Deploy on KVM

Action

More Information

Step 1

Ensure that your equipment and software meet all system requirements.

See System Requirements and the documentation for the products and tools that you will use.

Step 2

Review the Release Notes for your AsyncOS release.

Release Notes are available from the locations in Additional Information.

Step 3

Set up the UCS server, host OS, and KVM.

See the documentation for the products and tools you will use.

Step 4

Download the virtual content security appliance image.

See Download the Cisco Content Security Virtual Appliance Image.

Step 5

Ensure that the Cisco image is compatible with your deployment.

See Ensure Virtual Appliance Image Compatibility With Your KVM Deployment.

Step 6

(Optional) Prepare an ISO file that includes the license and configuration files to automatically load at startup.

See Prepare the License and Configuration Files to Load at Startup (KVM Deployments).

Step 7

Determine the amount of RAM and the number of CPU cores to allocate to your virtual appliance model.

See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.

Step 8

Deploy the virtual content security appliance image.

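Use one of the following methods:

  • Deploy the Virtual Appliance Using Virtual Machine Manager

  • Deploy the Virtual Appliance Using virt-install: Example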

Step 9

If you will deploy the High Availability feature introduced in AsyncOS 8.5 for Cisco Web Security Appliances, configure the host to support this feature.

See (Optional) Configure the Virtual Interface to Support High Availability.

Step 10

If you did not configure the system to load license and configuration files at first startup:

  • Install the virtual appliance license file

  • Install feature licenses

  • Configure your Cisco content security virtual appliance.

  • To install the virtual appliance license file, see Amazon Web Services (AWS) EC2 Deployments.

  • To install feature licenses and configure the appliance, see the User Guide or online help for your AsyncOS release.

Step 11

Configure the appliance to send alerts when license expiration nears.

See the online help or user guide for your AsyncOS release.

Ensure Virtual Appliance Image Compatibility With Your KVM Deployment

The qcow version of our image is not compatible with QEMU versions lower than 1.1. If your QEMU version is lower than 1.1, you must convert the image to make it compatible with your deployment.
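The following is an added example, not part of the Cisco procedure, for checking whether a downloaded image needs this conversion. It relies on the qcow2 header layout (4-byte magic, then a 4-byte big-endian version, where version 3 requires QEMU 1.1 or later); the function names and the sample file are assumptions made for illustration, and the qemu-img command it prints is one common way to convert, not one given on this page.

```shell
#!/bin/sh
# Added example: decide whether a qcow2 image must be converted for an old QEMU.
# qcow2 header: bytes 0-3 are the magic "QFI\xfb", bytes 4-7 the version
# (big-endian). Version 3 needs QEMU 1.1 or later; version 2 runs on older QEMU.

qcow2_version() {
    # $1 = image path. Prints the header version; returns 1 if not qcow2.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "514649fb" ] || return 1
    head -c 8 "$1" | tail -c 4 | od -An -tu1 |
        awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

needs_conversion() {
    # $1 = image path, $2 = host QEMU version (for example 1.0 or 0.12.1).
    # Returns 0 if conversion is required, 1 if not, 2 if the file is not qcow2.
    ver=$(qcow2_version "$1") || return 2
    major=${2%%.*}
    minor=${2#*.}
    minor=${minor%%.*}
    if [ "$ver" -lt 3 ]; then
        return 1
    fi
    if [ "$major" -lt 1 ]; then
        return 0
    fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; then
        return 0
    fi
    return 1
}

# Constructed sample: an 8-byte stub carrying the qcow2 magic and version 3.
sample=$(mktemp)
printf 'QFI\373\000\000\000\003' > "$sample"
if needs_conversion "$sample" 1.0; then
    # Run the conversion on a host with QEMU 1.1 or later (file names are placeholders).
    echo "qemu-img convert -O qcow2 -o compat=0.10 in.qcow2 out.qcow2"
fi
rm -f "$sample"
```

On a real host, pass the path of the extracted image and the version reported by qemu-img --version.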

Deploy the Virtual Appliance Using Virtual Machine Manager

Procedure


Step 1

Launch the virt-manager application.

Step 2

Select New.

Step 3

Enter a unique name for your virtual appliance.

Step 4

Select Import existing image.

Step 5

Select Forward.

Step 6

Enter options:

  • OS Type: UNIX.

  • Version: FreeBSD 10

Step 7

Browse to and select the virtual appliance image that you downloaded.

Step 8

Select Forward.

Step 9

Enter RAM and CPU values for the virtual appliance model you are deploying.

See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.

Step 10

Select Forward.

Step 11

Select the Customize check box.

Step 12

Select Finish.

Step 13

Configure the disk drive:

  1. In the left pane, select the drive.

  2. Under Advanced options, select options:

    • Disk bus: Virtio

    • Storage format: qcow2

  3. Select Apply.

Step 14

Configure the network device for the management interface:

  1. In the left pane, select a NIC.

  2. Select options:

    • Source Device: Your management VLAN

    • Device model: virtIO

    • Source mode: VEPA.

  3. Select Apply.

Step 15

Configure network devices for four additional interfaces (WSA only):

Repeat the previous set of substeps for each interface you will use.

Step 16

If you prepared an ISO image with the license and configuration files to be loaded at startup:

Attach the ISO as a virtual CD-ROM drive to the Virtual Machine instance.

Step 17

Select Begin Installation.


Deploy the Virtual Appliance Using virt-install: Example

Before you begin

Determine the amount of RAM and number of CPU cores needed for your appliance. See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments.

Procedure


Step 1

Create the storage pool where your virtual appliance will reside:

virsh pool-define-as --name vm-pool --type dir --target /home/username/vm-pool

virsh pool-start vm-pool

Step 2

Copy the virtual appliance image to your storage pool:

cd /home/username/vm-pool

tar xvf ~/asyncos-8-6-0-007-S100V.qcow2.tar.gz

Step 3

Install the virtual appliance. In the following command:

  • The --name value should be unique.

  • For --ram and --vcpus, use the values appropriate to your virtual appliance model.

  • Include the --disk line for wsa.iso only if you created an ISO with the license and configuration file to load at startup.

virt-install \
--virt-type kvm \
--os-type=unix \
--os-variant=freebsd10 \
--name wsa-example \
--ram 6144 \
--vcpus 2 \
--noreboot \
--import \
--disk path=/home/username/vm-pool/asyncos-8-6-0-007-S100V.qcow2,format=qcow2,bus=virtio \
--disk path=/home/username/vm-pool/wsa.iso,bus=ide,device=cdrom \
--network type=direct,source=enp6s0.483,source_mode=vepa,model=virtio \
--network type=direct,source=enp6s0.484,source_mode=vepa,model=virtio \
--network type=direct,source=enp6s0.485,source_mode=vepa,model=virtio \
--network type=direct,source=enp6s0.486,source_mode=vepa,model=virtio \
--network type=direct,source=enp6s0.487,source_mode=vepa,model=virtio

Step 4

Restart the virtual appliance:

virsh start wsa-example

virsh --connect qemu:///system start wsa-example

Step 5

To start or stop the virtual appliance:

virsh shutdown wsa-example

virsh start wsa-example


(Optional) Configure the Virtual Interface to Support High Availability

The high availability feature was introduced in AsyncOS 8.5 for Cisco Web Security Appliances and is described in detail in the user guide and online help.

If your Cisco Secure Web Appliance will be added to a failover group for high availability, configure the virtual interface to use promiscuous mode, in order to enable the appliances in the failover group to communicate with each other using multicasting.

You can make this change at any time.

Procedure


Step 1

On the host OS, find the macvtap interface that backs the virtual appliance interface that will carry the multicast traffic.

Step 2

Set the macvtap interface to use promiscuous mode:

Enter on the host: ifconfig macvtapX promisc
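The following is an added example, not part of the Cisco procedure, showing one way to carry out Step 1 and to confirm Step 2, so that promiscuous mode is enabled only on the macvtap device that carries the failover traffic. It assumes the interface names come from virsh domiflist and the flags from ip link show; the sample output, MAC addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: map a guest NIC to its host macvtap device and check PROMISC.

# Constructed sample of `virsh domiflist wsa-example` output (MACs are made up).
SAMPLE_DOMIFLIST=' Interface   Type     Source        Model    MAC
---------------------------------------------------------------
 macvtap0    direct   enp6s0.483    virtio   52:54:00:aa:bb:01
 macvtap1    direct   enp6s0.484    virtio   52:54:00:aa:bb:02
 vnet0       bridge   br0           virtio   52:54:00:aa:bb:03'

macvtap_for_source() {
    # $1 = domiflist text, $2 = host source device (for example enp6s0.484).
    # Prints the macvtap device attached to that source; returns 1 if none.
    printf '%s\n' "$1" | awk -v src="$2" '
        $2 == "direct" && $3 == src && $1 ~ /^macvtap[0-9]+$/ { print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

promisc_enabled() {
    # $1 = output of `ip link show <dev>`. True if the PROMISC flag is set.
    printf '%s\n' "$1" | head -n 1 | grep -q '<[^>]*PROMISC[^>]*>'
}

# Offline demonstration on the constructed sample. On a real host, use
# "$(virsh domiflist wsa-example)" and "$(ip link show "$dev")" instead.
if dev=$(macvtap_for_source "$SAMPLE_DOMIFLIST" enp6s0.484); then
    echo "ifconfig $dev promisc"
fi
```

Checking the flag after the change, and again after a guest restart, confirms that the setting is present on the intended device and no other.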