Building a Cisco FTD and FMC lab on EVE-NG gives you a free, fully functional environment to practice the firewall configuration that makes up roughly 40% of the CCIE Security v6.1 lab exam. This guide walks you through every step — from importing qcow2 images to deploying your first access control policy with NAT rules.
Key Takeaway: FTD/FMC hands-on practice is non-negotiable for CCIE Security candidates, and EVE-NG provides the most cost-effective way to build a production-realistic lab environment on commodity hardware.
What Hardware Do You Need for a Cisco FTD/FMC Lab?
A functional FTD/FMC lab requires significant resources because FMC alone demands 28GB of RAM. According to the EVE-NG documentation (2026), the system requirements scale with the number of concurrent nodes running.
Here is the minimum hardware breakdown:
| Component | Minimum | Recommended |
|---|---|---|
| RAM | 32GB | 64GB |
| CPU | 8 cores (Intel VT-x/AMD-V) | 16 cores |
| Storage | 200GB SSD free | 500GB NVMe |
| EVE-NG Version | Community 5.0+ | Pro 5.0+ |
| Hypervisor | Bare metal Ubuntu 20.04 | Bare metal (best performance) |
Why so much RAM? FMCv requires 28GB allocated (Cisco minimum — it will not boot with less), and each FTDv needs 8GB. Add a management workstation VM and a couple of routers for traffic generation, and 32GB is tight for a single FTD. With 64GB, you can comfortably run FMC + 2 FTDs + supporting infrastructure.
If you already have EVE-NG running for SD-WAN labs, you can add FTD/FMC nodes to your existing environment — just verify you have enough free RAM.
How Do You Obtain Cisco FTDv and FMCv Images?
Download the virtual images from Cisco Software Downloads. You need a valid Cisco.com account with either:
- An active Smart Account with evaluation licenses
- A service contract that covers virtual security products
- A DevNet sandbox account (limited access)
Images to Download
| Image | Filename Pattern | Size |
|---|---|---|
| FTDv | Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.x-xxx.qcow2 | ~1.5GB |
| FMCv | Cisco_Secure_Firewall_Management_Center_Virtual-7.2.x-xxx.qcow2 | ~5GB |
Download the qcow2 versions directly — these are ready for EVE-NG without conversion. If you only have VMDK files (OVA/OVF packages), you will need to convert them:
# Unpack the downloaded archive if needed
tar xvf Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.1-40.tar.gz
# Convert VMDK to qcow2 (only if you have VMDK format)
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 \
ftdv-7.2.1-disk1.vmdk \
virtioa.qcow2
How Do You Import FTD and FMC Images into EVE-NG?
SSH into your EVE-NG server and create the correct directory structure. According to the EVE-NG documentation (2026), image folder naming follows a strict convention.
Step 1: Create Image Directories
# FTD image directory
mkdir -p /opt/unetlab/addons/qemu/ftd7-FTD-7.2.1-40
# FMC image directory
mkdir -p /opt/unetlab/addons/qemu/fmc7-FMC-7.2.1-40
The directory naming convention matters:
- FTD: the ftd7- prefix tells EVE-NG this is a Firepower 7.x FTD node
- FMC: the fmc7- prefix identifies it as a Firepower 7.x Management Center
Step 2: Upload and Rename Images
Use SCP, FileZilla, or WinSCP to upload the qcow2 files:
# Upload FTD image and rename to virtioa.qcow2
scp Cisco_Secure_Firewall_Threat_Defense_Virtual-7.2.1-40.qcow2 \
root@eve-ng:/opt/unetlab/addons/qemu/ftd7-FTD-7.2.1-40/virtioa.qcow2
# Upload FMC image and rename to virtioa.qcow2
scp Cisco_Secure_Firewall_Management_Center_Virtual-7.2.1-40.qcow2 \
root@eve-ng:/opt/unetlab/addons/qemu/fmc7-FMC-7.2.1-40/virtioa.qcow2
Critical: The image must be named virtioa.qcow2 inside the directory. EVE-NG will not recognize it otherwise.
Step 3: Fix Permissions
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
This command sets the correct ownership and permissions on all EVE-NG lab files. Run it after every image import.
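The checker below is an added example, not part of the original guide or of EVE-NG. It tests the three conditions from Steps 1-2 and the conversion note (directory prefix, the virtioa.qcow2 filename, and real qcow2 content rather than a renamed VMDK). The sample tree, its directory names and the FMCv-7.2.1-40.qcow2 filename are constructed; on a real server you would call check_tree("/opt/unetlab/addons/qemu").

```python
import tempfile
from pathlib import Path

QCOW2_MAGIC = b"QFI\xfb"       # first four bytes of every qcow2 image
PREFIXES = ("ftd7-", "fmc7-")  # directory prefixes this guide uses
DISK_NAME = "virtioa.qcow2"    # disk filename this guide requires

def check_image_dir(path):
    """Return the problems found in one image directory (empty list = OK)."""
    path, problems = Path(path), []
    if not path.name.startswith(PREFIXES):
        problems.append("directory name lacks ftd7-/fmc7- prefix")
    disk = path / DISK_NAME
    if not disk.is_file():
        found = sorted(p.name for p in path.iterdir())
        problems.append(f"{DISK_NAME} missing, found {found}")
    else:
        with disk.open("rb") as fh:  # read only the header, images are several GB
            if fh.read(4) != QCOW2_MAGIC:
                problems.append(f"{DISK_NAME} is not qcow2 (convert it with qemu-img)")
    return problems

def check_tree(root):
    """Check every FTD/FMC-looking directory under root."""
    dirs = [d for d in sorted(Path(root).iterdir())
            if d.is_dir() and any(k in d.name.lower() for k in ("ftd", "fmc"))]
    return {d.name: check_image_dir(d) for d in dirs}

def build_sample(root):
    """Constructed sample tree: one correct import and three common mistakes."""
    layout = {
        "ftd7-FTD-7.2.1-40/virtioa.qcow2": QCOW2_MAGIC + b"\0" * 60,
        "fmc7-FMC-7.2.1-40/FMCv-7.2.1-40.qcow2": QCOW2_MAGIC + b"\0" * 60,  # not renamed
        "ftd7-FTD-from-ova/virtioa.qcow2": b"KDMV" + b"\0" * 60,  # VMDK, only renamed
        "FTD-7.2.1-40/virtioa.qcow2": QCOW2_MAGIC + b"\0" * 60,   # prefix missing
    }
    for rel, data in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True)
        target.write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return check_tree(tmp)

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```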
How Do You Create the Lab Topology in EVE-NG?
Build a topology with an inside network, outside network, and DMZ — this mirrors real-world deployment and the CCIE Security lab topology.
Target Topology
[Internet/Outside Router] --- [FTD Outside] --- [FTD] --- [FTD Inside] --- [Inside Switch/Hosts]
                                                  |
                                                  +--- [FTD DMZ] --- [DMZ Server]
[Management Network] --- [FMC] --- [FTD Management]
Step 4: Create FTD Node
In EVE-NG web GUI:
- Right-click the canvas → Add Node
- Select Cisco FTD 7 (or your uploaded template name)
- Configure:
  - CPU: 4 vCPUs (minimum)
  - RAM: 8192 MB (8GB)
  - Interfaces: 4 (Management0/0, GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2)
  - Console: telnet
- Connect interfaces:
  - Management0/0 → Management network (same as FMC)
  - GigabitEthernet0/0 → Outside network
  - GigabitEthernet0/1 → Inside network
  - GigabitEthernet0/2 → DMZ network
Step 5: Create FMC Node
- Add another node → Cisco FMC 7
- Configure:
  - CPU: 4 vCPUs
  - RAM: 28672 MB (28GB — this is Cisco’s minimum, not negotiable)
  - Interfaces: 1 (Management)
- Connect the management interface to the same management network as FTD
Note: FMC takes 15-20 minutes to boot fully on first launch. Do not panic if it appears stuck — it is initializing its database.
How Do You Bootstrap the FTD?
After starting the FTD node, connect via console and complete the initial setup.
Step 6: FTD Initial Configuration
On first boot, FTD presents an EULA and setup wizard:
! Accept EULA, then configure:
System initialization in progress. Please stand by.
You must accept the EULA to continue.
Press <ENTER> to display the EULA:
--MORE--
You must accept the terms to continue. [y/n] y
! Setup wizard begins:
Enter new password: ********
Confirm new password: ********
! Configure management interface:
Configure IPv4 via DHCP or manually? (dhcp/manual) [DHCP]: manual
Enter an IPv4 address for the management interface [192.168.45.45]: 10.10.10.2
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface [data-interfaces]: 10.10.10.1
Enter a fully qualified hostname for this system [firepower]: FTD-LAB
Enter a comma-separated list of DNS servers [208.67.222.222]: 8.8.8.8
Enter a comma-separated list of search domains []: lab.local
Step 7: Verify Management Connectivity
After setup completes, verify the management interface:
> show network
===============[ System Information ]===============
Hostname : FTD-LAB
Management port : 8305
IPv4 Default gw : 10.10.10.1
=================[ eth0 ]==================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autoneg
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 52:54:00:XX:XX:XX
----------------------[ IPv4 ]---------------------
Configuration : Manual
Address : 10.10.10.2
Netmask : 255.255.255.0
Gateway : 10.10.10.1
Verify you can reach FMC from FTD:
> ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=64 time=0.843 ms
How Do You Deploy and Initialize FMC?
Step 8: FMC First Boot
Start the FMC node in EVE-NG. First boot takes 15-20 minutes. Once ready, the console presents a similar setup wizard:
! FMC setup wizard:
Enter new password: ********
Confirm new password: ********
! Network configuration:
Configure IPv4 via DHCP or manually? manual
Enter an IPv4 address: 10.10.10.3
Enter the netmask: 255.255.255.0
Enter the gateway: 10.10.10.1
Enter the DNS: 8.8.8.8
Enter the hostname: FMC-LAB
Step 9: Access FMC Web GUI
After FMC finishes initializing (watch for “System is ready” in console), open a browser from your management workstation:
https://10.10.10.3
Login with the admin credentials you set during setup. The FMC dashboard takes another 5-10 minutes to fully populate on first access.
How Do You Register FTD to FMC?
This is where the magic happens. According to the Cisco Firepower Management Center Configuration Guide (2026), registration requires matching credentials on both sides.
Step 10: Configure FTD for FMC Management
On the FTD CLI:
> configure manager add 10.10.10.3 MyRegKey123
Manager successfully configured.
Where:
- 10.10.10.3 = FMC management IP
- MyRegKey123 = registration key (you choose this — it just needs to match on both sides)
If FMC is behind NAT (not typical in EVE-NG labs), use:
> configure manager add DONTRESOLVE MyRegKey123 MyNatID123
Verify the pending registration:
> show managers
Host : 10.10.10.3
Registration Key : ****
Registration : pending
Step 11: Add FTD in FMC GUI
In the FMC web interface:
- Navigate to Devices → Device Management
- Click Add → Device
- Enter:
  - Host: 10.10.10.2 (FTD management IP)
  - Registration Key: MyRegKey123 (must match FTD)
  - Access Control Policy: Create new → “Lab-ACP”
  - Smart Licensing: Evaluation mode (90-day eval)
- Click Register
Registration typically takes 3-5 minutes. Watch the task queue (System → Monitoring → Task Status) for progress.
How Do You Build Your First Access Control Policy?
With FTD registered, create a basic security policy with inside/outside/DMZ zones.
Step 12: Create Security Zones
Navigate to Objects → Object Management → Interface Groups → Security Zones:
| Zone Name | Type | Description |
|---|---|---|
| INSIDE | Routed | Trusted internal network |
| OUTSIDE | Routed | Untrusted internet-facing |
| DMZ | Routed | Semi-trusted server zone |
Step 13: Assign Interfaces to Zones
Navigate to Devices → Device Management → [FTD-LAB] → Interfaces:
| Interface | Name | Zone | IP Address | Security Level |
|---|---|---|---|---|
| GigabitEthernet0/0 | outside | OUTSIDE | DHCP or static | 0 |
| GigabitEthernet0/1 | inside | INSIDE | 192.168.1.1/24 | 100 |
| GigabitEthernet0/2 | dmz | DMZ | 172.16.1.1/24 | 50 |
Step 14: Create Access Control Rules
Navigate to Policies → Access Control → [Lab-ACP] and add rules:
| Rule Name | Source Zone | Dest Zone | Action | Logging |
|---|---|---|---|---|
| Inside-to-Outside | INSIDE | OUTSIDE | Allow | Log at End |
| Inside-to-DMZ | INSIDE | DMZ | Allow | Log at End |
| Outside-to-DMZ-Web | OUTSIDE | DMZ | Allow (HTTP/HTTPS only) | Log at Begin & End |
| Default-Deny | Any | Any | Block | Log at Begin |
Step 15: Configure Basic NAT
Navigate to Devices → NAT and create a NAT policy:
! Dynamic PAT for inside-to-outside traffic
Type: Dynamic
Source Interface: INSIDE
Destination Interface: OUTSIDE
Original Source: Inside-Network (192.168.1.0/24)
Translated Source: Interface (outside IP)
! Static NAT for DMZ web server
Type: Static
Source Interface: DMZ
Destination Interface: OUTSIDE
Original Source: DMZ-Server (172.16.1.10)
Translated Source: 203.0.113.10 (public IP)
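The following added example (not from the original guide and not FTD code) is a simplified model of how the Step 14 rules and the Step 15 static NAT combine: rules are evaluated top to bottom, first match wins, and the destination is untranslated to the real address before the lookup. Assumptions: the sample hosts 192.168.1.50 and 198.51.100.7 are constructed, only TCP destination ports are modelled, and "HTTP/HTTPS only" is taken to mean ports 80 and 443.

```python
from ipaddress import ip_address, ip_network

# Zone subnets from the Step 13 interface table; any other address is OUTSIDE.
ZONES = {"INSIDE": ip_network("192.168.1.0/24"), "DMZ": ip_network("172.16.1.0/24")}
# Step 15 static NAT: public address -> real DMZ server address.
STATIC_NAT = {"203.0.113.10": "172.16.1.10"}
# Step 14 rules, top to bottom: (name, src zone, dst zone, TCP ports or None, action).
RULES = [
    ("Inside-to-Outside", "INSIDE", "OUTSIDE", None, "Allow"),
    ("Inside-to-DMZ", "INSIDE", "DMZ", None, "Allow"),
    ("Outside-to-DMZ-Web", "OUTSIDE", "DMZ", {80, 443}, "Allow"),
    ("Default-Deny", "Any", "Any", None, "Block"),
]

def zone_of(ip):
    """Map a real (untranslated) address to its security zone."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "OUTSIDE")

def evaluate(src_ip, dst_ip, dst_port, rules=RULES):
    """Return (rule, action) for the first rule that matches the flow."""
    dst_ip = STATIC_NAT.get(dst_ip, dst_ip)  # destination is untranslated first
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for name, s_zone, d_zone, ports, action in rules:
        if s_zone in ("Any", src) and d_zone in ("Any", dst) \
                and (ports is None or dst_port in ports):
            return name, action
    return "(policy default action)", "Block"

# Constructed sample flows: (source, destination, destination TCP port).
FLOWS = [
    ("192.168.1.50", "198.51.100.7", 443),   # inside host browsing
    ("192.168.1.50", "172.16.1.10", 22),     # admin SSH into the DMZ
    ("198.51.100.7", "203.0.113.10", 443),   # internet client to published web server
    ("198.51.100.7", "203.0.113.10", 22),    # internet client trying SSH
    ("172.16.1.10", "192.168.1.50", 445),    # DMZ server reaching into INSIDE
    ("172.16.1.10", "198.51.100.7", 443),    # DMZ server fetching updates
]

def report(rules=RULES):
    return [evaluate(*flow, rules=rules) for flow in FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, report()):
        print(flow, "->", verdict)
    # Rule order matters: with Default-Deny moved to the top, nothing is allowed.
    print(report([RULES[3]] + RULES[:3]))
```

The last two flows show that this policy gives the DMZ server no way to open connections of its own, including outbound update traffic, until a rule for it is added above Default-Deny.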
Step 16: Deploy Configuration
Click Deploy in the FMC toolbar → select your FTD → Deploy. Wait for the deployment to complete (typically 2-3 minutes).
Verify on FTD CLI:
> show access-control-config
===================[ Lab-ACP ]====================
Description :
Default Action : Block
-------[ Rule: Inside-to-Outside ]-------
Action : Allow
Source Zones : INSIDE
Dest Zones : OUTSIDE
...
What Should You Practice Next?
With your base lab running, expand into these CCIE Security v6.1 topics:
- IPS/IDS Policies — Create intrusion policies using Snort 3 rules and attach them to access control rules
- Site-to-Site VPN — Build an IKEv2 VPN between FTD and an IOS router
- Remote Access VPN — Configure AnyConnect RA-VPN with certificate authentication
- ISE Integration — Connect FTD to ISE for identity-based access control (requires ISE lab setup)
- High Availability — Add a second FTD and configure active/standby failover
- SSL Decryption — Set up SSL policy for inspecting encrypted traffic
For a comparison of FTD versus legacy ASA and when to use each, see our ASA vs FTD guide.
Frequently Asked Questions
How much RAM do I need to run FTD and FMC on EVE-NG?
You need at least 32GB of RAM to run one FMC (28GB allocated) and one FTD (8GB allocated) with basic lab infrastructure. For two FTDs plus FMC, 64GB is recommended.
Where do I download Cisco FTDv and FMCv images for EVE-NG?
Download FTDv and FMCv qcow2 images from Cisco Software Downloads (software.cisco.com). You need a valid Cisco.com account — a Smart Account with evaluation licenses or an active service contract.
How do I register FTD to FMC in EVE-NG?
On the FTD CLI, run configure manager add <FMC-IP> <reg-key> with a registration key you choose. Then in FMC GUI, go to Devices > Device Management > Add Device, enter the FTD IP and the same registration key.
Can I use FTD without FMC?
Yes, FTD supports local management via Firepower Device Manager (FDM) for single-device deployments. However, the CCIE Security lab requires FMC-managed FTD, so practice with FMC.
What FTD version should I use for CCIE Security v6.1 practice?
Use FTD 7.2.x or later. This version aligns with the current CCIE Security v6.1 blueprint features and is the most widely documented for lab environments.
A working FTD/FMC lab is the single most important asset for CCIE Security preparation. The exam tests real configuration under time pressure — and there is no substitute for the muscle memory you build deploying access policies, NAT rules, and VPN tunnels in a live environment.