Introduction

Building up SD-WAN features on Cisco Secure Firewall, release 7.6 brings in the Device Templates feature.

This is a policy and configuration bundle that leverages parametrized configuration and enables administrators with:

1. Scalable remote branch rollout
2. Pre-provisioning Day 0 configuration to the branch devices
3. Similar user experience as a standard device on-boarding/registration on Firewall Management Center (FMC).

📘

NOTE

1. This feature is supported with Secure Firewall Management Center running release 7.6, and Secure Firewall Threat Defense devices running 7.4.1 and above.
2. Supported platforms are 1000, 1200 Compact, 2100 (on 7.4.1 only) and 3100 series.
3. No additional licenses are require to create and configure device templates. Target devices where the templates will be applied must have license entitlement for their respective features.

Overview

Using this feature, branch devices can be fully configured during the on-boarding with all the required configuration, allowing seamless and secure connectivity to resources on the internet or behind other SD-WAN enabled hub and branch sites.

Device templates allow pre-provisioning of the following attributes:

1. Interface configuration, including inline sets - for device initialization
2. Access Control Policy - for security policies
3. Static and dynamic routing - for LAN and WAN connectivity
4. Policy Based Routing - for Direct Internet Access (DIA)
5. DHCP Server, Relay and DDNS configuration - for LAN users' connectivity
6. VPN Topology - for VPN access to Hub and other branch sites

This allows unified configuration deployment on multiple devices at same time.

How it works

At a high level, this feature comprises four steps:

1. FMC Administrator collates all the device configuration related to interfaces, inline sets, routing, DHCP, VPN and security policies in a unified schema called device template.
2. Once configured, device template is then stored on the FMC.
3. Management Center creates a copy of the configuration from the device template.
4. Copy of the device template configuration is pushed to branch devices called target devices. This template is version agnostic and any feature not supported on the target device is safely dropped from the configuration and logged in the report.
   
   

🚧

Note

Creating a copy of the template and pushing it to the devices via template ensures that any change in template on the FMC doesn't cause any interruption in the branch device operation.

Device Onboarding Components

Before reviewing the template workflow and configuration, this section covers the components added within template configuration. To assign values to configuration objects in Device Template, there are mainly 2 ways: Variable and Network Object override.

Variable

It is a new object type used as a placeholder for inline values in supported configuration. Admin creates a variable within template creation and variables are replaced with the specific values during the template apply phase.

Fields using the variable have the variable icon and shown with a $ prefix to distinguish from literal values.

Variables support different types of values that are:

1. Password
2. Rourter ID
3. FQDN
4. AS Number
5. IPv4/IPv6 network addreses

Network Object Override

This is an existing feature which is used within device template. Admin declares an existing network object(s) in the template and override for the object is created or updated during the template apply phase.

Following network object types are supported:

1. Network
2. Host
3. Range
4. FQDN

📘

Note

Variables and network object overrides are exclusive in nature. This feature supports variables where network object overrides are not supported.
E.g. variables are used in the interface configuration for IP address assignment whereas network object override is used for defining gateway IP address in the static route configuration.

Template Workflow

Device Template workflow can be logically divided into 3 main steps:

1. Template Creation
   This step allows an administrator to configure a reusable configuration template. There are 3 ways to create a template
   1. Create a new template from scratch
   2. Generate a template from an existing device, and
   3. Export from an existing template
2. Template Configuration
   This step covers the actual device configuration that includes Access Control Policy, defining variables and network object overrides, and defining interface mapping. This includes various shared policies and device specific policies.
3. Template Apply
   FMC creates a copy of the configuration from the device template and pushes it to managed FTD devices. In this step, along with the device specific and shared policies, variables and network object override values are configured which are ultimately pushed to the specific branch devices.

Configuration

In this configuration example, we leverage Device Template to onboard a branch FTD device with Dual WAN connections and being managed via the data interface.

The branch device will be configured to have Ethernet1/1 interface as outside1 interface and Ethernet1/3 as outside2 interface. Ethernet1/2 will be used as inside interface. outside1 interface will be used for management via FMC.

Topology

Create a New Device Template

1. Choose Devices > Template Management

   

2. Click Add Device Template

3. In the Add Device Template window, enter a Name for the template.

4. Choose an Access Control Policy from the drop-down list.

   

5. Click Ok

Configure Device Specific Settings

Configuring Interfaces

1. Once the Device Template is created, click pencil icon on far right of the template to edit the template

2. Review all the configuration options within the Device Template (e.g. Interface, Inline Sets, Routing, DHCP, VPN and Template Settings)

3. Device can be managed either via management or the data interface. As in this example, the device is managed remotely via data interface, click Template Settings and toggle the button for Manage device by Data Interface

   

4. Navigate to Interfaces tab. By default, the template only has 3 interfaces i.e. management, outside and inside. As we plan to use two egress interfaces, click Add Physical Interfaces to add another Ethernet interface

   

5. Within Create Physical Interface, select the corresponding Slot and Port Index you intend to use on your branch device and click Create Interface

   

6. Edit the Ethernet1/1 interface and configure the name as outside1 and assign a security zone outside

   

7. Review the IPv4 configuration and ensure it is set to either Use DHCP or configured with static IP address

   📘

   Note

   In this example, outside1 interface is configured with DHCP IP and option Obtain default route using DHCP is enabled which installs a default route with metric 1 on the branch device.

8. (Optional) In Path Monitoring section, check the box for Enable IP based Path Monitoring

9. In Manager Access section, check the box for Enable Management Access to manage the device via data interface
10. Click Ok

11. Edit the Ethernet1/2 interface and assign the security zone as Inside

12. Under IPv4, Click + under IP address to create a variable named inside_interface_ip and click Save

13. Click Ok
14. Edit the Ethernet1/3 interface

1. Configure the name as outside2
2. Check the box to Enable the interface
3. Assign a security zone outside

15. Under IPv4, Click + under IP address to create a variable named outside2_interface_ip and click save

16. (Optional) In Path Monitoring section, check the box for Enable IP based Path Monitoring

17. Click Save
18. (Optional) Create Inline Sets for the supported branch devices.

Configuring Routing

📘

Note

outside1 interface is configured to receive default route from upstream device so in this step, we will add a route for internet via outside2 interface

1. Click Routing and Static Route
2. Click Add Route

3. Select the interface as outside2
4. From the Available Network, select any-ipv4
5. Under Gateway, create or select a network object which has Allow Overrides enabled e.g. outside2_gateway in this example
6. Change the metric to 10. Keep it the same if you intend to use both the egress interfaces in ECMP zone
7. Click Ok

8. (Optional) Add additional routes if required
   a) Add a route towards the inside interface for the SNMP server

b) Another route for inside interface

9. (Optional) Add Policy based routing if required for Direct Internet Access use cases.

Configuring DHCP

1. Click DHCP >> DHCP Server
2. Select Auto-Configuration and for the Interface, select outside1 from the drop down menu.

3. Under Server, click Add to enable DHCP server on inside interface
4. For the Interface, select inside from the drop down menu
5. Click + to create a new variable for DHCP Address pool with the name dhcp_pool

6. Check the box for Enable DHCP Server and click Ok

(Optional) Configuring VPN

1. (Optional) Configure the VPN topology which is mapped to the device template. The branch device where the device template configuration will be applied is added as a spoke in the VPN topology in this step.

Configure Template Settings

1. Under Template Settings, edit Licenses to assign licenses to the devices that will be mapped to this device template
2. Check or clear the check box next to the license you want to enable or disable for the managed device.

3. Click Save and Ok
4. Edit Applied Policies and assign the policies required to be pushed to the branch devices using device template
5. For each policy type, choose a policy from the drop-down list. Only existing policies are listed.

6. Click Save
7. (Optional) Configure additional settings like General Settings, Advanced Settings or Deployment Settings
8. Click Template Parameters
9. This page shows the associated variables within the device template configuration. Review and ensure they are setup correctly

10. In the Network Object Overrides section, click Add or Remove Network Object Overrides
11. In the Add Network Object Overrides window, choose the network objects for which you want to create network object overrides from the Available Networks window and click the > button

12. Click Save
13. Click Model Mapping

📘

Note

Model Mapping (Interface mapping) maps the Template interfaces to Target FTD interfaces or available FTD model interfaces.

14. Click Add Model Mapping
15. Choose the Device Model from the drop-down list.
16. Map the template interfaces to the device model interfaces by choosing the interface from the Model Interface drop-down list. Alternatively, click Map Default to map the template interfaces to the device model interfaces based on the slot and port index order.

17 . Click Save. The interface mappings are listed along with the device model and mapping status on the Model Mapping window.

1. (Optional) Repeat the steps for additional hardware model mapping

1. Click Save on the top right to save the template configuration

Configure Device Registration on Branch Device

1. On the FTD CLI, configure the following command to register it to FMC

configure manager add <FMC_Public_IP> <secret_key> <NAT_ID>

e.g. configure manager add 198.18.10.1 cisco1001 cisco1001

Add a Device to the Management Center using a Registration Key and a Device Template

1. Choose Devices > Device Management

2. Click Add > Device (Wizard)

3. On the Add Device window, choose Use Registration Key to register a device using a registration key.

4. Choose a template from the Device Template drop-down list.

5. Under Device Details, configure branch FTD details like Host, Display Name, Registration key, Device Group and Unique NAT ID

📘

Note

You can skip the Host entry if you are using NAT ID for device registration.

6. Enter values for the Variables and Network object overrides.

7. Click Add Device to initiate device registration. The template configurations are applied after the device is successfully registered with the Management Center.

   

8. Navigate to Task Notifications and ensure the device template apply is successful.

9. (Optional) Click on Download Report in the task notification to review the details of device template configuration pushed to the branch device.

📘

Note

Device Templates can be used along with SN as well to onboard branch devices.

Verification

To ensure the branch device has the required configuration from the device template, follow the below steps

1. Navigate to Devices > Device Template

   

2. Edit the Branch Template

3. Click Associated Devices on the far right

   

4. Ensure the branch device is present in the table and the Sync Status and Apply Status are set to In Sync and Successfully applied the template.

   

5. If any additional changes are made to the device or the template, click Reapply Template to reapply the template to make the configuration in sync with the template.

   

📘

Note

If there is any configuration change on device or in the template after template was applied, the template association shows out of sync.

For more details, please refer to the link <https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/m_device-management-using-templates.html#concept_vwl_gdd_bbc>

Troubleshooting

1. Check the error report to know more about the failure.
2. Review the values used for variables and check for overlaps or any incompatibilities
3. Ensure that model mapping within a device template is valid

For troubleshooting device templates related issues, please refer to the following link: Device Templates Troubleshooting

Key Callouts

• Maximum of 250 device templates supported on the Management Center
• Management and diagnostic interfaces must be converged
• Not supported with multi-instance or cluster deployments
• No override support for network groups and other object types
• Templates can be applied on HA devices. However, application of device templates during HA device pair registration is not supported.

Additional Resources

To learn more about device-templates, please refer to the following link:

Device Management Using Templates