Deploy the Management Center Virtual Using KVM

You can deploy the management center virtual on KVM.

Overview

KVM is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (such as Intel VT). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, such as kvm-intel.ko.

Management Center Virtual Requires 28 GB RAM for Upgrade (6.6.0+)

The management center virtual platform has introduced a new memory check during upgrade. The management center virtual upgrades to Version 6.6.0+ will fail if you allocate less than 28 GB RAM to the virtual appliance.


Important

We recommend you do not decrease the default settings: 32 GB RAM for most management center virtual instances, 64 GB RAM for the management center virtual 300 (FMCv300). To improve performance, you can always increase a virtual appliance’s memory and number of CPUs, depending on your available resources.

As a result of this memory check, we will not be able to support lower memory instances on supported platforms.

Memory and Resource Requirements

You can run multiple virtual machines running unmodified OS images using KVM. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, and so forth. See the Cisco Secure Firewall Threat Defense Compatibility Guide for hypervisor compatibility.


Important

When upgrading the management center virtual, check the latest Release Notes for details on whether a new release affects your environment. You may be required to increase resources to deploy the latest version.

When you upgrade, you add the latest features and fixes that help improve the security capabilities and performance of your deployment.

The specific hardware used for the management center virtual deployments can vary, depending on the number of instances deployed and usage requirements. Each virtual appliance you create requires a minimum resource allocation—memory, number of CPUs, and disk space—on the host machine.

The following lists the recommended and default settings for the management center virtual appliance on KVM:

  • Processors

    • Requires 4 vCPUs

  • Memory

    • Minimum required 28 / Recommended (default) 32 GB RAM


      Important

      The management center virtual platform has introduced a new memory check during upgrade. The management center virtual upgrades to Version 6.6.0+ will fail if you allocate less than 28 GB RAM to the virtual appliance.

  • Networking

    • Supports virtio drivers

    • Supports one management interface

    • IPv6

  • Host storage per Virtual Machine

    • The management center virtual requires 250 GB

    • Supports virtio and scsi block devices

  • Console

    • Supports terminal server via telnet

Starting from version 7.3, Management Center Virtual 300 (FMCv300) is supported on KVM. The following lists the recommended and default settings for the FMCv300 appliance on KVM:

  • Processors

    • Requires 32 vCPUs

  • Memory

    • Recommended (default) 64 GB RAM

  • Networking

    • Supports virtio drivers

    • Supports one management interface

  • Host storage per Virtual Machine

    • The FMCv300 requires 2 TB

    • Supports virtio and scsi block devices

  • Console

    • Supports terminal server via telnet

Prerequisites

  • Download the management center virtual qcow2 file from Cisco.com and put it on your Linux host:

    https://software.cisco.com/download/navigator.html

  • A Cisco.com login and Cisco service contract are required.

  • For the purpose of the sample deployment in this document, we assume you are using Ubuntu 18.04 LTS. Install the following packages on top of the Ubuntu 18.04 LTS host:

    • qemu-kvm

    • libvirt-bin

    • bridge-utils

    • virt-manager

    • virtinst

    • virsh tools

    • genisoimage

  • Performance is affected by the host and its configuration. You can maximize the throughput on KVM by tuning your host. For generic host-tuning concepts, see Network Function Virtualization: Quality of Service in Broadband Remote Access Servers with Linux and Intel Architecture.

  • Useful optimizations for Ubuntu 18.04 LTS include the following:

    • macvtap—High performance Linux bridge; you can use macvtap instead of a Linux bridge. Note that you must configure specific settings to use macvtap instead of the Linux bridge.

    • Transparent Huge Pages—Increases memory page size and is on by default in Ubuntu 18.04.

    • Hyperthread disabled—Reduces two vCPUs to one single core.

    • txqueuelength—Increases the default txqueuelength to 4000 packets and reduces drop rate.

    • pinning—Pins qemu and vhost processes to specific CPU cores; under certain conditions, pinning is a significant boost to performance.

  • For information on optimizing a RHEL-based distribution, see Red Hat Enterprise Linux6 Virtualization Tuning and Optimization Guide.

Guidelines and Limitations

  • The management center virtual appliances do not have serial numbers. The System > Configuration page will show either None or Not Specified depending on the virtual platform.

  • Nested hypervisors (KVM running on top of VMware/ESXi) are not supported. Only bare-metal KVM deployments are supported.

  • Cloning a virtual machine is not supported.

High Availability support

  • Management Center Virtual 300 (FMCv300) for KVM—A new scaled management center virtual image is available for KVM that supports managing up to 300 devices and has higher disk capacity.

  • Management Center Virtual High Availability (HA) is supported.

  • The two management center virtual appliances in a high availability configuration must be the same model.

  • To establish the management center virtual HA, management center virtual requires an extra management center virtual license entitlement for each Secure Firewall Threat Defense (formerly Firepower Threat Defense) device that it manages in the HA configuration. However, the required threat defense feature license entitlement for each threat defense device has no change regardless of the management center virtual HA configuration. See License Requirements for threat defense devices in a High Availability Pair in the Secure Firewall Management Center Device Configuration Guide for guidelines about licensing.

  • If you break the management center virtual HA pair, the extra management center virtual license entitlement is released, and you need only one entitlement for each threat defense device. See High Availability in the Secure Firewall Management Center Device Configuration Guide for more information and guidelines about high availability.

Prepare the Day 0 Configuration File

You can prepare a Day 0 configuration file before you launch the management center virtual. The Day 0 configuration is a text file that contains the initial configuration data that gets applied at the time a virtual machine is deployed. This initial configuration is placed into a text file named “day0-config” in a working directory you chose, and is manipulated into a day0.iso file that is mounted and read on first boot.


Note

The day0.iso file must be available during first boot.

If you deploy with a Day 0 configuration file, the process allows you to perform the entire initial setup for the management center virtual appliance. You can specify:

  • EULA acceptance

  • A host name for the system

  • A new administrator password for the admin account

  • Network settings that allow the appliance to communicate on your management network If you deploy without a Day 0 configuration file, you must configure System-required settings after launch; see Deploy Without Using the Day 0 Configuration File for more information.


    Note

    We use Linux in this example, but there are similar utilities for Windows.

  • Leave both DNS entries empty to use the default Cisco Umbrella DNS servers. To operate in a non-DNS environment, set both entries to “None” (not case sensitive).

Procedure

Step 1

Enter the CLI configuration for the management center virtual network settings in a text file called “day0-config”.

Example:


#FMC
{
    "EULA": "accept",
    "Hostname": "FMC-Production",
    "AdminPassword": "r2M$9^Uk69##",
    "DNS1": "10.1.1.5",
    "DNS2": "192.168.1.67",
    
    "IPv4Mode": "manual",
    "IPv4Addr": "10.12.129.45",
    "IPv4Mask": "255.255.0.0",
    "IPv4Gw": "10.12.0.1",
    "IPv6Mode": "enabled",
    "IPv6Addr": "2001:db8::a111:b221:1:abca/96",
    "IPv6Mask": "",
    "IPv6Gw": "",
}

Step 2

Generate the virtual CD-ROM by converting the text file to an ISO file:

Example:


/usr/bin/genisoimage -r -o day0.iso day0-config

or

Example:


/usr/bin/mkisofs -r -o day0.iso day0-config

Step 3

Repeat to create unique default configuration files for each management center virtual you want to deploy.

What to do next

  • If using virt-install, add the following line to the virt-install command:

    --disk path=/home/user/day0.iso,format=iso,device=cdrom \

  • If using virt-manager, you can create a virtual CD-ROM using the virt-manager GUI; see Deploy the Management Center Virtual.

Deploy the Management Center Virtual

You can launch the management center virtual on KVM using the following methods:

  • Using a Deployment Script—Use a virt-install based deployment script to launch the management center virtual; see Launch Using a Deployment Script.

  • Using Virtual Machine Manager—Use virt-manager, a graphical tool for creating and managing KVM guest virtual machines, to launch the management center virtual; see Deploy the Management Center Virtual.

  • Using OpenStack—Use an OpenStack environment to launch the management center virtual; see Launch Using OpenStack.

You can also choose to deploy the management center virtual without the Day 0 configuration file. This requires you to complete the initial setup using the appliance’s CLI or the web interface.

Launch Using a Deployment Script

You can use a virt-install based deployment script to launch the management center virtual.

Before you begin

Be aware that you can optimize performance by selecting the best guest caching mode for your environment. The cache mode in use will affect whether data loss occurs, and the cache mode can also affect disk performance.

Each KVM guest disk interface can have one of the following cache modes specified: writethrough, writeback, none, directsync, or unsafe. The writethrough mode provides read caching; writeback provides read and write caching; directsync bypasses the host page cache; unsafe may cache all content and ignore flush requests from the guest.

  • A cache=writethrough will help reduce file corruption on KVM guest machines when the host experiences abrupt losses of power. We recommend that you use writethrough mode.

  • However, cache=writethrough can also affect disk performance due to more disk I/O writes than cache=none.

  • If you remove the cache parameter on the --disk option, the default is writethrough.

  • Not specifying a cache option may also significantly reduce the time required for the VM creation. This is due to the fact that some older RAID controllers have poor disk caching capability. Hence, disabling disk caching (cache=none) and thus defaulting to writethrough, helps ensure data integrity.

Procedure

Step 1

Create a virt-install script called “virt_install_fmc.sh”.

The name of the management center virtual instance must be unique across all other virtual machines (VMs) on this KVM host. The management center virtual can support one network interface. The virtual NIC must be Virtio.

Example:


virt-install \
    --connect=qemu:///system \
    --network network=default,model=virtio \
    --name=fmcv \
    --arch=x86_64 \
    --cpu host \
    --vcpus=4 \
    --ram=28672 \
    --os-type=generic \
    --virt-type=kvm \
    --import \
    --watchdog i6300esb,action=reset \
    --disk path=<fmc_filename>.qcow2,format=qcow2,device=disk,bus=virtio,cache=writethrough \
    --disk path=<day0_filename>.iso,format=iso,device=cdrom \
    --console pty,target_type=serial \
    --serial tcp,host=127.0.0.1:<port>,mode=bind,protocol=telnet \
    --force

Note

 

In the deployment script, ensure to set the value of the --os-type parameter to generic for the deployment process to correctly identify the platform on which the virtual instance is deployed.

Step 2

Run the virt_install script:

Example:


/usr/bin/virt_install_fmc.sh
Starting install...
Creating domain...

A window appears displaying the console of the VM. You can see that the VM is booting. It takes a few minutes for the VM to boot. Once the VM stops booting you can issue CLI commands from the console screen.

Deploy the Management Center Virtual

Use virt-manager, also known as Virtual Machine Manager, to launch the management center virtual. virt-manager is a graphical tool for creating and managing guest virtual machines.

Procedure

Step 1

Start virt-manager (Applications > System Tools > Virtual Machine Manager).

You may be asked to select the hypervisor and/or enter your root password.

Step 2

Click the button in the top left corner to open the New VM wizard.

Step 3

Enter the virtual machine details:

  1. For the operating system, select Import existing disk image.

    This method allows you to import a disk image (containing a pre-installed, bootable operating system) to it.

  2. Click Forward to continue.

Step 4

Load the disk image:

  1. Click Browse... to select the image file.

  2. Choose Use Generic for the OS type.

  3. Click Forward to continue.

Step 5

Configure the memory and CPU options:

  1. Set Memory (RAM) to 28672.

  2. Set CPUs to 4.

  3. Click Forward to continue.

Step 6

Check the Customize configuration before install box, specify a Name, then click Finish.

Doing so opens another wizard that allows you to add, remove, and configure the virtual machine's hardware settings.

Step 7

Modify the CPU configuration.

From the left panel, select Processor, then select Configuration > Copy host CPU configuration.

This applies the physical host's CPU model and configuration to your virtual machine.

Step 8

8. Configure the Virtual Disk:

  1. From the left panel, select Disk 1.

  2. Select Advanced options.

  3. Set the Disk bus to Virtio.

  4. Set the Storage format to qcow2.

Step 9

Configure a serial console:

  1. From the left panel, select Console.

  2. Select Remove to remove the default console.

  3. Click Add Hardware to add a serial device.

  4. For Device Type, select TCP net console (tcp).

  5. For Mode, select Server mode (bind).

  6. For Host, enter 0.0.0.0 for the IP address and enter a unique Port number.

  7. Check the Use Telnet box.

  8. Configure device parameters.

Step 10

Configure a watchdog device to automatically trigger some action when the KVM guest hangs or crashes:

  1. Click Add Hardware to add a watchdog device.

  2. For Model, select default.

  3. For Action, select Forcefully reset the guest.

Step 11

Configure the virtual network interface.

Choose macvtap or specify a shared device name (use a bridge name).

Note

 

By default, the management center virtual instance launches with one interface, which you can then configure.

Step 12

If deploying using a Day 0 configuration file, create a virtual CD-ROM for the ISO:

  1. Click Add Hardware.

  2. Select Storage.

  3. Click Select managed or other existing storage and browse to the location of the ISO file.

  4. For Device type, select IDE CDROM.

Step 13

After configuring the virtual machine's hardware, click Apply.

Step 14

Click Begin installation for virt-manager to create the virtual machine with your specified hardware settings.

Launch Using OpenStack

You can deploy the Management Center Virtual in an OpenStack environment. OpenStack is a set of software tools for building and managing cloud computing platforms for public and private clouds, and is tightly integrated with the KVM hypervisor.

About the Day 0 Configuration File on OpenStack

OpenStack supports providing configuration data via a special configuration drive (config-drive) that is attached to the instance when it boots. To deploy the Management Center Virtual instance with Day 0 configuration using the nova boot command, include the following line: 

    --config-drive true --file day0-config=/home/user/day0-config \

When the --config-drive command is enabled, the file =/home/user/day0-config, as found on the Linux filesystem where the nova client is invoked, is passed to the virtual machine on a virtual CDROM.


Note

While the VM may see this file with the name day0-config, OpenStack typically stores the file contents as /openstack/content/xxxx where xxxx is an assigned four-digit number (e.g. /openstack/content/0000). This may vary by OpenStack distribution.

Launch on OpenStack Using the Command Line

Use the nova boot command to create and boot the management center virtual instance.

Procedure
Command or Action Purpose

Boot the management center virtual instance using image, flavor, interface and Day 0 configuration information.

Example:

local@maas:~$ nova boot \
    --image=6883ee2e-62b1-4ad7-b4c6-cd62ee73d1aa \
    --flavor=a6541d78-0bb3-4dc3-97c2-7b87f886b1ba \
    --nic net-id=5bf6b1a9-c871-41d3-82a3-2ecee26840b1 \
    --config-drive true --file day0-config=/home/local/day0-config \

The management center virtual requires one management interface.

Launch on OpenStack Using the Dashboard

Horizon is an OpenStack Dashboard, which provides a web based user interface to OpenStack services including Nova, Swift, Keystone, and so forth.

Before you begin
Procedure

Step 1

On the Log In page, enter your user name and password, and click Sign In.

The visible tabs and functions in the dashboard depend on the access permissions, or roles, of the user you are logged in as.

Step 2

Choose Admin > System Panel > Flavor from the menu.

Virtual hardware templates are called flavors in OpenStack, and define sizes for RAM, disk, number of cores, and so on.

Step 3

Enter the required information in the Flavor Info window:

  1. Name—Enter a descriptive name that easily identifies the instance. For example, FMC-4vCPU-8GB.

  2. VCPUs—Select 4.

  3. RAM MB—Select 28672.

Step 4

Choose Create Flavor.

Step 5

Choose Admin > System Panel > Images from the menu.

Step 6

Enter the required information in the Create An Image window:

  1. Name—Enter a name that easily identifies the image. For example, FMC-Version-Build.

  2. Description—(Optional) Enter a description for this image file.

  3. Browse—Select the management center virtual qcow2 file previously downloaded from Cisco.com.

  4. Format—Select QCOW2-QEMU Emulator as the format type.

  5. Check the Public box.

Step 7

Choose Create Image.

View the newly created Image.

Step 8

Choose Project > Compute > Instances from the menu.

Step 9

Click Launch Instance.

Step 10

Enter the required information in the Launch Instance > Details tab:

  1. Instance Name—Enter a name that easily identifies the instance. For example, FMC-Version-Build.

  2. Flavor—Select the flavor created earlier in Step 3. Enter a description for this image file.

  3. Instance Boot Source—Select Boot from image.

  4. Image Name—Select the image created earlier in Step 6.

Step 11

From the Launch Instance > Networking tab, select a management network for themanagement center virtual instance.

Step 12

Click Launch.

The instance starts on a compute node in the cloud. View the newly created instance from the Instances window.

Step 13

Select the management center virtual instance.

Step 14

Select the Console tab.

Step 15

Log into the virtual appliance at the console.

Deploy Without Using the Day 0 Configuration File

For all management centers, you must complete a setup process that allows the appliance to communicate on your management network. If you deploy without a Day 0 configuration file, setting up the management center virtual is a two-step process:

  • After you initialize the management center virtual, run a script at the appliance console that helps you configure the appliance to communicate on your management network.

  • Then, complete the setup process using a computer on your management network to browse to the web interface of the management center virtual.

Configure Network Settings Using a Script

The following procedure describes how you complete the initial setup on the management center virtual using the CLI.

Procedure

Step 1

At the console, log into the management center virtual appliance. Use admin as the username and Admin123 as the password.

Step 2

At the admin prompt, run the following script:

Example:

sudo /usr/local/sf/bin/configure-network

On first connection to the management center virtual you are prompted for post-boot configuration.

Step 3

Follow the script’s prompts.

Configure (or disable) IPv4 management settings first, then IPv6. If you manually specify network settings, you must enter IPv4 or IPv6 address.

Step 4

Confirm that your settings are correct.

Step 5

Log out of the appliance.

What to do next

  • Complete the setup process using a computer on your management network to browse to the web interface of the management center virtual.

Perform Initial Setup Using the Web Interface

The following procedure describes how you complete the initial setup on the management center virtual using the web interface.

Procedure

Step 1

Direct your browser to default IP address of the management center virtual’s management interface:

Example:

https://192.168.45.45

Step 2

Log into the management center virtual appliance. Use admin as the username and Admin123 as the password. The setup page appears.

The setup page appears. You must change the administrator password, specify network settings if you haven’t already, and accept the EULA.

Step 3

When you are finished, click Apply. The management center virtual is configured according to your selections. After an intermediate page appears, you are logged into the web interface as the admin user, which has the Administrator role.

The management center virtual is configured according to your selections. After an intermediate page appears, you are logged into the web interface as the admin user, which has the Administrator role.

What to do next