Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide - Getting Started with Firepower Threat Defense Virtual and VMware [Cisco Firepower NGFW Virtual] (2024)

The Cisco Firepower Threat Defense Virtual (FTDv) brings Cisco's Firepower Next-Generation Firewall functionality to virtualized environments, enabling consistent security policies to follow workloads across your physical, virtual, and cloud environments, and between clouds.

This chapter describes how the Firepower Threat Defense Virtual functions within a VMware ESXi environment, including feature support, system requirements, guidelines, and limitations. This chapter also describes your options for managing the FTDv.

It's important that you understand your management options before you begin your deployment. You can manage and monitor the FTDv using the Firepower Management Center or the Firepower Device Manager. Other management options may be available.

About Firepower Threat Defense Virtual and VMware

Cisco packages 64-bit Firepower Threat Defense Virtual (FTDv) devices for VMware vSphere vCenter and ESXi hosting environments. The FTDv is distributed in an Open Virtualization Format (OVF) package available from Cisco.com. OVF is an open-source standard for packaging and distributing software applications for virtual machines (VM). An OVF package contains multiple files in a single directory.

You can deploy the FTDv to any x86 device that is capable of running VMware ESXi. In order to deploy the FTDv you should be familiar with VMware and vSphere, including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment.
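Because the OVF package is a directory of several files, the one check worth doing before you hand it to vSphere is verifying each file against the package manifest (.mf), which lists one "ALGO(filename)= hexdigest" line per file. The script below is an added example, not part of the Cisco guide; it assumes the manifest uses SHA256 entries, and the package files and manifest it builds are constructed placeholders rather than a real FTDv release.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify an OVF package against its .mf manifest
# before importing it. Assumes SHA256 manifest entries; sample files below are constructed.

# sha256_of FILE -> prints the file's SHA-256 hex digest (sha256sum, or shasum where absent)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_ovf_manifest DIR MANIFEST -> 0 when every SHA256 entry matches a file in DIR, else 1
verify_ovf_manifest() {
    dir="$1"
    mf="$2"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "SHA256("*")="*) ;;
            *) echo "SKIP     unsupported manifest entry: $line"; continue ;;
        esac
        name=$(printf '%s' "$line" | sed 's/^SHA256(\(.*\))=.*$/\1/')
        expected=$(printf '%s' "${line#*=}" | tr -d ' \r' | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (file altered or download corrupted; do not import)"
            rc=1
        fi
    done < "$mf"
    return $rc
}

# Constructed sample package: placeholder descriptor and disk, plus a manifest built from them
PKG=$(mktemp -d)
printf '<Envelope/>\n' > "$PKG/ftdv-example.ovf"
printf 'placeholder disk contents\n' > "$PKG/ftdv-example-disk1.vmdk"
for f in ftdv-example.ovf ftdv-example-disk1.vmdk; do
    printf 'SHA256(%s)= %s\n' "$f" "$(sha256_of "$PKG/$f")"
done > "$PKG/ftdv-example.mf"

# Constructed tampered copy: the descriptor was changed after the manifest was written
TAMPERED=$(mktemp -d)
cp "$PKG"/* "$TAMPERED"/
printf '<!-- modified -->\n' >> "$TAMPERED/ftdv-example.ovf"

# Real use: verify_ovf_manifest /path/to/package /path/to/package/<name>.mf
verify_ovf_manifest "$PKG" "$PKG/ftdv-example.mf"
verify_ovf_manifest "$TAMPERED" "$TAMPERED/ftdv-example.mf" || echo "package rejected"
```

The manifest only proves the files match what the manifest says; it does not by itself prove the manifest came from Cisco, so keep the download and its published checksum from Cisco.com together and compare them as well.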

VMware Feature Support for the Firepower Threat Defense Virtual

The following table lists the VMware feature support for the Firepower Threat Defense Virtual.

Table 1. VMware Feature Support for the FTDv

Feature                                  | Description                            | Support (Yes/No) | Comment
-----------------------------------------+----------------------------------------+------------------+----------------------------------------------------------------------------------
Cold Clone                               | The VM is powered off during cloning.  | No               | -
vMotion                                  | Used for live migration of VMs.        | Yes              | Use shared storage. See vMotion Support.
Hot add                                  | The VM is running during an addition.  | No               | -
Hot clone                                | The VM is running during cloning.      | No               | -
Hot removal                              | The VM is running during removal.      | No               | -
Snapshot                                 | The VM freezes for a few seconds.      | No               | Risk of out-of-sync situations between the FMC and managed devices.
Suspend and resume                       | The VM is suspended, then resumed.     | Yes              | -
vCloud Director                          | Allows automatic deployment of VMs.    | No               | -
VMware FT                                | Used for HA on VMs.                    | No               | Use the Firepower failover feature for Firepower Threat Defense Virtual VM failovers.
VMware HA with VM heartbeats             | Used for VM failures.                  | No               | Use the Firepower failover feature for Firepower Threat Defense Virtual VM failovers.
VMware vSphere Standalone Windows Client | Used to deploy VMs.                    | Yes              | -
VMware vSphere Web Client                | Used to deploy VMs.                    | Yes              | -

How to Manage Your Firepower Device

You have two options to manage your Firepower Threat Defense device.

Firepower Device Manager

The Firepower Device Manager (FDM) onboard integrated manager.

FDM is a web-based configuration interface included on some Firepower Threat Defense devices. FDM lets you configure the basic features of the software that are most commonly used for small networks. It is especially designed for networks that include a single device or just a few, where you do not want to use a high-powered multiple-device manager to control a large network containing many Firepower Threat Defense devices.

Note

See the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for a list of Firepower Threat Defense devices that support FDM.

Firepower Management Center

The Cisco Firepower Management Center (FMC).

If you are managing large numbers of devices, or if you want to use the more complex features and configurations that Firepower Threat Defense allows, use the FMC to configure your devices instead of the integrated FDM.

Important

You cannot use both the FDM and FMC to manage a Firepower device. Once the FDM integrated management is enabled, it won't be possible to use an FMC to manage the Firepower device, unless you disable the local management and re-configure the management to use an FMC. On the other hand, when you register the Firepower device to an FMC, the FDM onboard management service is disabled.

Caution

Right now Cisco does not have an option to migrate your FDM Firepower configuration to an FMC and vice-versa. Take this into consideration when you choose what type of management you configure for the Firepower device.

System Requirements

See the Cisco Firepower Compatibility Guide for the most current information about hypervisor support for the Firepower Threat Defense Virtual.

The specific hardware used for FTDv deployments can vary, depending on the number of instances deployed and usage requirements. Each instance of the FTDv requires a minimum resource allocation (amount of memory, number of CPUs, and disk space) on the server.

Systems running VMware vCenter Server and ESXi instances must meet specific hardware and operating system requirements. For a list of supported platforms, see the VMware online Compatibility Guide.

Table 2. FTDv Appliance Resource Requirements (each setting is listed with its value)

Performance Tiers

Version 7.0 and later

The FTDv supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.

  • FTDv5 4vCPU/8GB (100Mbps)

  • FTDv10 4vCPU/8GB (1Gbps)

  • FTDv20 4vCPU/8GB (3Gbps)

  • FTDv30 8vCPU/16GB (5Gbps)

  • FTDv50 12vCPU/24GB (10Gbps)

  • FTDv100 16vCPU/32GB (16Gbps)

See the "Licensing the Firepower System" chapter in the Firepower Management Center Configuration for guidelines when licensing your FTDv device.

Note

To change the vCPU/memory values, you must first power off the FTDv device.

Number of cores and memory

Version 6.4 to Version 6.7

The FTDv deploys with adjustable vCPU and memory resources. There are three supported vCPU/memory pair values:

Note

To change the vCPU/memory values, you must first power off the FTDv device. Only the above three combinations are supported.

Version 6.3 and earlier

The FTDv deploys with fixed vCPU and memory resources. There is only one supported vCPU/memory pair value:

  • 4vCPU/8GB

Note

Adjustments to vCPUs and memory are not supported.

Storage

Based on Disk Format selection.

  • Thin Provision disk size is 48.24GB.

vNICs

The FTDv supports the following virtual network adapters:

  • VMXNET3—FTDv on VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. The vmxnet3 driver uses two management interfaces. The first two Ethernet adapters must be configured as management interfaces; one for device management/registration, one for diagnostics.

  • IXGBE—The ixgbe driver uses two management interfaces. The first two PCI devices must be configured as management interfaces; one for device management/registration, one for diagnostics. The ixgbe driver does not support failover (HA) deployments of FTDv.

  • E1000—When using e1000 interfaces, the FTDv management interface (br1) for the e1000 driver is a bridged interface with two MAC addresses, one for management and one for diagnostics.

    Important

    For Firepower versions earlier than 6.4, the e1000 was the default interface for FTDv on VMware. Starting with release 6.4, FTDv on VMware defaults to vmxnet3 interfaces. If your virtual device is currently using e1000 interfaces, we strongly recommend that you change your interfaces to vmxnet3. See Configure VMXNET3 Interfaces for more information.

  • IXGBE-VF—The ixgbe-vf (10 Gbit/s) driver supports virtual function devices that can only be activated on kernels that support SR-IOV. SR-IOV requires the correct platform and OS support; see Support for SR-IOV for more information.

Support for Virtualization Technology

  • Virtualization Technology (VT) is a set of enhancements to newer processors that improves performance for running virtual machines. Your system should have CPUs that support either Intel VT or AMD-V extensions for hardware virtualization. Both Intel and AMD provide online processor identification utilities to help you identify CPUs and determine their capabilities.

  • Many servers that include CPUs with VT support might have VT disabled by default, so you must enable VT manually. You should consult your manufacturer's documentation for instructions on how to enable VT support on your system.

    Note
    If your CPUs support VT, but you do not see this option in the BIOS, contact your vendor to request a BIOS version that lets you enable VT support.

Disable Hyperthreading

We recommend that you disable hyperthreading for your systems that run the FTDv; see Hyperthreading Not Recommended. The following processors support hyperthreading and have two threads per core:

  • Processors based on the Intel Xeon 5500 processor microarchitecture.

  • Intel Pentium 4 (HT-enabled)

  • Intel Pentium EE 840 (HT-enabled)

To disable hyperthreading, you must first disable it in your system's BIOS settings and then turn it off in the vSphere Client (note that hyperthreading is enabled by default for vSphere). Consult your system documentation to determine whether your CPU supports hyperthreading.

Support for SR-IOV

SR-IOV Virtual Functions require specific system resources. A server that supports SR-IOV is required in addition to an SR-IOV capable PCIe adapter. You must be aware of the following hardware considerations:

  • The capabilities of SR-IOV NICs, including the number of VFs available, differ across vendors and devices. The following NICs are supported:

  • Not all PCIe slots support SR-IOV.

  • SR-IOV-capable PCIe slots may have different capabilities.

  • x86_64 multicore CPU — Intel Sandy Bridge or later (Recommended).

    Note

    We tested the FTDv on Intel's Broadwell CPU (E5-2699-v4) at 2.3GHz.

  • Cores

    • Minimum of 8 physical cores per CPU socket.

    • Ensure that you assign all the allocated physical cores to a single socket.

      Note

      CPU pinning is recommended to achieve full throughput.

You should consult your manufacturer's documentation for SR-IOV support on your system. You can search the VMware online Compatibility Guide for system recommendations that include SR-IOV support.

Support for SSSE3

  • Firepower Threat Defense Virtual requires support for Supplemental Streaming SIMD Extensions 3 (SSSE3 or SSE3S), a single instruction, multiple data (SIMD) instruction set created by Intel.

  • Your system should have CPUs that support SSSE3, such as Intel Core 2 Duo, Intel Core i7/i5/i3, Intel Atom, AMD Bulldozer, AMD Bobcat, and later processors.

  • See this reference page for more information about the SSSE3 instruction set and CPUs that support SSSE3.

Verify CPU Support

You can use the Linux command line to get information about the CPU hardware. For example, the /proc/cpuinfo file contains details about individual CPU cores. Output its contents with less or cat.

You can look at the flags section for the following values:

  • vmx—Intel VT extensions

  • svm—AMD-V extensions

  • ssse3—SSSE3 extensions

Use grep to quickly see if any of these values exist in the file by running the following command:

egrep "vmx|svm|ssse3" /proc/cpuinfo

If your system supports VT or SSSE3, then you should see vmx, svm, or ssse3 in the list of flags. The following example shows output from a system with two CPUs:

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
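The egrep above tells you only that a matching word exists somewhere in the file. The script below is an added example, not from the Cisco guide; it reads a /proc/cpuinfo-style file, reports separately whether hardware virtualization (vmx or svm) and SSSE3 are present, flags the ht bit because the guide recommends disabling hyperthreading on FTDv hosts, and returns non-zero when a required feature is missing so it can gate an automated host check. The two cpuinfo samples it builds are constructed, with only the fields the check needs.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check cpuinfo-style input for the CPU features the
# FTDv needs (Intel VT "vmx" or AMD-V "svm", plus "ssse3"). Sample inputs are constructed.

# has_flag FILE FLAG -> 0 if FLAG appears as a whole word on any "flags" line of FILE
has_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | grep -qE "(^|[[:space:]])$2([[:space:]]|\$)"
}

# check_cpu_support FILE -> 0 when hardware virtualization and SSSE3 are both present, else 1
check_cpu_support() {
    f="$1"
    rc=0
    if has_flag "$f" vmx; then
        echo "Intel VT (vmx): present"
    elif has_flag "$f" svm; then
        echo "AMD-V (svm): present"
    else
        echo "hardware virtualization (vmx/svm): MISSING - enable VT in the BIOS or use a supported CPU"
        rc=1
    fi
    if has_flag "$f" ssse3; then
        echo "SSSE3: present"
    else
        echo "SSSE3: MISSING - the CPU does not meet the FTDv requirement"
        rc=1
    fi
    if has_flag "$f" ht; then
        echo "hyperthreading (ht) reported: disable it in the BIOS and vSphere for FTDv hosts"
    fi
    return $rc
}

# Constructed sample: two processors, Intel VT and SSSE3 present (real files carry more fields)
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
processor : 1
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
EOF

# Constructed sample: VT not exposed to the OS (for example disabled in the BIOS), SSSE3 present
SAMPLE_NOVT=$(mktemp)
cat > "$SAMPLE_NOVT" <<'EOF'
processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm pni ssse3 cx16 lahf_lm
EOF

# Real use on a host: check_cpu_support /proc/cpuinfo
check_cpu_support "$SAMPLE_OK"
check_cpu_support "$SAMPLE_NOVT" || echo "host is not ready for FTDv"
```

Whole-word matching matters here: a plain substring search for "ht" would also match flags such as "lahf_lm" on some CPUs, and "vmx" is not the same flag as the vmxnet3 adapter name.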

Guidelines, Limitations, and Known Issues for FTDv and VMware

Performance Tiers for FTDv Smart Licensing

The FTDv supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.

Table 3. FTDv Licensed Feature Limits Based on Entitlement

Performance Tier | Device Specifications (Core/RAM) | Rate Limit | RA VPN Session Limit
-----------------+----------------------------------+------------+---------------------
FTDv5, 100Mbps   | 4 core/8 GB                      | 100Mbps    | 50
FTDv10, 1Gbps    | 4 core/8 GB                      | 1Gbps      | 250
FTDv20, 3Gbps    | 4 core/8 GB                      | 3Gbps      | 250
FTDv30, 5Gbps    | 8 core/16 GB                     | 5Gbps      | 250
FTDv50, 10Gbps   | 12 core/24 GB                    | 10Gbps     | 750
FTDv100, 16Gbps  | 16 core/32 GB                    | 16Gbps     | 10,000

See the "Licensing the Firepower System" chapter in the Firepower Management Center Configuration for guidelines when licensing your FTDv device.

Management Mode

  • You have two options to manage your Firepower Threat Defense device:

    • The Firepower Device Manager (FDM) onboard integrated manager.

      Note

      The FTDv on VMware supports Firepower Device Manager starting with Cisco Firepower software version 6.2.2 and later. Any FTDv on VMware running Firepower software earlier than version 6.2.2 can only be managed using the Firepower Management Center; see How to Manage Your Firepower Device.

    • The Firepower Management Center (FMC)

  • You must install a new image (version 6.2.2 or greater) to get Firepower Device Manager support. You cannot upgrade an existing FTDv virtual machine from an older version (earlier than 6.2.2) and then switch to Firepower Device Manager.

  • Firepower Device Manager (local manager) is enabled by default.

    Note

    When you choose Yes for Enable Local Manager, the Firewall Mode is changed to routed. This is the only supported mode when using Firepower Device Manager.

OVF File Guidelines

You have the following installation options for installing a Firepower Threat Defense Virtual appliance:
Cisco_Firepower_Threat_Defense_Virtual-VI-X.X.X-xxx.ovf
Cisco_Firepower_Threat_Defense_Virtual-ESXi-X.X.X-xxx.ovf

where X.X.X-xxx is the version and build number of the file you want to use.

  • If you deploy with a VI OVF template, the installation process allows you to perform the entire initial setup for the FTDv appliance. You can specify:

    • A new password for the admin account.

    • Network settings that allow the appliance to communicate on your management network.

    • Management, either local management using Firepower Device Manager (default) or remote management using the Firepower Management Center.

    • Firewall Mode. When you choose Yes for Enable Local Manager, the Firewall Mode is changed to routed. This is the only supported mode when using Firepower Device Manager.

      Note

      You must manage this virtual appliance using VMware vCenter.

  • If you deploy using an ESXi OVF template, you must configure Firepower System-required settings after installation. You manage this FTDv as a standalone appliance on ESXi; see Deploy the Firepower Threat Defense Virtual to a vSphere ESXi Host for more information.

Unable to Save Virtual Machine (VM) Configuration in vSphere 7.0.2

If you are using vSphere 7.0.2, you may not be allowed to save the VM configuration.

Note

You can resolve this issue by following the instructions in VMware knowledge base article: https://kb.vmware.com/s/article/83898.

vMotion Support

We recommend that you only use shared storage if you plan to use vMotion. During deployment, if you have a host cluster you can either provision storage locally (on a specific host) or on a shared host. However, if you try to vMotion the Firepower Management Center Virtual to another host, using local storage will produce an error.

Hyperthreading Not Recommended

Hyperthreading technology allows a single physical processor core to behave like two logical processors. We recommend that you disable hyperthreading for your systems that run the FTDv. The Snort process already maximizes the processing resources in a CPU core. When you attempt to push two CPU utilization threads through each processor you do not receive any improvement in performance. You may actually see a decrease in performance because of the overhead required for the hyperthreading process.

INIT Respawning Error Messages Symptom

You may see the following error message on the FTDv console running on ESXi 6 and ESXi 6.5:

"INIT: Id "ftdv" respawning too fast: disabled for 5 minutes"

Workaround—Edit the virtual machine settings in vSphere to add a serial port while the device is powered off.

  1. Right-click the virtual machine and select Edit Settings.

  2. On the Virtual Hardware tab, select Serial port from the New device drop-down menu, and click Add.

    The serial port appears at the bottom of the virtual device list.

  3. On the Virtual Hardware tab, expand Serial port, and select connection type Use physical serial port.

  4. Uncheck the Connect at power on checkbox.

    Click OK to save settings.

Exclude Virtual Machines from Firewall Protection

In a vSphere environment where the vCenter Server is integrated with VMware NSX Manager, a Distributed Firewall (DFW) runs in the kernel as a VIB package on all the ESXi host clusters that are prepared for NSX. Host preparation automatically activates DFW on the ESXi host clusters.

The FTDv uses promiscuous mode to operate, and the performance of virtual machines that require promiscuous mode may be adversely affected if these virtual machines are protected by a distributed firewall. VMware recommends that you exclude virtual machines that require promiscuous mode from distributed firewall protection.

  1. Navigate to Exclusion List settings.

    • In NSX 6.4.1 and later, navigate to .

    • In NSX 6.4.0, navigate to .

  2. Click Add.

  3. Move the VMs that you want to exclude to Selected Objects.

  4. Click OK.

If a virtual machine has multiple vNICs, all of them are excluded from protection. If you add vNICs to a virtual machine after it has been added to the Exclusion List, Firewall is automatically deployed on the newly added vNICs. To exclude the new vNICs from firewall protection, you must remove the virtual machine from the Exclusion List and then add it back to the Exclusion List. An alternative workaround is to power cycle (power off and then power on) the virtual machine, but the first option is less disruptive.

Modify the Security Policy Settings for a vSphere Standard Switch

For a vSphere standard switch, the three elements of the Layer 2 Security policy are promiscuous mode, MAC address changes, and forged transmits. Firepower Threat Defense Virtual uses promiscuous mode to operate, and Firepower Threat Defense Virtual high availability depends on switching the MAC address between the active and the standby to operate correctly.

The default settings will block correct operation of Firepower Threat Defense Virtual. See the following required settings:

Table 4. vSphere Standard Switch Security Policy Options

Option              | Required Setting | Action
--------------------+------------------+------------------------------------------------------------------------------------------------
Promiscuous Mode    | Accept           | You must edit the security policy for a vSphere standard switch in the vSphere Web Client and set the Promiscuous mode option to Accept. Firewalls, port scanners, intrusion detection systems and so on, need to run in promiscuous mode.
MAC Address Changes | Accept           | You should verify the security policy for a vSphere standard switch in the vSphere Web Client and confirm the MAC address changes option is set to Accept.
Forged Transmits    | Accept           | You should verify the security policy for a vSphere standard switch in the vSphere Web Client and confirm the Forged transmits option is set to Accept.

Modify the Security Policy Settings for a vSphere Standard Switch

The default settings will block correct operation of FTDv.

Procedure

Step 1

In the vSphere Web Client, navigate to the host.

Step 2

On the Manage tab, click Networking, and select Virtual switches.

Step 3

Select a standard switch from the list and click Edit settings.

Step 4

Select Security and view the current settings.

Step 5

Accept promiscuous mode activation, MAC address changes, and forged transmits in the guest operating system of the virtual machines attached to the standard switch.

Step 6

Click OK.

What to do next

  • Ensure these settings are the same on all networks that are configured for management and failover (HA) interfaces on FTDv devices.
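Checking these three settings by hand on every switch that carries a management or failover network is error-prone, so it helps to script the audit. The script below is an added example and not part of the Cisco guide. On an ESXi host the live values come from "esxcli network vswitch standard policy security get -v <switch>"; here the script parses constructed sample output whose field labels are assumed to match esxcli's "Allow Promiscuous", "Allow MAC Address Change" and "Allow Forged Transmits" lines, and reports each option that is still on the blocking default.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit a vSphere standard switch security policy
# against the three settings the FTDv needs (promiscuous mode, MAC address changes and forged
# transmits all set to Accept). The policy text below is a constructed sample resembling
# esxcli output; the field labels are an assumption about that output format.

# policy_value POLICY_TEXT LABEL -> prints the lower-cased value of "LABEL: value"
policy_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | tr 'A-Z' 'a-z'
}

# audit_vswitch_policy POLICY_TEXT -> 0 when all three options are true, else lists fixes and returns 1
audit_vswitch_policy() {
    out="$1"
    rc=0
    for label in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        val=$(policy_value "$out" "$label")
        if [ "$val" = "true" ]; then
            echo "$label: Accept (ok)"
        else
            echo "$label: Reject - set to Accept (FTDv runs promiscuous; HA moves the MAC between peers)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a switch still on the vSphere defaults, which block FTDv
DEFAULT_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Constructed sample: the same switch after the policy was corrected
FIXED_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Real use on a host: audit_vswitch_policy "$(esxcli network vswitch standard policy security get -v vSwitch0)"
audit_vswitch_policy "$DEFAULT_POLICY" || echo "switch needs changes before FTDv is attached"
audit_vswitch_policy "$FIXED_POLICY"
```

Run it against every standard switch that carries an FTDv management, data or failover network; a single switch left on Reject for promiscuous mode will silently drop the traffic the sensor is supposed to inspect.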

Plan the Interfaces

You can avoid reboots and configuration issues by planning the Firepower Threat Defense Virtual vNIC and interface mapping in advance of deployment. The FTDv deploys with 10 interfaces, and must be powered up at first boot with at least 4 interfaces.

The FTDv supports the vmxnet3 (default), ixgbe, and e1000 virtual network adapters. In addition, with a properly configured system, FTDv also supports the ixgbe-vf driver for SR-IOV; see System Requirements for more information.

Important

FTDv on VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. If you are using e1000 interfaces, we strongly recommend you switch. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

Interface Guidelines and Limitations

The following sections provide guidelines and limitations for the supported virtual network adapters used with FTDv on VMware. It’s important to keep these guidelines in mind when planning your deployment.

General Guidelines

  • As previously stated, the FTDv deploys with 10 interfaces, and must be powered up at first boot with at least 4 interfaces. You need to assign a network to AT LEAST FOUR INTERFACES.

  • You do not need to use all 10 FTDv interfaces; for interfaces you do not intend to use, you can simply leave the interface disabled within the FTDv configuration.

  • Keep in mind that you cannot add more virtual interfaces to the virtual machine after deployment. If you delete some interfaces and then decide you want more, you’ll have to delete the virtual machine and start over.

  • In 6.7 and later, you can optionally configure a data interface for FMC management instead of the Management interface. The Management interface is a pre-requisite for data interface management, so you still need to configure it in your initial setup. Note that FMC access from a data interface is not supported in High Availability deployments. For more information about configuring a data interface for FMC access, see the configure network management-data-interface command in the FTD command reference.

Default VMXNET3 Interfaces

Important

FTDv on VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. If you are using e1000 interfaces, we strongly recommend you switch. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

  • The vmxnet3 driver uses two management interfaces. The first two Ethernet adapters must be configured as management interfaces; one for device management/registration, one for diagnostics.

  • For vmxnet3, Cisco recommends using a host managed by VMware vCenter when using more than four vmxnet3 network interfaces. When deployed on standalone ESXi, additional network interfaces are not added to the virtual machine with sequential PCI bus addresses. When the host is managed with a VMware vCenter, the correct order can be obtained from the XML in the configuration CDROM. When the host is running standalone ESXi, the only way to determine the order of the network interfaces is to manually compare the MAC addresses seen on the FTDv to the MAC addresses seen from the VMware configuration tool.
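Because interfaces cannot be added after deployment without rebuilding the virtual machine, the adapter plan is worth linting before the OVF is deployed. The script below is an added example, not from the Cisco guide, and the plan file format is my own: one line per virtual network adapter, "<adapter-number> <driver> <source-network>", with "-" for an adapter deliberately left without a network. It checks the General Guidelines above (at most 10 adapters, at least 4 with a network at first boot, one driver type per appliance) and the vmxnet3/ixgbe rule that adapters 1 and 2 carry Management0-0 and Diagnostic0-0. The two plans it builds are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): lint a planned FTDv adapter layout before deployment.
# Plan format (my own): "<adapter-number> <driver> <source-network>", "-" = no network assigned.

# validate_interface_plan FILE -> 0 when the plan passes every check, 1 otherwise (problems printed)
validate_interface_plan() {
    awk '
    /^#/ || NF == 0 { next }
    { n++; driver[n] = $2; net[n] = $3; seen[$2] = 1 }
    END {
        rc = 0
        if (n > 10) { print "FAIL: " n " adapters listed; the FTDv deploys with 10"; rc = 1 }
        assigned = 0
        for (i = 1; i <= n; i++) if (net[i] != "-") assigned++
        if (assigned < 4) { print "FAIL: only " assigned " adapters have a network; at least 4 are needed at first boot"; rc = 1 }
        kinds = 0
        for (d in seen) kinds++
        if (kinds > 1) { print "FAIL: mixed adapter drivers on one appliance are not supported"; rc = 1 }
        if (driver[1] == "vmxnet3" || driver[1] == "ixgbe") {
            if (net[1] != "Management0-0") { print "FAIL: adapter 1 must carry Management0-0 (found " net[1] ")"; rc = 1 }
            if (net[2] != "Diagnostic0-0") { print "FAIL: adapter 2 must carry Diagnostic0-0 (found " net[2] ")"; rc = 1 }
        }
        if (rc == 0) print "OK: " n " adapters, " assigned " with networks, driver " driver[1]
        exit rc
    }' "$1"
}

# Constructed sample: the default vmxnet3 layout with the minimum four networks assigned
GOOD_PLAN=$(mktemp)
cat > "$GOOD_PLAN" <<'EOF'
# adapter driver source-network
1 vmxnet3 Management0-0
2 vmxnet3 Diagnostic0-0
3 vmxnet3 GigabitEthernet0-0
4 vmxnet3 GigabitEthernet0-1
5 vmxnet3 -
6 vmxnet3 -
7 vmxnet3 -
8 vmxnet3 -
9 vmxnet3 -
10 vmxnet3 -
EOF

# Constructed sample: mixed drivers, diagnostic network missing, only three networks assigned
BAD_PLAN=$(mktemp)
cat > "$BAD_PLAN" <<'EOF'
1 vmxnet3 Management0-0
2 e1000 GigabitEthernet0-0
3 vmxnet3 GigabitEthernet0-1
4 vmxnet3 -
EOF

validate_interface_plan "$GOOD_PLAN"
validate_interface_plan "$BAD_PLAN" || echo "fix the plan before deploying"
```

The checks are the cheap, mechanical part of planning; the ordering problem the second bullet describes on standalone ESXi (non-sequential PCI bus addresses beyond four vmxnet3 adapters) still has to be confirmed by comparing MAC addresses after the first boot.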

The following table describes the concordance of Network Adapter, Source Networks and Destination Networks for FTDv for vmxnet3 and ixgbe interfaces.

Table 5. Source to Destination Network Mapping—VMXNET3 and IXGBE

Network Adapter    | Source Networks    | Destination Networks | Function
-------------------+--------------------+----------------------+------------------------
Network adapter 1  | Management0-0      | Management0/0        | Management
Network adapter 2  | Diagnostic0-0      | Diagnostic0/0        | Diagnostic
Network adapter 3  | GigabitEthernet0-0 | GigabitEthernet0/0   | Outside data
Network adapter 4  | GigabitEthernet0-1 | GigabitEthernet0/1   | Inside data
Network adapter 5  | GigabitEthernet0-2 | GigabitEthernet0/2   | Data traffic (Optional)
Network adapter 6  | GigabitEthernet0-3 | GigabitEthernet0/3   | Data traffic (Optional)
Network adapter 7  | GigabitEthernet0-4 | GigabitEthernet0/4   | Data traffic (Optional)
Network adapter 8  | GigabitEthernet0-5 | GigabitEthernet0/5   | Data traffic (Optional)
Network adapter 9  | GigabitEthernet0-6 | GigabitEthernet0/6   | Data traffic (Optional)
Network adapter 10 | GigabitEthernet0-7 | GigabitEthernet0/7   | Data traffic (Optional)

IXGBE Interfaces

  • (7.0 and earlier) The ixgbe driver uses two management interfaces. The first two PCI devices must be configured as management interfaces; one for device management/registration, one for diagnostics. For 7.1 and later, the diagnostic interface is not used.

  • For ixgbe, the ESXi platform requires the ixgbe NIC to support the ixgbe PCI device. In addition, the ESXi platform has specific BIOS and configuration requirements that are needed to support ixgbe PCI devices. Refer to the Intel Technical Brief for more information.

  • The only ixgbe traffic interface types supported are routed and ERSPAN passive. This is due to VMware limitations with respect to MAC address filtering.

  • The ixgbe driver does not support failover (HA) deployments of Firepower Threat Defense Virtual.

E1000 Interfaces

Important

FTDv on VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. If you are using e1000 interfaces, we strongly recommend you switch. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

  • (7.0 and earlier) The management interface (br1) for the e1000 driver is a bridged interface with two MAC addresses, one for management and one for diagnostics. For 7.1 and later, the diagnostic interface is not used.

  • If you are upgrading your FTDv to 6.4 and are using e1000 interfaces, you should replace the e1000 interfaces with either vmxnet3 or ixgbe interfaces for greater network throughput.

The following table describes the concordance of Network Adapter, Source Networks and Destination Networks for FTDv for the default e1000 interfaces.

Table 6. Source to Destination Network Mapping—E1000 Interfaces

Network Adapter    | Source Networks    | Destination Networks                                           | Function
-------------------+--------------------+----------------------------------------------------------------+--------------------------------------------
Network adapter 1  | Management0-0      | (7.1 and later) Management0/0; (7.0 and earlier) Diagnostic0/0 | Management and (7.0 and earlier) diagnostic
Network adapter 2  | GigabitEthernet0-0 | GigabitEthernet0/0                                             | Outside data
Network adapter 3  | GigabitEthernet0-1 | GigabitEthernet0/1                                             | Inside data
Network adapter 4  | GigabitEthernet0-2 | GigabitEthernet0/2                                             | Data traffic (Required)
Network adapter 5  | GigabitEthernet0-3 | GigabitEthernet0/3                                             | Data traffic (Optional)
Network adapter 6  | GigabitEthernet0-4 | GigabitEthernet0/4                                             | Data traffic (Optional)
Network adapter 7  | GigabitEthernet0-5 | GigabitEthernet0/5                                             | Data traffic (Optional)
Network adapter 8  | GigabitEthernet0-6 | GigabitEthernet0/6                                             | Data traffic (Optional)
Network adapter 9  | GigabitEthernet0-7 | GigabitEthernet0/7                                             | Data traffic (Optional)
Network adapter 10 | GigabitEthernet0-8 | GigabitEthernet0/8                                             | Data traffic (Optional)

Configure VMXNET3 Interfaces

Important

Starting with the 6.4 release, FTDv and FMCv on VMware default to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. If you are using e1000 interfaces, we strongly recommend you switch. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

To change e1000 interfaces to vmxnet3, you must delete ALL interfaces and reinstall them with the vmxnet3 driver.

Although you can mix interfaces in your deployment (such as, e1000 interfaces on a virtual Firepower Management Center and vmxnet3 interfaces on its managed virtual device), you cannot mix interfaces on the same virtual appliance. All sensing and management interfaces on the virtual appliance must be of the same type.

Procedure

Step 1

Power off the FTDv or FMCv Virtual Machine.

To change the interfaces, you must power down the appliance.

Step 2

Right-click the FTDv or FMCv Virtual Machine in the inventory and select Edit Settings.

Step 3

Select the applicable network adapters and then select Remove.

Step 4

Click Add to open the Add Hardware Wizard.

Step 5

Select Ethernet adapter and click Next.

Step 6

Select the vmxnet3 adapter and then choose the network label.

Step 7

Repeat for all interfaces on the FTDv.

What to do next

  • Power on the FTDv or FMCv from the VMware console.

Adding Interfaces

You can have a total of 10 interfaces (1 management, 1 diagnostic, 8 data interfaces) when you deploy an FTDv device. For data interfaces, make sure that the Source Networks map to the correct Destination Networks, and that each data interface maps to a unique subnet or VLAN.

Caution
You cannot add more virtual interfaces to the virtual machine and then have FTDv automatically recognize them. Adding interfaces to a virtual machine requires that you completely wipe out the FTDv configuration. The only part of the configuration that remains intact is the management address and gateway settings.

If you need more physical-interface equivalents for an FTDv device, you essentially have to start over. You can either deploy a new virtual machine, or you can use the "Scan for Interface Changes, and Migrate an Interface" procedure in the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
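The following PowerCLI script is an added example and is not part of the Cisco guide. It automates the e1000-to-vmxnet3 procedure above (power off, remove all adapters, recreate each one as vmxnet3 on the same port group, power on) and, before touching anything, applies the checks from the Adding Interfaces section: at most 10 vNICs, no mixed adapter types on one appliance, and a distinct network label for every data interface. It goes slightly beyond the manual steps by running as a dry run unless -Apply is given. The vCenter name and VM name are placeholders, and it assumes the FTDv convention that VM adapter order determines interface roles (first adapter = management, second = diagnostic, the rest = data), which is why adapters are recreated in their original order.

```powershell
# Added example (not from the Cisco guide): replace every e1000 vNIC on an
# FTDv/FMCv with a vmxnet3 vNIC on the same port group, preserving adapter order.
# Requires the VMware.PowerCLI module and rights to edit the VM's hardware.
param(
    [string]$VCenter = 'vcenter.example.internal',   # assumption: your vCenter FQDN
    [string]$VMName  = 'ftdv-01',                    # assumption: FTDv or FMCv VM name
    [switch]$Apply                                    # default is a dry run
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$vm = Get-VM -Name $VMName -ErrorAction Stop

# 1. Inventory adapters in device order ("Network adapter 1", "Network adapter 2", ...).
#    FTDv maps adapter order to interface roles (mgmt, diag, data...), so the
#    order and the network label of each adapter must survive the swap.
$adapters = Get-NetworkAdapter -VM $vm |
    Sort-Object { [int]($_.Name -replace '\D', '') }

if ($adapters.Count -gt 10) {
    throw "FTDv supports at most 10 vNICs (1 mgmt, 1 diag, 8 data); found $($adapters.Count)."
}

# Data interfaces (third adapter onwards) must each map to a unique port group/VLAN.
$dataLabels = $adapters | Select-Object -Skip 2 | ForEach-Object NetworkName
$dupes = $dataLabels | Group-Object | Where-Object Count -gt 1
if ($dupes) {
    throw "Data interfaces share a network label: $($dupes.Name -join ', ')"
}

# 2. Mixed adapter types on one appliance are unsupported: refuse to proceed
#    if the VM is already mixed, and do nothing if it is already all vmxnet3.
$types = $adapters.Type | Sort-Object -Unique
if ($types.Count -gt 1) {
    throw "Mixed adapter types on $VMName ($($types -join ', ')); resolve this manually first."
}
if ($types -eq 'Vmxnet3') {
    Write-Host "All $($adapters.Count) adapters are already vmxnet3; nothing to do."
    return
}

# Snapshot the plan before any adapter is removed (the objects go stale afterwards).
$plan = $adapters | Select-Object Name, Type, NetworkName, MacAddress
$plan | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Dry run. Re-run with -Apply to power off, replace the adapters and power on.'
    return
}

# 3. Step 1: power off. Stop-VM is a hard power-off; a clean 'shutdown' from
#    the FTD CLI beforehand is preferable on a production appliance.
if ($vm.PowerState -ne 'PoweredOff') {
    Stop-VM -VM $vm -Confirm:$false | Out-Null
}

# 4. Steps 3-7: remove every adapter, then recreate each as vmxnet3 on the same
#    port group, in the original order.
Remove-NetworkAdapter -NetworkAdapter $adapters -Confirm:$false
foreach ($a in $plan) {
    New-NetworkAdapter -VM $vm -NetworkName $a.NetworkName -Type Vmxnet3 `
        -StartConnected -Confirm:$false | Out-Null
}

# 5. Power on and show the result. vSphere generates new MAC addresses for the
#    new adapters, so update any DHCP reservations or MAC-based port-security
#    rules that referenced the old ones (compare against $plan.MacAddress).
Start-VM -VM $vm | Out-Null
Get-NetworkAdapter -VM $vm |
    Select-Object Name, Type, NetworkName, MacAddress |
    Format-Table -AutoSize
```

Run it once without -Apply to review the plan, then with -Apply during a maintenance window. The script deliberately stops on a VM that already mixes adapter types rather than "fixing" it, because it cannot know which adapter the operator intends to keep; it also does not try to add adapters, since, as the caution above explains, adding interfaces to an existing FTDv wipes its configuration.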

FAQs

What is Cisco FTDv?

Cisco Firepower Threat Defense is a unified software image combining Cisco ASA and Cisco Firepower features into one complete hardware and software system. Cisco FTDv is a virtualized image of FTD that can be deployed on a virtual machine.

How do I install FTDv?

Installing Cisco FMC with FTDv in VMware
  1. First, download the Cisco FMC image file from the Cisco portal.
  2. Decompress the .tar.gz file to extract the OVF file.
  3. For FMC, import the OVF template in your vSphere Center.
  4. Assign requirements to the FMC machine and at the end select Finish.
  5. Wait until the deployment is done.

What is Fprtd V k9?

Firepower Threat Defense Virtual uses promiscuous mode to operate, and Firepower Threat Defense Virtual high availability depends on switching the MAC address between the active and the standby to operate correctly.

Does Cisco FTD support multi-context?

The FTD 2130 cannot do multi-tenancy (multi-context). Only the FTD 4100 and 9300 can do this.

Is Cisco FTD a firewall?

Moreover, the Cisco FTD device includes a single firewall to protect against threats from all traffic directions: inbound, outbound and internal to the enterprise. The products include routers, servers, firewalls, VPN gateways, and IDS/IPS devices, providing security for networks against multiple types of attacks.

What is the difference between Firepower and FTD?

Hi, the main difference is that the Firepower device is an add-on that you can have inside the ASA software; on FTD the ASAv and the Firepower code are mixed into the same appliance. In terms of how it works it's the same, just the way that it is operating within the box.

What is the difference between K8 and K9?

A. In general, the K8 and K9 designators in Cisco product part numbers refer to unrestricted and restricted encryption respectively (Table 2). These designators have been defined by Cisco to be used in product part numbers of products that support encryption.

How do virtual firewalls work?

Like hardware firewalls, virtual firewalls grant or reject network access to traffic flows between untrusted zones and trusted zones. Unlike hardware firewalls, which are physically located on-premises in data centers, virtual firewalls are essentially software, making them ideal for securing virtual environments.

What is Firepower in networking?

Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution.

Can we configure FTD without FMC?

You cannot manage an FTD centrally using FMC and migrate the configuration to be managed locally using FDM. It's one or the other. You could use CDO (Cisco Defense Orchestrator) to migrate your ASA configuration to the FTD.

What does Cisco FTD stand for?

Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.

What is FTD in Firepower?

Cisco Firepower Threat Defense (FTD) is an integrated software image combining Cisco ASA and FirePOWER features into one inclusive hardware and software system.

What is the difference between Cisco ASA and Firepower?

Cisco Firepower

The ASA was the basic software, but it lacked the advanced next-gen and IPS functionality. The next-gen ASA software had a Firepower module that ran inline on top of the existing architecture of the ASA. The module then would provide IPS, Malware, and URL filtering capabilities through Firepower.

How many FTDs can FMC manage?

The virtual FMC can manage up to 25 devices/sensors.

What replaces the Cisco ASA?

The Cisco Firepower 1010 Series is the replacement for the ASA 5506-X with FirePOWER.

What does FMC stand for in Cisco?

The Cisco Secure Firewall Management Center (FMC) is an administrative service to manage Cisco security products running on multiple platforms.

What is Cisco SecureX architecture?

SecureX is a cloud-native, built-in platform experience that connects our Cisco Secure portfolio and your infrastructure. It is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency with automated workflows.

What are Cisco Catalyst switches used for?

Medium- to high-end Cisco Catalyst switches were designed based on the distributed forwarding model to scale to the demands of campus and data center networks. Cisco Catalyst switches leverage CEF (topology-based switching) for routing of frames as a means to implement a distributed hardware forwarding model.

What does Cisco ESA stand for?

Cisco Email Security Appliance product versions

The Cisco Email Security Appliance (ESA) is available for cloud architectures, local hardware appliance deployments, virtual appliance deployments and hybrid architectures.
