a Serial Port (serial0) for console access.[17][18][19]
  • Import the Disk:
    • CLI Method (Recommended):
      • Use: qm importdisk <VM_ID> <path_to_qcow2> <storage> --format qcow2 (e.g., qm importdisk 100 ftdv-kvm.qcow2 local-lvm). This imports directly without a placeholder.
      • Then, in the GUI: Go to Hardware, select the Unused Disk, and Edit/Attach it as virtio0 (boot disk).[20][21]
    • GUI Method (If Applicable):
      • If the qcow2 is on a directory storage, add Hard Disk in Hardware, select the storage, and choose the existing qcow2 file if visible. Note: May require CLI for full compatibility.[22]
  • Configure Boot Order:
    • In VM Options > Boot Order: Set the imported disk as the first boot device.[23]
  • Start the VM:
    • Boot the VM and access the console (use xterm.js for serial console if needed).
    • Initial boot may take 7-15 minutes.[24]
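
The steps above can also be done entirely from the Proxmox host shell. The following is an added example, not part of the original article or of any Cisco or Proxmox tooling: the function name deploy_ftdv, the QM override variable, and the bridge names in the usage comment are assumptions made for illustration. It refuses to build a VM with fewer than four interfaces, since that is one of the boot-failure causes listed under Troubleshooting.

```shell
#!/bin/sh
# Added example: CLI equivalent of the GUI steps above, run on the Proxmox host.
# QM may be pointed at a stub command for testing (assumption, not a qm feature).
QM=${QM:-qm}

# deploy_ftdv VMID NAME IMAGE STORAGE MGMT_BR DIAG_BR OUTSIDE_BR INSIDE_BR [EXTRA_BR...]
deploy_ftdv() {
    if [ "$#" -lt 8 ]; then
        echo "deploy_ftdv: need VMID NAME IMAGE STORAGE and at least 4 bridges" >&2
        return 2
    fi
    vmid=$1 name=$2 image=$3 storage=$4
    shift 4

    # VM shell without a disk: SeaBIOS, 8 host-type cores, 16 GB RAM, serial0.
    "$QM" create "$vmid" --name "$name" --ostype l26 --bios seabios \
        --cores 8 --cpu host --memory 16384 --serial0 socket || return 1

    # NIC order matters: net0=management, net1=diagnostic, net2=outside, net3=inside.
    i=0
    for bridge in "$@"; do
        "$QM" set "$vmid" "--net$i" "virtio,bridge=$bridge" || return 1
        i=$((i + 1))
    done

    # Import the qcow2; it then shows up in the VM config as unused0.
    "$QM" importdisk "$vmid" "$image" "$storage" || return 1
    volume=$("$QM" config "$vmid" | awk '$1 == "unused0:" { print $2 }')
    if [ -z "$volume" ]; then
        echo "deploy_ftdv: imported disk not found as unused0" >&2
        return 1
    fi

    # Attach the imported volume as virtio0 and make it the first boot device.
    "$QM" set "$vmid" --virtio0 "$volume" --boot order=virtio0 || return 1
}

# Example call (constructed values):
# deploy_ftdv 100 ftdv /var/lib/vz/images/ftdv-kvm.qcow2 local-lvm vmbr0 vmbr0 vmbr1 vmbr0
```

The VM is left stopped, as in the GUI procedure; start it afterwards and attach to the serial console.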

Configuration

  • Initial Setup (Without Day 0):
    • Login: Username admin, Password Admin123.
    • Accept EULA.
    • Set new admin password.
    • Configure network: IPv4 manual/DHCP, gateway, DNS, hostname.
    • Choose management: Local (Device Manager) or Remote (Management Center).
    • Firewall mode: Routed (default) or Transparent.[25][26]
  • Access the GUI:
    • Use a browser to connect to the management IP (e.g., https://<management_ip>).
    • For local management, use Secure Firewall Device Manager.[27]
  • Troubleshooting:
    • If boot fails: Ensure the VM has 4+ interfaces, sufficient resources, correct interface ordering, and a serial port, and verify the disk import (use the CLI if the GUI import gives trouble).
    • Check logs: Run system generate-troubleshoot ALL on FTDv CLI.
    • Console issues: Use serial console (xterm.js) instead of noVNC.[28][29]

Notes

  • FTDv on Proxmox is community-supported; for production, use officially supported hypervisors like VMware or KVM on Ubuntu/CentOS.[30]
  • Direct qcow2 imports in Proxmox VE eliminate the need for placeholder disks, simplifying setup.[31]
  • For migration from other hypervisors: Deploy new instances and reconfigure HA if applicable.[32]

References

  1. https://community.cisco.com/t5/network-security/migrate-off-of-vmware-ftdv-to-proxmox-fmc-to-hyper-v/td-p/5214759
  2. https://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/series.html
  3. https://www.youtube.com/watch?v=Etgm73PYHYc
  4. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  5. https://www.youtube.com/watch?v=lXO1tdsNKks
  6. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  7. https://forum.proxmox.com/threads/is-it-possible-to-run-cisco-firepower-virtual-using-proxmox.164115
  8. https://pve.proxmox.com/pve-docs/pve-admin-guide.html
  9. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  10. https://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/products-release-notes-list.html
  11. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  12. https://forum.proxmox.com/threads/cisco-firepower-threat-defense-virtual-for-kvm-wont-boot.59167
  13. https://pve.proxmox.com/pve-docs/pve-admin-guide.html
  14. https://www.youtube.com/watch?v=lXO1tdsNKks
  15. https://www.youtube.com/watch?v=Etgm73PYHYc
  16. https://pve.proxmox.com/pve-docs/pve-admin-guide.html
  17. https://www.youtube.com/watch?v=Etgm73PYHYc
  18. https://forum.proxmox.com/threads/cisco-firepower-threat-defense-virtual-for-kvm-wont-boot.59167
  19. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  20. https://www.youtube.com/watch?v=lXO1tdsNKks
  21. https://www.thomas-krenn.com/en/wiki/QCOW2_Image_-_Import_in_Proxmox_VE
  22. https://forum.proxmox.com/threads/import-of-qcow2-images-to-proxmox.130562
  23. https://www.youtube.com/watch?v=lXO1tdsNKks
  24. https://www.youtube.com/watch?v=Etgm73PYHYc
  25. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  26. https://www.youtube.com/watch?v=O_i6HR6k0Vc
  27. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/consolidated_ftdv_gsg/ftdv-gsg/m-ftdv-kvm-gsg.html
  28. https://forum.proxmox.com/threads/cisco-firepower-threat-defense-virtual-for-kvm-wont-boot.59167
  29. https://community.cisco.com/t5/network-security/migrate-off-of-vmware-ftdv-to-proxmox-fmc-to-hyper-v/td-p/5214759
  30. https://community.cisco.com/t5/network-security/migrate-off-of-vmware-ftdv-to-proxmox-fmc-to-hyper-v/td-p/5214759
  31. https://www.youtube.com/watch?v=lXO1tdsNKks
  32. https://community.cisco.com/t5/network-security/migrate-off-of-vmware-ftdv-to-proxmox-fmc-to-hyper-v/td-p/5214759