Clustering for the Threat Defense Virtual in a Public Cloud

Clustering lets you group multiple threat defense virtuals together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. You can deploy threat defense virtual clusters in a public cloud using Amazon Web Services (AWS), Google Cloud Platform (GCP), or Azure. Only routed firewall mode is supported.

NOTE: From version 7.4.1 onwards, you can deploy an FTDv cluster without the Diagnostic interface (leaving Outside, Inside, Management and CCL).
To do so, set the "withDiagnostic" variable to False in both the infrastructure.yaml file and the deploy_ngfw_cluster.yaml file for your topology (either north-south/deploy_ngfw_cluster.yaml or east-west/deploy_ngfw_cluster.yaml).

Cloud Formation Template Deployment

Prerequisites:

Deployment can be run from any macOS/Linux/Windows machine with the Google Cloud SDK installed, or from Google Cloud Shell.

Pre-deployment Steps:

Step-1: Edit "infrastructure.yaml", "cluster_function_infra.yaml" and either "north-south/deploy_ngfw_cluster.yaml" or "east-west/deploy_ngfw_cluster.yaml", as applicable: set resourceNamePrefix and provide the required user inputs.
e.g. resourceNamePrefix = ngfwvcls

Step-2: Create a bucket named "ngfwvcls-ftdv-cluster-bucket" for uploading the Google Cloud Function source archive "ftdv_cluster_function.zip".
a) Create the bucket using the CLI below on Google Cloud Shell (--pap enforced enables public access prevention on the bucket, so the function source cannot be made publicly readable):

'gsutil mb --pap enforced gs://ngfwvcls-ftdv-cluster-bucket/'

b) Create the zip using the CLI below (macOS/Linux users):
'zip -j ftdv_cluster_function.zip ./cluster-function/*'

Note: if the bucket name is different, edit cluster_function_infra.yaml accordingly in the pre-deployment step.
c) Upload the Google Cloud Function source archive to the bucket using the CLI below on Google Cloud Shell:
'gsutil cp ftdv_cluster_function.zip gs://ngfwvcls-ftdv-cluster-bucket'

Note: if the source archive name is different, edit cluster_function_infra.yaml accordingly in the pre-deployment step.

Deployment Steps:

Step-3:
To deploy without the Diagnostic network interface, ensure that the "withDiagnostic" variable is set to False in the infrastructure.yaml file.
Deploy the infrastructure for the FTDv cluster using the CLI below on Google Cloud Shell:

'gcloud deployment-manager deployments create <name> --config infrastructure.yaml'

Step-4:
a) Launch and set up FMCv in the FTDv management VPC if working with private IPs.
b) Create a VPC connector for Cloud Functions in the FTDv management VPC; it is used in step-5:
'gcloud compute networks vpc-access connectors create <name> --region us-central1 --subnet ngfwvcls-ftdv-mgmt-subnet28'

Note: the VPC connector name is used in cluster_function_infra.yaml as the input for vpcConnectorName.

Step-5:
Set "deployWithExternalIP" to True in cluster_function_infra.yaml if the FTDv requires an external IP. Deploy the FTDv cluster Google Cloud Function using the CLI below on Google Cloud Shell:

'gcloud deployment-manager deployments create <name> --config cluster_function_infra.yaml'

Step-6:
To deploy without the Diagnostic network interface, ensure that the "withDiagnostic" variable is set to False in the deploy_ngfw_cluster.yaml file.
Set the variable "deployUsingExternalIP" to 1 in deploy_ngfw_cluster.yaml if the FTDv requires an external IP.
Deploy the FTDv cluster using the CLI below on Google Cloud Shell:
a) For North-South topology deployment:
'gcloud deployment-manager deployments create <name> --config north-south/deploy_ngfw_cluster.yaml'

b) For East-West topology deployment:

'gcloud deployment-manager deployments create <name> --config east-west/deploy_ngfw_cluster.yaml'
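The steps above set the same handful of values in three different files, and a mismatch (for example withDiagnostic left True in the cluster template, or the two external-IP switches disagreeing) only shows up after the deployments have been created. The pre-flight script below, added here and not part of the repository, checks that the files agree before you run the gcloud commands. It assumes each setting appears as an indented "key: value" line in the YAML; the sample files it creates are constructed stand-ins, not the real templates.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not part of the repository): confirms that the values
# the steps above ask you to set agree across the three config files.
# Assumption: each setting appears as an indented "key: value" line.

# Print the first value found for KEY in FILE, stripping quotes and whitespace.
yaml_value() {  # usage: yaml_value FILE KEY
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"' \r"
}

# Map the page's two spellings of "external IP" (True vs 1) onto yes/no.
as_flag() {
  case "$1" in True|true|1) echo yes ;; *) echo no ;; esac
}

# check_cluster_config INFRA_YAML CLUSTER_FUNCTION_YAML DEPLOY_NGFW_YAML
# Returns 0 when the files agree, 1 otherwise (reasons go to stderr).
check_cluster_config() {
  infra=$1; func=$2; ngfw=$3; ok=0
  prefix=$(yaml_value "$infra" resourceNamePrefix)
  [ "$prefix" = "$(yaml_value "$func" resourceNamePrefix)" ] &&
    [ "$prefix" = "$(yaml_value "$ngfw" resourceNamePrefix)" ] ||
    { echo "resourceNamePrefix differs between the files" >&2; ok=1; }
  # Steps 3 and 6: withDiagnostic must match, or the interface layout differs.
  [ "$(yaml_value "$infra" withDiagnostic)" = "$(yaml_value "$ngfw" withDiagnostic)" ] ||
    { echo "withDiagnostic differs between infrastructure and cluster template" >&2; ok=1; }
  # Steps 5 and 6: deployWithExternalIP (True) and deployUsingExternalIP (1)
  # must agree, or nodes may get public addresses the function does not expect.
  [ "$(as_flag "$(yaml_value "$func" deployWithExternalIP)")" = \
    "$(as_flag "$(yaml_value "$ngfw" deployUsingExternalIP)")" ] ||
    { echo "external IP settings disagree between function and cluster template" >&2; ok=1; }
  return $ok
}

# Constructed sample files standing in for the repository's YAML (not the real ones).
d=$(mktemp -d); mkdir -p "$d/north-south"
printf '    resourceNamePrefix: ngfwvcls\n    withDiagnostic: False\n' > "$d/infrastructure.yaml"
printf '    resourceNamePrefix: ngfwvcls\n    deployWithExternalIP: True\n' > "$d/cluster_function_infra.yaml"
printf '    resourceNamePrefix: ngfwvcls\n    withDiagnostic: False\n    deployUsingExternalIP: 1\n' \
  > "$d/north-south/deploy_ngfw_cluster.yaml"
# A mismatched copy: Diagnostic interface left enabled only in the cluster template.
sed 's/withDiagnostic: False/withDiagnostic: True/' "$d/north-south/deploy_ngfw_cluster.yaml" > "$d/mismatch.yaml"

check_cluster_config "$d/infrastructure.yaml" "$d/cluster_function_infra.yaml" \
  "$d/north-south/deploy_ngfw_cluster.yaml" && echo "configs consistent"
```

Point the three arguments at your edited infrastructure.yaml, cluster_function_infra.yaml and the deploy_ngfw_cluster.yaml for your topology, and only run Step-3 onwards when it prints "configs consistent".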