Fun in the Lab: FTDv & FMC – Install and Deploy

This is my Stealthwatch playground…. errrr… I mean … ahem… “work environment” for a Technical Solution Workshop I am working on for Stealthwatch.

Going to set up FTDv and FMC today.  A co-worker and friend, Scott Barasch, helped me get jump-started… so I figure I’ll pass on what I just learned to you. 🙂

What this blog will cover is

  1. DEPLOY
    1. Deploying the OVF for FTDv
    2. Deploying the OVF for FMC
  2. VMware settings
    1. Tweak for FTDv
    2. Tweak for FMC
  3. Prepping to Power On
    1. Snapshot Both Before Power On
    2. Power Both On
  4. Setup via Console
    1. FMC – console in and setup IP address
    2. FTDv – console in and step thru the prompts
  5. Test IP Connectivity
    1. Ping FMC and FTDv from the PC
    2. Notice Can’t ping FTDv
    3. Fix
    4. Ping
  6. Browse into FMC
    1. Change password
    2. Setup DNS
    3. Setup NTP
    4. Accept EULA
    5. Apply
  7. LICENSING
    1. License FMC
  8. FMC/FTDv: Make the Connection
    1. FTDv – Point FTDv to FMC
    2. FMC – bring the FTDv into the fold.  🙂

FTDv FMC in UCS

So let’s begin.  To host my FMC and FTDv VMs I have a UCS M4 with a NIC connected to a Cat4948 in VLAN 1.  That NIC is tied to vSwitch0 in the UCS.   That Cat4948 also connects out to a router in the dCloud environment.  Up in that dCloud environment I also have a Windows PC VM on the same VLAN 1 subnet.  I’ll be using that PC as a jumphost.


1) Deploy

install FTDv and FMC

Deploying my FMC and my FTDv was pretty much identical.  I went to Deploy OVF and clicked Browse, as I already had the VMDK and the OVF I wanted locally on that laptop. Then it is pretty much just like deploying any other VM.  🙂


2) Settings

I DO like to tweak settings.  I also like to pick nice “safe” numbers for my environment if I believe the environment will be up for a little while.  This environment should be up for a while, so I’m going to kick the CPU up to 8 CPUs with 8 cores per socket for both the FMC and the FTDv.

For the FMC I’m going to let the memory reservation stay the way the VM came – 0 for the reservation and unlimited for the limit.

FMC virtual hardware settings

For the FTDv you will notice that for the memory the reservation and the limit are the same value – 8192.  This was the value it came as.  And I was told to go ahead and leave it like that for what I’m doing.  AND that it was important that the 2 numbers match (reservation = limit).  I’m not going to explain all the varying reasons why.  Teehee… cause I’m not exactly sure I followed them all.

You will also notice that for the FTDv I disconnected all the NICs except for the one I will be using for OOB management.

FTDv virtual hardware settings


3) Prepping to Power On

I have been burned a few times with VMs that are newer to me.  🙂  So now once I have them prepped and ready to go…. 🙂  I snapshot them.    There have been a number of times … while learning something new… I have completely messed it all up and I can’t remember all the changes I made.  🙂

So prior to first power on – I take a snapshot. THEN power on.  🙂
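Steps 2 and 3 can be scripted as one pass with VMware PowerCLI: set the vCPU layout on both VMs, pin the FTDv memory reservation to its limit, leave only the management NIC connected, verify, then snapshot and power on. This is an added example and not code from the original post; it assumes PowerCLI is installed on the jumphost, and the server name, VM names (`FMC`, `FTDv`) and the management adapter name are placeholders you would swap for your own.

```powershell
# Added example (PowerCLI), not from the original post. Applies the step 2 VM
# settings and the step 3 snapshot-then-power-on sequence described above.
# Assumptions: PowerCLI is installed; $server, the VM names 'FMC'/'FTDv' and
# $mgmtNic are placeholders for your environment.

Import-Module VMware.PowerCLI
$server = 'esxi.lab.example'                  # placeholder ESXi host or vCenter
Connect-VIServer -Server $server -Credential (Get-Credential) | Out-Null

$fmc  = Get-VM -Name 'FMC'
$ftdv = Get-VM -Name 'FTDv'

# Step 2: 8 vCPUs, 8 cores per socket, on both VMs. CPU changes need the VM off.
foreach ($vm in @($fmc, $ftdv)) {
    if ($vm.PowerState -ne 'PoweredOff') { throw "$($vm.Name) must be powered off first" }
    Set-VM -VM $vm -NumCpu 8 -CoresPerSocket 8 -Confirm:$false | Out-Null
}

# FMC memory stays as the OVF shipped it (reservation 0, limit unlimited): no change.

# FTDv memory: reservation must equal limit. 8192 MB is the value the OVF came with.
$memMB = 8192
Get-VMResourceConfiguration -VM $ftdv |
    Set-VMResourceConfiguration -MemReservationMB $memMB -MemLimitMB $memMB | Out-Null

# FTDv NICs: only the OOB management adapter connects at power-on.
$mgmtNic = 'Network adapter 1'   # assumption: confirm which adapter is Management0/0
Get-NetworkAdapter -VM $ftdv |
    Where-Object { $_.Name -ne $mgmtNic } |
    Set-NetworkAdapter -StartConnected:$false -Confirm:$false | Out-Null

# Read the settings back before snapshotting, so the snapshot is a known-good state.
$res = Get-VMResourceConfiguration -VM $ftdv
if ($res.MemReservationMB -ne $res.MemLimitMB) { throw 'FTDv memory reservation != limit' }
$connected = Get-NetworkAdapter -VM $ftdv | Where-Object { $_.ConnectionState.StartConnected }
if (@($connected).Count -ne 1) { throw 'FTDv should have exactly one NIC set to connect at power-on' }

# Step 3: snapshot both VMs BEFORE first power-on, then power them on.
foreach ($vm in @($fmc, $ftdv)) {
    New-Snapshot -VM $vm -Name 'pre-first-boot' `
        -Description 'Clean state before first power-on' | Out-Null
    Start-VM -VM $vm | Out-Null
}

Disconnect-VIServer -Server $server -Confirm:$false
```

The read-back checks sit between the settings and the snapshot on purpose: if the snapshot is the state you roll back to after a botched first boot, it should already contain the matched reservation/limit and the single connected NIC, otherwise you restore a configuration you then have to fix again.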


4) Setup via Console

When you first start up the VMs you will notice a message on both if you go into the console early on after powering the VM on.  Looks like this

What should you do while waiting?  Personally I suggest getting a nice little cardio workout in.

When the VMs are ready… it is really your choice as to which to start with.  I used to start with the FTDv and then the FMC.  But now I tend to do the FMC first.  So we will just do that.

The FMC is pretty straightforward.  Basically you are going to log in (default username: admin, password: Admin123), sudo to root, and change the IP address.

fmc login

fmc config

For now we will say no to the “Do you wish to configure IPv6” prompt.

So that is about it for FMC IP setup.  The FTDv has actual prompts to step you thru.  Ready?

Next…. the FTDv.  Login is the same – admin/Admin123

FTDv login

Now the prompts begin.  🙂

First it is going to prompt you to accept the EULA.  🙂  It goes on for a while so I’ll let you experience that on your own without me showing it all to you here.

After you accept the EULA you will be prompted to change the password for admin, set up your IP addressing, etc etc. It’s pretty super easy to follow.

FTDV config

There will be a pause; just be patient and wait.  🙂  Trust me.  There have been a number of times I did NOT wait and I just did the typical impatient hitting <enter> thing.  If you do, you are going to end up saying “yes” to the “Manage the device locally” question.

For me I WANT the FMC to manage the device.  So I will answer “no” as we see below.  Also I want the firewall mode to be routed.

Okay… so ready to try to connect the FMC and the FTDv?   First let’s check IP connectivity and try to ping both.


5) Test IP Connectivity

From that Windows VM up in the Cisco dCloud environment that is on the same VLAN 1 subnet (198.18.1.0/24), let’s ping both the FMC and the FTDv.

Well that doesn’t look good for the FTDv.  🙁

ping FTDv fails

The truth, of course, is that I know what the issue is.   I have been burned by this one before.  🙂  And Scott was kind enough in the past to help me the first time.   We need to change the promiscuous mode on the vSwitch to “accept” from the default “reject”.  I’ll be doing this on all the vSwitches that the FTDv VM is on – the sensing interfaces as well as the management interfaces.  Let me show you how.

First… go edit the vSwitch.

FTDv ping fails so edit virtual switch to fix

Select “Security” and swap the default “Reject” on “Promiscuous mode” to “Accept”.

FTDv ping fails, accept promiscuous to fix

And now?  Yup… we can ping the FTDv.

FTDv successful ping
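The same fix in PowerCLI, as an added example that is not part of the original post: it walks the port groups the FTDv is attached to, sets promiscuous mode to Accept on the standard vSwitch behind each one, reads back the policy actually in effect, and then re-runs the ping test from the jumphost. The server name, the VM name `FTDv` and the FTDv management IP are placeholders; the FMC address is the post’s 198.18.1.110.

```powershell
# Added example (PowerCLI), not from the original post. Sets promiscuous mode
# to Accept on every standard vSwitch the FTDv uses, then re-tests reachability.
# Assumptions: run from the Windows jumphost with PowerCLI installed; $server,
# the VM name 'FTDv' and the FTDv management IP are placeholders.

Import-Module VMware.PowerCLI
$server = 'esxi.lab.example'
Connect-VIServer -Server $server -Credential (Get-Credential) | Out-Null

$ftdv = Get-VM -Name 'FTDv'

# $true = what the post does (switch-wide Accept, as in the screenshots).
# $false = tighter variant: leave the switch at Reject and override only the
#          FTDv's own port groups, so other VMs on the switch gain nothing.
$switchWide = $true

foreach ($pg in Get-VirtualPortGroup -VM $ftdv) {
    $vsw = Get-VirtualSwitch -VMHost $ftdv.VMHost -Name $pg.VirtualSwitchName

    if ($switchWide) {
        Get-SecurityPolicy -VirtualSwitch $vsw |
            Set-SecurityPolicy -AllowPromiscuous $true | Out-Null
    } else {
        Get-SecurityPolicy -VirtualPortGroup $pg |
            Set-SecurityPolicy -AllowPromiscuousInherited $false -AllowPromiscuous $true | Out-Null
    }

    # Read back the effective policy: a port group can override its vSwitch,
    # so checking only the switch can show Accept while the VM still sees Reject.
    $eff = Get-SecurityPolicy -VirtualPortGroup $pg
    '{0,-24} on {1,-10} promiscuous={2} (inherited={3})' -f `
        $pg.Name, $vsw.Name, $eff.AllowPromiscuous, $eff.AllowPromiscuousInherited
}

Disconnect-VIServer -Server $server -Confirm:$false

# Step 5 again: both management addresses should now answer from the jumphost.
$targets = @{
    FMC  = '198.18.1.110'          # from the post
    FTDv = '<FTDv-mgmt-IP>'        # placeholder: the address set in step 4
}
foreach ($name in $targets.Keys) {
    $ok = Test-Connection -ComputerName $targets[$name] -Count 2 -Quiet
    '{0,-5} {1,-16} reachable={2}' -f $name, $targets[$name], $ok
}
```

Promiscuous mode lets a vNIC receive frames that are not addressed to it, which is why it is needed here but also why the `$switchWide = $false` branch is worth considering once the lab is stable: a port-group override gives the FTDv what it needs without letting every other VM on that vSwitch see the same traffic.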


6) Browse into FMC

Browse FMC

It is officially time to browse into the FMC via https.  Since we have not yet been prompted to change the default admin password… we will be logging in with the default username: admin, password: Admin123

As soon as we get in we will be prompted to change the admin password as well as to update a few other fields. We will split the page that is displayed into 2 pages here.

The first part of the page will be

  • Change the password for username “admin”
  • Network Settings
  • Time Settings

Scrolling down you will see a bunch of things I’ll be leaving as the default right now.

  • Recurring Rule Update Imports
  • Recurring Geolocation Updates
  • Automatic Backups
  • License Settings

I’ll be doing the License in the next step anyway.

So basically I’ll just be checking the checkbox on the EULA saying I have “read and agree” to the End User License Agreement… and then clicking Apply.


7) LICENSING

Time for licensing!

Basically I went to “System” (upper right to the left of “Help”) and then went to licensing and smart license.  Got my license and tossed it in there.  Woot!  Registered!


8) FMC/FTDv: Make the Connection

And now to “Make the Connection” between the FMC and the FTDv.

Let’s go back to the console port of the FTDv.  When we last left the FTDv console (step 4 above) we had just set the firewall mode to routed.

If you had left the FTDv console open for a little while longer you would have ended up seeing what it was telling you to do next, which is to configure in the FTDv who the manager will be (the IP address of the FMC) as well as to put in a registration key.  This key will need to match what we put in the FMC later when we add the FTDv device.

configure manager add

The FMC IP address is 198.18.1.110 and we will use cisco123 as our registration key.

configure manager add

Okay… so that is the FTDv sorted.  Now let’s go into the FMC.

So choose Device Management on the top tab.  Then go over to the right, click Add and select Device from the drop-down.

add device in FMC

You will get a pop-up window.  Point to the IP address of the host… I usually just keep the name as the IP address, as you notice.  Now enter that cisco123 registration key you typed in on the CLI of the FTDv.

Group I just leave as None.  It IS interesting that you must assign an Access Control Policy.  To be honest I have never asked anyone why.  I just create one and then change it later.

What you select under Smart Licensing I would assume is related to what you are licensed for.  I’m licensed for all 3 so I click all 3 and then click Register.

After a few little messages giving you status as to what all is going on….

VOILA!  We have the FTDv added to the FMC!


Woot!  Done!

Want more?  Next blog in the FTDv series is about setting up the IP addressing on the FTDv and the routing for below.

Setting Up Addressing and Routing: FTDv Fun


