08 Aug

Cisco Firepower NGIPSv on ESXi

Cisco Firepower NGIPS is available on multiple platforms. One of deployment option you have is virtual appliance running on top of ESXi hypervisor. This product is called NGIPSv in Cisco documentation.

Using a single physical machine with ESXi hypervisor in an isolated network is one of the best ways to perform Proof of Concept (PoC) labs for IPS solution. You cannot evaluate the product without testing it in a sandbox where you can try to hack it, infect it or do any other nasty things. This way, you can in single ESXi run NGIPSv, Firepower Management Center (FMCv) and one or more VMs in the back.

Here is a quick step-by-step guide how to deploy NGIPSv in transparent mode on single ESXi host. What we want to accomplish is having NGIPSv in front of other virtual machines. In this scenario, there is no firewall, just NGIPSv sensor. It is of course not the safest, the best practice and the most flexible way to deploy sensor. You should not use it just like that in your production network. I use this setup only for quick demo purposes when I want to show how Cisco Firepower NGIPS solution is working, get network discovery working, some IPS policy and get the end host infected by malware.

ESXi configuration

  1. Create two vSwitches – their names will be vSwitch0 and vSwitch1
  2. Assign nic0 to vSwitch0, don’t assign any NIC to vSwitch1
  3. Create Management Network with no tagging on vSwitch0. I will call it VM Network
  4. (optional) Create the second network with no tagging on vSwitch0, my name for this one is Management Network
  5. Create one network on vSwitch1, I will call it Internal.
  6. Enable promiscuous mode on all groups

The final networking configuration of two vSwitches will look as below

vSwitch0 Configuration

vSwitch0 Configuration

vSwitch1 Configuration

vSwitch1 Configuration

Firepower NGIPSv

  1. Install NGIPSv
  2. Assign the first interface to VM Network group, this interface is eth0 in the sensor and will be used for management, assign IP address from subnet assigned to this group
  3. Assign the second interface to Internal group from vSwitch1, don’t assign any IP addresses
  4. Assign the third interface to VM Network group, don’t assign any IP addresses


User host

  1. Create VM with end user host
  2. Assign network interface to the Internal group from vSwitch1 and assign an address from subnet assigned to VM Network group. Yes, that is not a mistake, remember that NGIPSv will work in transparent mode
  3. Configure proper routing and other network settings


Firepower Management Center

  1. Install FMCv – it is management console. You will not be able to set sensors without it
  2. Assing FMCv interface of VM Network group and assign IP address for subnet assigned to this group
  3. Add NGIPSv sensor and assign licenses
  4. Create policy with network discovery and any other features you desire
  5. Create Inline Set between interfaces eth1 and eth2 on sensor
  6. Deploy policy

If you did everything properly your end user device will now have access to the Internet and is protected by NGIPSv. Well done!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: