| Parameter | Type | Description |
|---|---|---|
| DeploymentType | String | The deployment type, which determines how traffic from the threat defense virtual is processed towards the GWLB or the internet.<br>- Single-arm: the threat defense virtual returns the inspected traffic to the GWLB, and the traffic is then forwarded to the destination.<br>- Dual-arm: the threat defense virtual performs network address translation (NAT) and then forwards the outbound traffic from its outside interface directly to the internet through the NAT gateway.<br>Note: Availability Zone (AZ)-specific inside interface security groups are now created by the template, instead of one common security group for the inside interfaces in all availability zones. |
| PodNumber | String<br>Allowed pattern: `^\d{1,3}$` | The pod number. It is appended as a suffix to the Auto Scale Group name (threat defense virtual-Group-Name). For example, if this value is `1`, the group name is threat defense virtual-Group-Name-1.<br>It must be at least 1 and at most 3 numerical digits.<br>Default: 1 |
| AutoscaleGrpNamePrefix | String | The Auto Scale Group name prefix. The pod number is added as a suffix.<br>Maximum: 18 characters<br>Example: Cisco-threat defense virtual-1 |
| NotifyEmailID | String | Auto Scale events are sent to this email address. You need to accept the subscription email request.<br>Example: admin@company.com |
| VpcId | String | The ID of the VPC in which the device is deployed. It must be configured as per AWS requirements.<br>Type: `AWS::EC2::VPC::Id`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| LambdaSubnets | List | The subnets in which the Lambda functions are deployed.<br>Type: `List<AWS::EC2::Subnet::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| LambdaSG | List | The security groups for the Lambda functions.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| S3BktName | String | The name of the S3 bucket for files. It must be configured in your account as per AWS requirements.<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| LoadBalancerType | String | The type of internet-facing load balancer, either "application" or "network".<br>Example: application |
| LoadBalancerSG | String | The security groups for the load balancer. For a network load balancer they are not used, but a security group ID must still be provided.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| LoadBalancerPort | Integer | The load balancer port. It is opened on the load balancer with either HTTP/HTTPS or TCP/TLS as the protocol, depending on the chosen load balancer type.<br>Make sure the port is a valid TCP port; it is used to create the load balancer listener.<br>Default: 80 |
| SSLcertificate | String | The ARN of the SSL certificate for secured port connections. If it is not specified, the port opened on the load balancer is TCP/HTTP; if it is specified, the port opened on the load balancer is TLS/HTTPS. |
| TgHealthPort | Integer | The port used by the target group for health probes. Health probes arriving at this port on the threat defense virtual are routed to the AWS metadata server, so the port must not be used for traffic. It must be a valid TCP port.<br>If you want your application itself to reply to the health probes, the NAT rules on the threat defense virtual can be changed accordingly. In that case, if the application does not respond, the threat defense virtual is marked unhealthy and deleted by the Unhealthy instance threshold alarm.<br>Example: 8080 |
| AssignPublicIP | Boolean | If "true", a public IP is assigned. For a BYOL-type threat defense virtual, this is required to connect to https://tools.cisco.com.<br>Example: TRUE |
| InstanceType | String | The Amazon Machine Image (AMI) supports different instance types, which determine the size of the instance and the amount of memory.<br>Use only the AMI instance types that the threat defense virtual supports.<br>Example: c4.2xlarge |
| LicenseType | String | The threat defense virtual license type, either BYOL or PAYG. Make sure the related AMI ID is of the same licensing type.<br>Example: BYOL |
| AmiId | String | The threat defense virtual AMI ID (a valid Cisco threat defense virtual AMI ID).<br>Type: `AWS::EC2::Image::Id`<br>Choose the AMI ID that matches the region and the desired version of the image. The Auto Scale feature supports version 6.4+ BYOL/PAYG images. In either case you must have accepted a license in the AWS Marketplace.<br>For BYOL, update the `licenseCaps` key in the Configuration JSON with features such as `BASE`, `MALWARE`, `THREAT`, `URLFilter`, and so on. |
| NoOfAZs | Integer | The number of availability zones that the threat defense virtual should span, between 1 and 3. For an ALB deployment the minimum value is 2, as required by AWS.<br>Example: 2 |
| ListOfAzs | Comma-separated string | A comma-separated list of zones, in order.<br>Note: The order in which the zones are listed matters. The subnet lists must be given in the same order.<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value.<br>Example: us-east-1a, us-east-1b, us-east-1c |
| MgmtInterfaceSG | String | The security group for the threat defense virtual management interface.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| InsideInterfaceSG | String | The security group for the threat defense virtual inside interface.<br>Type: `AWS::EC2::SecurityGroup::Id`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| OutsideInterfaceSG | String | The security group for the threat defense virtual outside interface.<br>Type: `AWS::EC2::SecurityGroup::Id`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value.<br>Example: sg-0c190a824b22d52bb |
| MgmtSubnetId | Comma-separated list | A comma-separated list of management subnet IDs. The list must be in the same order as the corresponding availability zones.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| InsideSubnetId | Comma-separated list | A comma-separated list of inside (Gig0/0) subnet IDs. The list must be in the same order as the corresponding availability zones.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| OutsideSubnetId | Comma-separated list | A comma-separated list of outside (Gig0/1) subnet IDs. The list must be in the same order as the corresponding availability zones.<br>Type: `List<AWS::EC2::SecurityGroup::Id>`<br>If the "infrastructure.yaml" file was used to deploy the infrastructure, the output section of that stack contains this value; use that value. |
| KmsArn | String | The ARN of an existing KMS key (the AWS KMS key used to encrypt at rest). If it is specified, the management center and threat defense virtual passwords must be encrypted, and only with the specified key.<br>Generating an encrypted password: `aws kms encrypt --key-id <KMS ARN> --plaintext <password>`. Use the passwords generated this way as shown.<br>Example: arn:aws:kms:us-east-1:[AWS Account]:key/7d586a25-5875-43b1-bb68-a452e2f6468e |
| ngfwPassword | String | All threat defense virtual instances come up with a default password, which is entered in the Userdata field of the launch template (Auto Scale group). This input changes that password to the newly provided password once the threat defense virtual is accessible.<br>Use a plain-text password if no KMS ARN is used. If a KMS ARN is used, an encrypted password must be used.<br>Example: Cisco123789! or AQIAgcQFAGtz/hvaxMtJvY/x/rfHnI3lPpSXU |
| fmcServer | Numeric string | The IP address of the management center, which must be reachable from both the Lambda functions and the threat defense virtual management interface.<br>Example: 10.10.17.21 |
| fmcOperationsUsername | String | A user with the Network-Admin or higher privileged role, created in the management center. See the information about creating users and roles in the Cisco Secure Firewall Management Center Device Configuration Guide.<br>Example: apiuser-1 |
| fmcOperationsPassword | String | Use a plain-text password if no KMS ARN is specified. If a KMS ARN is specified, an encrypted password must be used.<br>Example: Cisco123@ or AQICAHgcQAtz/hvaxMtJvY/x/rnKI3clFPpSXUHQRnCAajB |
| fmcDeviceGrpName | String | The management center device group name.<br>Example: AWS-Cisco-NGFW-VMs-1 |
| fmcPerformanceLicenseTier | String | The performance tier license used when registering the threat defense virtual device on the management center virtual.<br>Allowed values: FTDv/FTDv20/FTDv30/FTDv50/FTDv100<br>Note: FTDv5 and FTDv10 performance tier licenses are not supported with AWS Gateway Load Balancer. |
| fmcPublishMetrics | Boolean | If set to "TRUE", a Lambda function is created that runs once every 2 minutes to fetch the memory consumption of the registered threat defense virtual sensors in the given device group.<br>Allowed values: TRUE, FALSE<br>Example: TRUE |
| fmcMetricsUsername | String | The unique management center user name used for metric publication to AWS CloudWatch. See the information about creating users and roles in the Cisco Secure Firewall Management Center Device Configuration Guide.<br>If "fmcPublishMetrics" is set to "FALSE", this input is not needed.<br>Example: publisher-1 |
| fmcMetricsPassword | String | The management center password used for metric publication to AWS CloudWatch. Use a plain-text password if no KMS ARN is specified; if a KMS ARN is specified, an encrypted password must be used.<br>If "fmcPublishMetrics" is set to "FALSE", this input is not needed.<br>Example: Cisco123789! |
| CpuThresholds | Comma-separated integers | The lower and upper CPU thresholds. The minimum value is 0 and the maximum value is 99.<br>Defaults: 10, 70<br>The lower threshold must be less than the upper threshold.<br>Example: 30,70 |
| MemoryThresholds | Comma-separated integers | The lower and upper memory thresholds. The minimum value is 0 and the maximum value is 99.<br>Defaults: 40, 70<br>The lower threshold must be less than the upper threshold. If "fmcPublishMetrics" is "FALSE", this parameter has no effect.<br>Example: 40,50 |
| Instance Metadata Service Version | Boolean | The Instance Metadata Service (IMDS) version to enable for the Threat Defense Virtual instances:<br>- V1 and V2 (token optional): enables IMDSv1, IMDSv2, or a combination of both IMDSv1 and IMDSv2 API calls.<br>- V2 only (token required): enables only IMDSv2 mode.<br>Note: Threat Defense Virtual version 7.6 and later support only IMDSv2. If you are enabling IMDSv2 for a version earlier than 7.6, you must select "V1 and V2 (token optional)", which enables both IMDSv1 and IMDSv2.<br>Note: If you are using a custom template (one not provided by Cisco), you must include the `HttpEndpoint: enabled` and `HttpTokens: required` properties under `MetadataOptions` in your template to enable IMDSv2 Required mode. |
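The table above states several rules that span more than one parameter: the PodNumber pattern, the AutoscaleGrpNamePrefix length, NoOfAZs against the ALB minimum, ListOfAzs and the three subnet lists having to agree in count and order, passwords having to be KMS ciphertext whenever KmsArn is set, and each threshold pair being ordered and within 0..99. The validator below, added here as an example and not part of Cisco's template or Lambda code, checks those rules on a parameter set before the stack is created. The KMS ARN regular expression and the base64 ciphertext heuristic are this example's own assumptions, and the sample account, subnet IDs and ciphertext are constructed placeholders.

```python
# Pre-flight validation of the Auto Scale deployment template parameters.
# Added example (not Cisco's code): it applies the cross-parameter rules from
# the table above locally, before the CloudFormation stack is created.
import base64
import binascii
import re

POD_NUMBER_RE = re.compile(r"^\d{1,3}$")  # PodNumber allowed pattern from the table
PREFIX_MAX_LEN = 18                       # AutoscaleGrpNamePrefix maximum
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")  # assumption
PASSWORD_PARAMS = ("ngfwPassword", "fmcOperationsPassword", "fmcMetricsPassword")
SUBNET_PARAMS = ("MgmtSubnetId", "InsideSubnetId", "OutsideSubnetId")

def split_csv(value):
    """Split a comma-separated parameter, tolerating spaces after the commas."""
    return [item.strip() for item in str(value).split(",") if item.strip()]

def check_thresholds(name, value):
    """'lower,upper', both in 0..99, lower strictly below upper."""
    parts = split_csv(value)
    if len(parts) != 2 or not all(part.isdigit() for part in parts):
        return [f"{name}: expected two integers 'lower,upper', got {value!r}"]
    lower, upper = (int(part) for part in parts)
    errors = []
    if not (0 <= lower <= 99 and 0 <= upper <= 99):
        errors.append(f"{name}: thresholds must be between 0 and 99")
    if lower >= upper:
        errors.append(f"{name}: lower threshold must be less than the upper threshold")
    return errors

def looks_like_kms_ciphertext(value):
    """Heuristic (this example's assumption, not a rule from the table): 'aws kms
    encrypt' returns a base64 CiphertextBlob, so a value that is not valid base64,
    or decodes to only a few bytes, is certainly still plain text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16

def check_zones(params):
    """NoOfAZs, ListOfAzs and the three subnet lists must agree in count and order."""
    try:
        zone_count = int(params.get("NoOfAZs", ""))
    except ValueError:
        return ["NoOfAZs: must be an integer between 1 and 3"]
    errors = []
    if not 1 <= zone_count <= 3:
        errors.append("NoOfAZs: must be between 1 and 3")
    if str(params.get("LoadBalancerType", "")).lower() == "application" and zone_count < 2:
        errors.append("NoOfAZs: an application load balancer requires at least 2 zones")
    zones = split_csv(params.get("ListOfAzs", ""))
    if len(zones) != zone_count:
        errors.append(f"ListOfAzs: {len(zones)} zone(s) listed but NoOfAZs is {zone_count}")
    for name in SUBNET_PARAMS:
        if len(split_csv(params.get(name, ""))) != len(zones):
            errors.append(f"{name}: one subnet per zone, in the same order as ListOfAzs")
    return errors

def check_passwords(params):
    """With KmsArn set, every password must be KMS ciphertext, never plain text."""
    errors = []
    kms_arn = str(params.get("KmsArn", "")).strip()
    if kms_arn and not KMS_ARN_RE.match(kms_arn):
        errors.append("KmsArn: does not look like a KMS key ARN")
    needed = list(PASSWORD_PARAMS)
    if str(params.get("fmcPublishMetrics", "FALSE")).upper() == "FALSE":
        needed.remove("fmcMetricsPassword")  # not needed when metrics are off
    for name in needed:
        value = str(params.get(name, ""))
        if not value:
            errors.append(f"{name}: required")
        elif kms_arn and not looks_like_kms_ciphertext(value):
            errors.append(f"{name}: KmsArn is set, so supply 'aws kms encrypt' output, not plain text")
    return errors

def validate_parameters(params):
    """Return the list of problems found; an empty list means the inputs are consistent."""
    errors = []
    if not POD_NUMBER_RE.match(str(params.get("PodNumber", ""))):
        errors.append("PodNumber: must be 1 to 3 digits")
    prefix = str(params.get("AutoscaleGrpNamePrefix", ""))
    if not prefix or len(prefix) > PREFIX_MAX_LEN:
        errors.append(f"AutoscaleGrpNamePrefix: 1 to {PREFIX_MAX_LEN} characters")
    errors += check_zones(params)
    errors += check_passwords(params)
    for name in ("CpuThresholds", "MemoryThresholds"):
        if name in params:
            errors += check_thresholds(name, params[name])
    return errors

# Constructed sample input: the ciphertext is a made-up base64 blob standing in for
# real 'aws kms encrypt' output, and the account and subnet IDs are placeholders.
FAKE_CIPHERTEXT = base64.b64encode(b"\x01\x02constructed-not-real-kms-output").decode()
SAMPLE_PARAMS = {
    "PodNumber": "1", "AutoscaleGrpNamePrefix": "Cisco-NGFW",
    "LoadBalancerType": "application", "NoOfAZs": "2", "ListOfAzs": "us-east-1a, us-east-1b",
    "MgmtSubnetId": "subnet-aaaa1111, subnet-bbbb2222",
    "InsideSubnetId": "subnet-cccc3333, subnet-dddd4444",
    "OutsideSubnetId": "subnet-eeee5555, subnet-ffff6666",
    "KmsArn": "arn:aws:kms:us-east-1:123456789012:key/7d586a25-5875-43b1-bb68-a452e2f6468e",
    "ngfwPassword": FAKE_CIPHERTEXT, "fmcOperationsPassword": FAKE_CIPHERTEXT,
    "fmcPublishMetrics": "TRUE", "fmcMetricsPassword": FAKE_CIPHERTEXT,
    "CpuThresholds": "30,70", "MemoryThresholds": "40,50",
}
```

The ciphertext check can only reject values that are obviously plain text (for instance `Cisco123789!` fails because `!` is not a base64 character); it cannot prove that a value was produced by `aws kms encrypt` with the key named in KmsArn, and a short password made only of letters and digits would pass it. The value to paste into the password parameters is the `CiphertextBlob` field of the `aws kms encrypt` output, which is already base64-encoded.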
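The last row of the table says that a custom template must carry `HttpEndpoint: enabled` and `HttpTokens: required` under `MetadataOptions` to get IMDSv2 Required mode, and the TgHealthPort row explains why the endpoint has to stay enabled: the target group's health probes are routed to the metadata server. The check below, added here as an example and not part of Cisco's template, walks a parsed CloudFormation template, reports every `AWS::EC2::LaunchTemplate` whose metadata options still leave IMDSv1 reachable, and returns a corrected copy. Because the table notes that versions earlier than 7.6 need the "V1 and V2 (token optional)" setting, the enforced fix is only appropriate for 7.6 and later. The templates are constructed dict literals with placeholder values; loading a real YAML template would need `yaml.safe_load` from PyYAML, which this example does not assume to be installed.

```python
# Check that a custom CloudFormation template enforces the "V2 only (token
# required)" IMDS mode on every launch template. Added example (not Cisco's code);
# the template dicts below are constructed placeholders, not the Cisco template.
import copy

LAUNCH_TEMPLATE_TYPE = "AWS::EC2::LaunchTemplate"
# The two MetadataOptions properties the table requires for IMDSv2 Required mode.
REQUIRED_METADATA_OPTIONS = {"HttpEndpoint": "enabled", "HttpTokens": "required"}

def launch_templates(template):
    """Yield (logical_id, LaunchTemplateData) for every launch template resource."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == LAUNCH_TEMPLATE_TYPE:
            yield logical_id, resource.get("Properties", {}).get("LaunchTemplateData", {})

def imds_findings(template):
    """One finding per launch template that does not require IMDSv2 tokens.
    An empty list means every launch template is in IMDSv2 Required mode."""
    findings = []
    for logical_id, data in launch_templates(template):
        options = data.get("MetadataOptions")
        if options is None:
            findings.append(f"{logical_id}: no MetadataOptions, so IMDSv1 stays reachable by default")
            continue
        for key, wanted in REQUIRED_METADATA_OPTIONS.items():
            if options.get(key) != wanted:
                findings.append(
                    f"{logical_id}: MetadataOptions.{key} is {options.get(key)!r}, expected {wanted!r}")
    return findings

def enforce_imdsv2(template):
    """Return a copy with HttpEndpoint: enabled and HttpTokens: required on every
    launch template (for Threat Defense Virtual 7.6 and later, per the table)."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == LAUNCH_TEMPLATE_TYPE:
            data = resource.setdefault("Properties", {}).setdefault("LaunchTemplateData", {})
            data["MetadataOptions"] = {**data.get("MetadataOptions", {}), **REQUIRED_METADATA_OPTIONS}
    return fixed

def sample_template(http_tokens):
    """Constructed sample launch template; image ID and name are placeholders."""
    return {
        "Resources": {
            "ThreatDefenseLaunchTemplate": {
                "Type": LAUNCH_TEMPLATE_TYPE,
                "Properties": {
                    "LaunchTemplateData": {
                        "ImageId": "ami-PLACEHOLDER",
                        "InstanceType": "c4.2xlarge",
                        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": http_tokens},
                    }
                },
            }
        }
    }

TOKEN_OPTIONAL_TEMPLATE = sample_template("optional")  # "V1 and V2 (token optional)"
TOKEN_REQUIRED_TEMPLATE = sample_template("required")  # "V2 only (token required)"
```

Run `imds_findings` over a template as a deployment gate: `HttpTokens: optional` is the weak setting (a token-less IMDSv1 request still answers), and a launch template with no `MetadataOptions` block at all is reported too, since the absence is what most custom templates get wrong.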