
As organizations expand, a streamlined, scalable, and secure method of provisioning and onboarding new devices becomes increasingly important. Cisco Firewall Management Center (FMC) addresses this challenge with device templates: a zero-touch provisioning capability designed to simplify branch device provisioning, onboarding, and deployment in bulk.

The Challenge of Branch Device Provisioning

Traditionally, provisioning network devices at branch locations has been a time-consuming and resource-intensive process, and IT teams face several recurring problems. Each device requires manual configuration, which is prone to human error and inconsistency. Setting up devices one by one delays deployment, especially across many branches, leading to extended timelines. Until now it has not been possible to pre-provision a device's configuration before the device is registered. Managing different hardware models, configuring interfaces, and rolling out dynamic routing changes consistently across many devices is also difficult.

As the number of branch locations grows, the complexity and effort required to manage device provisioning grow with it, creating scalability problems. Ensuring that each device is configured securely and consistently is also critical to the organization's overall security posture: a single misconfigured branch firewall, for example one that misses a policy assignment or an interface zone, can expose the network to vulnerabilities and potential breaches.

Introducing Templates from Cisco FMC for Zero-Touch Provisioning

This feature is designed to address several use cases with a simple user interface. It simplifies provisioning by allowing administrators to pre-provision firewalls with all required policies and configurations before the devices arrive. It also scales Firepower Threat Defense (FTD) branch deployments by enabling the onboarding of multiple firewalls simultaneously, which is particularly useful for large remote branch deployments where hundreds or even thousands of branches need to be rolled out in a short period.

In the context of SD-WAN branches, administrators can define multiple virtual logical overlay topologies on top of a multi-link physical topology, allowing for end-to-end traffic segmentation to meet business requirements. For already onboarded devices, templates let administrators check whether a device is out of sync, due to changes either in the template or on the device, and reconcile the configurations. This ensures that any changes made to devices or templates can be tracked and managed effectively.

How It Works

Templates are designed to streamline and automate the configuration and deployment of branch devices. They allow IT teams to create complex policy bundles, such as Direct Internet Access (DIA) policies, VPN access to headquarters, security policies, and ISP redundancy, and apply them to devices whenever needed. The configuration experience is similar to configuring an individual device, making it intuitive and straightforward. Templates can be applied to Firepower Threat Defense (FTD) devices during registration, enabling consistent configuration across multiple devices simultaneously.

Device Template Management is centralized, with all created templates listed on the Device Template Management page. The page summarizes each template: its associated access control policy, its number of parameters, and the device models it is designed for. Administrators can generate new templates from existing devices registered in FMC, including models from the 1000, 2100, and 3100 series running Cisco Secure Firewall version 7.4.1 or later. The 'Generate Template' option in the Device menu creates a new template from the configuration of the chosen device, whether standalone or in a high-availability (HA) pair.

Templates can also be cloned using the export and import options, allowing easy replication and modification across different Firewall Management Center (FMC) instances or domains. Once a template is created, it can be configured to include physical and logical interfaces, routing, DHCP, inline sets, shared policy assignments, licenses, and other advanced settings. Variables and your existing network objects parameterize the template for device-specific values, and model mapping ensures that interface configurations are applied to the correct physical interfaces on each device model.

For SD-WAN branches and Site-to-Site (S2S) VPN spokes, the templates support various VPN topologies, including SD-WAN, route-based hub and spoke, and policy-based hub and spoke. This enables the rollout of branch devices with pre-provisioned Day-0 configurations, including VPN settings.

The primary use case for device templates in version 7.6.0 is to simplify and scale the provisioning of SD-WAN branches and spokes. Device templates support the configuration of a device as a spoke in multiple hub and spoke topologies, with variables or object overrides for device-specific settings such as protected networks, VPN interface IP addresses, and local IKE tunnel identity.

Device templates can be applied during device registration, re-applied to revert out-of-band changes, or applied to existing devices to configure them in bulk. During registration or onboarding, applying a device template is followed by a deployment to the device with the applied configuration, so the device comes up with its intended configuration.
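The following Python is an added illustration of the concepts described above (a parameterized template, per-device variables, model mapping of interface roles to physical names, and an out-of-sync check), not Cisco code and not the FMC API. The template structure, the interface mapping table, the device names and the addresses are all constructed for the example; real model mappings and the FMC data model differ.

```python
"""Conceptual model of FMC-style device templates: render a parameterized
template per device, map logical interface roles to each model's physical
interfaces, and detect drift between the rendered and running configuration.
Added example; hypothetical structures, not FMC's API."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Hypothetical interface mapping per platform family (constructed sample data).
MODEL_INTERFACE_MAP = {
    "FPR1000": {"outside": "GigabitEthernet1/1", "inside": "GigabitEthernet1/2"},
    "FPR3100": {"outside": "Ethernet1/1", "inside": "Ethernet1/2"},
}

VAR_RE = re.compile(r"\{\{(\w+)\}\}")  # {{variable}} placeholders


@dataclass
class Template:
    name: str
    supported_models: set
    config: dict  # values may contain {{variable}} placeholders


def render(template: Template, model: str, variables: dict) -> dict:
    """Render the template for one device. Fails closed: an unsupported model
    or an unset variable raises, so a half-configured spoke is never deployed."""
    if model not in template.supported_models:
        raise ValueError(f"model {model} not supported by template {template.name}")
    ifmap = MODEL_INTERFACE_MAP[model]

    def substitute(value):
        if isinstance(value, str):
            def repl(m):
                if m.group(1) not in variables:
                    raise KeyError(f"variable {m.group(1)} not set for this device")
                return str(variables[m.group(1)])
            return VAR_RE.sub(repl, value)
        if isinstance(value, dict):
            return {substitute(k): substitute(v) for k, v in value.items()}
        if isinstance(value, list):
            return [substitute(v) for v in value]
        return value

    rendered = substitute(template.config)
    # Model mapping: logical roles ("outside", "inside") -> physical interface names.
    rendered["interfaces"] = {ifmap[role]: cfg for role, cfg in rendered["interfaces"].items()}
    return rendered


def drift(expected, actual, path: str = "") -> list:
    """Return (path, expected, actual) for every leaf where the running config
    differs from what the template renders; an empty list means 'in sync'."""
    diffs = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            diffs.extend(drift(expected.get(key), actual.get(key), f"{path}/{key}"))
    elif expected != actual:
        diffs.append((path, expected, actual))
    return diffs


# Constructed sample template for a spoke in a hub-and-spoke VPN.
SPOKE_TEMPLATE = Template(
    name="branch-spoke",
    supported_models={"FPR1000", "FPR3100"},
    config={
        "access_policy": "Branch-Default",
        "interfaces": {
            "outside": {"ip": "{{outside_ip}}/30", "zone": "outside"},
            "inside": {"ip": "{{inside_ip}}/24", "zone": "inside"},
        },
        "vpn": {
            "hub": "203.0.113.1",
            "local_ike_identity": "{{ike_identity}}",
            "protected_networks": ["{{lan}}"],
        },
    },
)

# Constructed per-device values (the page's "variables or object overrides").
BRANCH_DEVICES = {
    "branch-01": ("FPR1000", {"outside_ip": "198.51.100.2", "inside_ip": "10.1.1.1",
                              "ike_identity": "branch-01.example.net", "lan": "10.1.1.0/24"}),
    "branch-02": ("FPR3100", {"outside_ip": "198.51.100.6", "inside_ip": "10.1.2.1",
                              "ike_identity": "branch-02.example.net", "lan": "10.1.2.0/24"}),
}


def provision(template: Template, devices: dict) -> dict:
    """Bulk-render one configuration per device name."""
    return {name: render(template, model, vars_) for name, (model, vars_) in devices.items()}


if __name__ == "__main__":
    configs = provision(SPOKE_TEMPLATE, BRANCH_DEVICES)
    running = dict(configs["branch-01"])
    running["access_policy"] = "Permit-Any"  # simulated out-of-band change
    print(drift(configs["branch-01"], running))
```

The two checks in `render` are the ones worth keeping in mind when bulk-onboarding: a device whose model the template does not cover, or whose device-specific variable was never set, should be rejected before deployment rather than deployed with a blank interface or tunnel identity. The `drift` function is what an "out of sync" review amounts to: a comparison of the template's rendering against the device's running configuration.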

Conclusion

Template capabilities will be introduced in Cisco Firewall Management Center (FMC) version 7.6, scheduled for release in September 2024. This update simplifies provisioning, enabling you to scale your branch deployments and leverage advanced SD-WAN features in Cisco Firewall Threat Defense.



Authors

Gayathri Nagarajan

Engineering Product Manager

Security Business Group