Deploy a Threat Defense Device on Google Cloud Platform

Before you begin

When you perform this procedure, Security Cloud Control creates the threat defense virtual as part of the onboarding wizard. You cannot use this procedure with physical threat defense device or a device that is already onboarded to Security Cloud Control.

The following prerequisites must be met prior to onboarding a threat defense that is currently associated with a Google Cloud Platform (GCP) environment:

  • You must have cloud-delivered Firewall Management Center enabled for your tenant.

  • You must have a GCP account and already have a project created. See GCP documentation for more information.

  • Management interfaces (2) — One used to connect the threat defense virtual to the management center, second used for diagnostics; cannot be used for through traffic.

    Traffic interfaces (2) — Used to connect the threat defense virtual to inside hosts and to the public network. See Create VPC Networks for GCP for more information.

  • You must enable all of the following permissions in the GCP environment in order to successully communicate with and onboard to Security Cloud Control:

    deploymentmanager.deployments.create
    deploymentmanager.deployments.get
    compute.networks.list

Procedure


Step 1

Log in to Security Cloud Control.

Step 2

In the navigation pane, click Security Devices and click the blue plus button (+) to add a new device.

Step 3

Select the FTD tile.

Step 4

Under Management Mode, select FTD.

Step 5

Select Use GCP VPC as the onboarding method.

Step 6

IF you have not authenticated your GCP environment with Security Cloud Control before this point, copy the bash command that Security Cloud Control generates and run it on your bash environment or on the Google Cloud Shell to authenticate your GCP account and allow communication between the applications. IF you have already authenticated your GCP account prior, ignore the account integration steps and click Next.

Step 7

Use the drop-down menu to select the GCP project you want to associate with the device you are going to onboard. If there are no projects immeidately available, click + Link New Project. If you click + Link New Project, follow these steps:

  1. Enter the GCP project ID when prompted. Locate this value in the GCP UI. To locate the project ID, see GCP documentation.

  2. Upload Credentials File. Click Browse and navigate to where the the .JSON file generated from the script in Step 1 of the onboarding wizard is locally stored. Select it and click Save.

Step 8

Click Next.

Step 9

Use the drop-down menus to select the following paramters and click Next:

  • Inside VPC

  • Inside Sub Network

  • Outside VPC

  • Outside Sub Network

  • Management VPC

  • Management Sub Network

  • Diagnostic Network

  • Diagnostic Sub Network

Step 10

Enter a name for the threat defense device in the Device Name field and click Next.

Step 11

In the Policy Assignment step, use the drop-down menu to select an access control policy to deploy once the device is onboarded. If you have no policies configured in the cloud-delivered Firewall Management Center associated with your Security Cloud Control tenant, select the Default Access Control Policy.

Step 12

Select the Subscription Licenses you want applied to the device. You must have at least the URL license selected for virtual threat defense devices.

Step 13

Click Complete Onboarding.


What to do next

Navigate to the Security Devices page to view the progress of the device registration there. Once the device is synchronized, we strongly recommend cross-launching to cloud-delivered Firewall Management Center and customize your access control policy and device status.