You did such a great job on this video, thanks for your support
Thank you!
Great video! Awesome work sharing this. Thanks!
Thank you Martin!
If you have a route-based site-to-site VPN to on-premise from the FTDs, how does one handle routing to ensure the FTD that passes the traffic to on-premise is the one that will receive it back from on-premise?
Anubhav, amazing tutorial. How can I modify the ARM template to use 7.2 so I can manage via FMC CDO? I'm new at implementing workloads in Azure, but your current template worked perfectly, just on 6.4. Also, I noticed that you didn't apply NSGs to a resource; did I miss anything?
Hi Steve, please check this link: github.com/CiscoDevNet/secure-firewall/tree/main/FTD/Azure
We have updated ARM and Terraform templates!
@AnubhavSwami I was able to attach vFMC to the management subnet and upgrade the device to 7.2. I will use the new ARM templates next time. For someone who hasn't done this before, you made it sooooooo easy.
Hey, nice explanation Anubhav!
Thanks Arpit
Great video! How would you configure multiple services with different public IPs behind the FTD firewalls? More public IP addresses on the ELB? And different NAT rules?
You can add multiple IPs on the external interface and create a 1-to-1 mapping on the firewall.
@AnubhavSwami Sorry, I am not clear on this. Taking the example you showed, where exactly will the PIPs be configured on the ELB? And then how to do NAT, and where? Please elaborate. Thanks.
With the new Cisco firewall Azure Marketplace deployment, you get to choose bring your own license; does your template install that choice?
It should be noted that as of June 30, 2022, both the US commercial and US Gov Azure dashboards will not let you install Cisco firewall if your subnet has IPv6.
Please check this link: github.com/CiscoDevNet/secure-firewall/tree/main/ASA/Azure/ARM%20Template/Deployment
thank you
@AnubhavSwami
@markrawson1435 You are welcome!
I am confused about the external FW side to the external LB. You set the GW to .82.2.1 on the FWs, so are you using a UDR? Wouldn't you point the external GW of the FWs to the private IP on the external LB?
In the use case, outbound traffic is routed via the Azure native fabric --> Internet. This traffic is not routed to the public load balancer because the ELB/PLB can only handle outbound traffic for which there is a load balancing rule. Any port not defined in the PLB/ELB will be dropped directly.
@AnubhavSwami ...thank you for the explanation...
It looks like you have made some major changes to the template since producing the video. I'm running into issues with the fact that the current version is using blob storage for the osdisk which doesn't work with an availability set configured to be aligned/use managed disks which is what you showed in the demo. I'm pretty sure I could get things to work with blob storage but it largely defeats the purpose of building the availability set as the storage becomes a single point of failure. I've tried modifying the template but no luck so far.
You just need to create the availability set with unmanaged disks.
Great video! Is it possible to configure a site-to-site IPsec tunnel between Azure FTDv and on-prem instead of using the Azure virtual gateway?
Yes, you can configure it.
@@AnubhavSwami Thanks Anubhav
@AnubhavSwami Is there any video on how to configure Azure FTD to on-prem FTD IPsec?
Hi Anubhav, I also need the ARM template for FW deployment; can you please share it?
Template is available here: github.com/cisco-security/public-cloud/tree/master/ngfwv-in-azure
Can this configuration be replicated for ASAvs? I am having issues configuring NAT from management to outside and inside with static routes on the ASAv to make Azure ELB/ILB health probes work.
Unfortunately the configuration cannot be replicated; you need to apply similar configuration on the ASAs separately. You can also use the traffic port as your probe port, which will avoid adding additional NAT configuration.
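An added example, not code from the video or the CiscoDevNet templates: a Terraform (azurerm provider) fragment showing the "probe on the traffic port" idea from the reply above, and the point from the earlier reply that the ELB only handles traffic for which a load balancing rule exists. All resource names, the variables, and the interface/port values are constructed placeholders; it assumes an existing resource group and the two FTDv outside-interface NICs.

```hcl
# Added example, not from the video or the CiscoDevNet templates.
# Assumes an existing resource group and two FTDv outside NICs whose ids are
# passed in via var.ftdv_outside_nic_ids (constructed names throughout).

variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "ftdv_outside_nic_ids" { type = list(string) }

resource "azurerm_public_ip" "elb_pip" {
  name                = "ftdv-elb-pip"
  location            = var.location
  resource_group_name = var.resource_group_name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "elb" {
  name                = "ftdv-elb"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "elb-frontend"
    public_ip_address_id = azurerm_public_ip.elb_pip.id
  }
}

resource "azurerm_lb_backend_address_pool" "ftdv_outside" {
  name            = "ftdv-outside-pool"
  loadbalancer_id = azurerm_lb.elb.id
}

# Put both FTDv outside interfaces in the pool (ipconfig name is assumed).
resource "azurerm_network_interface_backend_address_pool_association" "ftdv" {
  count                   = length(var.ftdv_outside_nic_ids)
  network_interface_id    = var.ftdv_outside_nic_ids[count.index]
  ip_configuration_name   = "ipconfig1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.ftdv_outside.id
}

# Probe the same TCP port the rule forwards (443). The FTDv's existing
# service NAT answers the probe, so no separate probe-port NAT is needed.
resource "azurerm_lb_probe" "https" {
  name                = "probe-tcp-443"
  loadbalancer_id     = azurerm_lb.elb.id
  protocol            = "Tcp"
  port                = 443
  interval_in_seconds = 5
  number_of_probes    = 2
}

# The ELB only handles traffic that matches a rule like this one; a port
# with no rule is not forwarded by the ELB at all.
resource "azurerm_lb_rule" "https" {
  name                           = "rule-tcp-443"
  loadbalancer_id                = azurerm_lb.elb.id
  protocol                       = "Tcp"
  frontend_port                  = 443
  backend_port                   = 443
  frontend_ip_configuration_name = "elb-frontend"
  probe_id                       = azurerm_lb_probe.https.id
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.ftdv_outside.id]
  # Keep the real client source IP visible to the firewall for logging/policy.
  disable_outbound_snat          = true
}
```

If a service is exposed on a port that the firewall itself does not listen on, a probe on that port only succeeds while the FTDv NAT rule for that service is in place, so a missing or broken NAT rule takes the unit out of rotation rather than silently black-holing traffic.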
For the inbound from on-prem to cloud, do we need to set up a UDR at the gateway subnet? I have a similar setup; it's not working.
Could you please tell me what is not working? It should work.
I did not see it, but did you share the ARM templates somewhere? Thank you, Rick
Hello Richard, I am in the process of uploading the same on GitHub; if you leave your email address here, I will send it to you.
Please find the template here: github.com/cisco-security/public-cloud/tree/master/ngfwv-in-azure
Do you need a UDR for your public subnet (gi2) for traffic coming from inside to the Internet?
Or should we have another public IP address assigned to the interface in Azure?
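An added example, not code from the video or the CiscoDevNet templates, of the UDR on the GatewaySubnet asked about above, written as a Terraform (azurerm provider) fragment. It assumes a hub VNet that already contains a GatewaySubnet with a VPN gateway, an internal load balancer in front of the FTDv inside interfaces, and an application subnet; the subnet ids, the 10.82.3.4 ILB frontend, the 10.82.10.0/24 application prefix and the 192.168.0.0/16 on-prem range are all constructed placeholders.

```hcl
# Added example, not from the video or the CiscoDevNet templates.
# Constructed values:
#   10.82.3.4      ILB frontend IP on the FTDv inside subnet
#   10.82.10.0/24  application subnet reached from on-prem
#   192.168.0.0/16 on-prem address range

variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "gateway_subnet_id" { type = string }
variable "app_subnet_id" { type = string }

# UDR applied to the GatewaySubnet: on-prem -> app traffic arriving through
# the VPN gateway is handed to the ILB, so an FTDv inspects it instead of the
# gateway delivering it straight to the VM.
resource "azurerm_route_table" "gateway_subnet" {
  name                = "rt-gatewaysubnet"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_route" "onprem_to_app_via_ftdv" {
  name                   = "onprem-to-app-via-ftdv"
  resource_group_name    = var.resource_group_name
  route_table_name       = azurerm_route_table.gateway_subnet.name
  address_prefix         = "10.82.10.0/24"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = "10.82.3.4"
}

resource "azurerm_subnet_route_table_association" "gateway_subnet" {
  subnet_id      = var.gateway_subnet_id
  route_table_id = azurerm_route_table.gateway_subnet.id
}

# Return path: the application subnet sends on-prem destinations back to the
# same ILB. Without this the reply bypasses the firewall and the stateful
# FTDv that saw the request never sees the answer.
resource "azurerm_route_table" "app_subnet" {
  name                = "rt-app-subnet"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_route" "app_to_onprem_via_ftdv" {
  name                   = "app-to-onprem-via-ftdv"
  resource_group_name    = var.resource_group_name
  route_table_name       = azurerm_route_table.app_subnet.name
  address_prefix         = "192.168.0.0/16"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = "10.82.3.4"
}

resource "azurerm_subnet_route_table_association" "app_subnet" {
  subnet_id      = var.app_subnet_id
  route_table_id = azurerm_route_table.app_subnet.id
}
```

Two things to check when "it's not working": a 0.0.0.0/0 route is not allowed on the GatewaySubnet, so only specific prefixes can be overridden there, and with two FTDvs behind one ILB both directions of a flow must land on the same unit or the stateful firewall drops the half it did not see.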