Building a Cisco Firepower Threat Defense (FTD) + Firepower Management Center (FMC) lab on EVE-NG is one of the highest-ROI things you can do as a network security engineer. It gives you a production-realistic environment to practice firewall policies, NAT, VPN, and IPS — all on commodity hardware.
This guide walks through every step: hardware requirements, image import, FTD/FMC bootstrapping, device registration, and deploying your first access control policy with NAT.
Hardware Requirements
FMC is a resource hog — it needs 28GB RAM minimum (Cisco enforced; it won't boot with less). Here's what you need:
| Component | Minimum | Recommended |
|---|---|---|
| RAM | 32GB | 64GB |
| CPU | 8 cores (VT-x/AMD-V) | 16 cores |
| Storage | 200GB SSD free | 500GB NVMe |
| EVE-NG | Community 5.0+ | Pro 5.0+ |
| OS | Ubuntu 20.04 bare metal | Bare metal |
Why so much RAM? FMCv = 28GB, each FTDv = 8GB. Add a management workstation and a couple of routers for traffic generation, and 32GB is tight for a single FTD setup. With 64GB you can run FMC + 2× FTD + supporting infrastructure comfortably.
Getting the Images
Download from Cisco Software Downloads (requires Cisco.com account with Smart Account or service contract):
| Image | Filename Pattern | Size |
|---|---|---|
| FTDv | Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.x-xxx.qcow2 | ~1.5GB |
| FMCv | Cisco_Secure_Firewall_Management_Center_Virtual-7.2.x-xxx.qcow2 | ~5GB |
Grab the qcow2 versions directly. If you only have VMDK/OVA:
```bash
# Extract from OVA if needed
tar xvf Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.1-40.tar.gz

# Convert VMDK → qcow2
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 \
    ftdv-7.2.1-disk1.vmdk \
    virtioa.qcow2
```
Importing into EVE-NG
SSH into your EVE-NG server:
```bash
# Create image directories (naming convention matters)
mkdir -p /opt/unetlab/addons/qemu/ftd7-FTD-7.2.1-40
mkdir -p /opt/unetlab/addons/qemu/fmc7-FMC-7.2.1-40

# Upload images — MUST be named virtioa.qcow2
scp FTDv-7.2.1-40.qcow2 \
    root@eve-ng:/opt/unetlab/addons/qemu/ftd7-FTD-7.2.1-40/virtioa.qcow2
scp FMCv-7.2.1-40.qcow2 \
    root@eve-ng:/opt/unetlab/addons/qemu/fmc7-FMC-7.2.1-40/virtioa.qcow2

# Fix permissions (run after every image import)
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
```
Critical: The image must be named virtioa.qcow2 inside its directory. EVE-NG silently ignores anything else.
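The directory and filename rules above are easy to get wrong when you repeat the import for a second FTD or a new version. The helper below is an added example for this article, not an EVE-NG tool: it assumes the `ftd7-FTD-`/`fmc7-FMC-` directory prefixes shown above select the EVE-NG template, always writes the disk as `virtioa.qcow2`, and only runs the permissions wrapper when it exists on the host.

```bash
# Added example: stage an FTDv/FMCv qcow2 into EVE-NG's addons tree.
# Hypothetical helper, not part of EVE-NG. Assumes the ftd7-/fmc7- prefix
# picks the right template and that the disk must be named virtioa.qcow2.
set -u

# stage_eve_image <ftd|fmc> <version> <path-to-qcow2> [addons-base-dir]
# Prints the staged path on success; returns non-zero on any failed check.
stage_eve_image() {
    local kind="$1" version="$2" src="$3"
    local base="${4:-/opt/unetlab/addons/qemu}"
    local prefix

    case "$kind" in
        ftd) prefix="ftd7-FTD" ;;
        fmc) prefix="fmc7-FMC" ;;
        *)   echo "kind must be ftd or fmc, got '$kind'" >&2; return 2 ;;
    esac
    [ -f "$src" ] || { echo "image not found: $src" >&2; return 1; }
    # Only qcow2 is accepted here; convert VMDK/OVA first with qemu-img.
    case "$src" in
        *.qcow2) ;;
        *) echo "expected a .qcow2 image, got: $src" >&2; return 1 ;;
    esac

    local dir="$base/$prefix-$version"
    mkdir -p "$dir" || return 1
    # EVE-NG ignores any other filename, so the copy is always virtioa.qcow2.
    cp "$src" "$dir/virtioa.qcow2" || return 1

    # Sanity check the container format when qemu-img is available on this host.
    if [ -x /opt/qemu/bin/qemu-img ]; then
        /opt/qemu/bin/qemu-img info "$dir/virtioa.qcow2" | grep -q 'file format: qcow2' \
            || { echo "virtioa.qcow2 is not a valid qcow2 image" >&2; return 1; }
    fi
    # The permissions wrapper only exists on a real EVE-NG server.
    if [ -x /opt/unetlab/wrappers/unl_wrapper ]; then
        /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
    fi
    echo "$dir/virtioa.qcow2"
}
```

Run it as `stage_eve_image ftd 7.2.1-40 ./FTDv-7.2.1-40.qcow2` on the EVE-NG server; pass a fourth argument to stage into a different base directory.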
Lab Topology
```text
[Outside Router] --- [FTD Outside] --- [FTD] --- [FTD Inside] --- [Inside Hosts]
                                         |
                                         +--- [FTD DMZ] --- [DMZ Server]

[Management Net] --- [FMC] --- [FTD Management]
```
Create FTD Node
In EVE-NG web GUI → Add Node → Cisco FTD 7:
- CPU: 4 vCPUs
- RAM: 8192 MB
- Interfaces: 4 (Mgmt0/0, Gi0/0, Gi0/1, Gi0/2)
- Connect: Mgmt0/0 → management net, Gi0/0 → outside, Gi0/1 → inside, Gi0/2 → DMZ
Create FMC Node
Add Node → Cisco FMC 7:
- CPU: 4 vCPUs
- RAM: 28672 MB (28GB — non-negotiable)
- Interfaces: 1 (Management)
- Connect: Management → same network as FTD mgmt
⏳ FMC takes 15-20 minutes to boot on first launch. Don't panic if it looks stuck — it's initializing its database.
Bootstrapping FTD
After boot, connect via console. FTD presents an EULA + setup wizard:
```text
You must accept the terms to continue. [y/n] y
Enter new password: ********
Confirm new password: ********
Configure IPv4 via DHCP or manually? manual
IPv4 address: 10.10.10.2
Netmask: 255.255.255.0
Default gateway: 10.10.10.1
Hostname: FTD-LAB
DNS: 8.8.8.8
Search domain: lab.local
```
Verify management connectivity:
```text
> show network
===============[ System Information ]===============
Hostname      : FTD-LAB
IPv4 Address  : 10.10.10.2
IPv4 Gateway  : 10.10.10.1

> ping 10.10.10.3
64 bytes from 10.10.10.3: icmp_seq=1 ttl=64 time=0.843 ms
```
Deploying FMC
Boot FMC, go through similar setup wizard (IP: 10.10.10.3). After "System is ready" appears in console, access the GUI:
https://10.10.10.3
The dashboard takes 5-10 minutes to fully populate on first access.
Registering FTD to FMC
This is the step most guides gloss over. Registration requires matching credentials on both sides.
On FTD CLI:
```text
> configure manager add 10.10.10.3 MyRegKey123
Manager successfully configured.
```
In FMC GUI:
- Devices → Device Management → Add → Device
- Host: 10.10.10.2
- Registration Key: MyRegKey123 (must match the key given on the FTD CLI)
- Access Control Policy: Create new → "Lab-ACP"
- Licensing: Evaluation mode (90-day)
- Click Register
Registration takes 3-5 minutes. Monitor progress at System → Monitoring → Task Status.
Verify from FTD:
```text
> show managers
Host         : 10.10.10.3
Registration : completed
```
Your First Access Control Policy
Create Security Zones
Objects → Object Management → Security Zones:
| Zone | Type | Purpose |
|---|---|---|
| INSIDE | Routed | Trusted internal |
| OUTSIDE | Routed | Untrusted internet |
| DMZ | Routed | Semi-trusted servers |
Assign Interfaces
Devices → Device Management → [FTD-LAB] → Interfaces:
| Interface | Name | Zone | IP |
|---|---|---|---|
| Gi0/0 | outside | OUTSIDE | DHCP or static |
| Gi0/1 | inside | INSIDE | 192.168.1.1/24 |
| Gi0/2 | dmz | DMZ | 172.16.1.1/24 |
Create ACL Rules
Policies → Access Control → Lab-ACP:
| Rule | Source Zone | Dest Zone | Action | Logging |
|---|---|---|---|---|
| Inside-to-Outside | INSIDE | OUTSIDE | Allow | End |
| Inside-to-DMZ | INSIDE | DMZ | Allow | End |
| Outside-to-DMZ-Web | OUTSIDE | DMZ | Allow (HTTP/S) | Begin+End |
| Default-Deny | Any | Any | Block | Begin |
Configure NAT
Devices → NAT → New Policy:
```text
# Dynamic PAT: inside → outside
Type: Dynamic
Source: INSIDE → OUTSIDE
Original: 192.168.1.0/24
Translated: Interface (outside IP)

# Static NAT: DMZ web server
Type: Static
Source: DMZ → OUTSIDE
Original: 172.16.1.10
Translated: 203.0.113.10
```
Deploy
Click Deploy → select FTD → Deploy. Wait 2-3 minutes.
Verify:
```text
> show access-control-config
===================[ Lab-ACP ]====================
Default Action : Block

-------[ Rule: Inside-to-Outside ]-------
Action       : Allow
Source Zones : INSIDE
Dest Zones   : OUTSIDE
```
What to Practice Next
With your base lab running, expand into these areas:
- IPS/IDS — Snort 3 intrusion policies attached to ACL rules
- Site-to-Site VPN — IKEv2 between FTD and an IOS router
- Remote Access VPN — AnyConnect with certificate auth
- ISE Integration — Identity-based access control
- HA Failover — Active/standby with a second FTD
- SSL Decryption — Inspect encrypted traffic
FAQ
How much RAM for FTD + FMC on EVE-NG?
32GB minimum (FMC=28GB + FTD=8GB). 64GB recommended for 2× FTD.
Can I use FTD without FMC?
Yes — FDM (Firepower Device Manager) works for single-device management. But FMC-managed FTD is what matters for production and certification.
What FTD version?
Use 7.2.x or later for the best feature coverage and documentation.
The original version of this article was published on FirstPassLab.
Disclosure: This article was adapted from FirstPassLab content with AI assistance for formatting and editing.