In all my travels, I go to a whole heck of a lot of customers with various Firepower gear and different FMCs. What I have found is that most of my customers have been either oversold or undersold on the processing/storage/memory of their hardware FMC. In the salesperson's defense, finding the right FMC for a large network isn't that easy, so if they can, they just sell the top-of-the-line, most expensive 4500 (it's the largest/fastest Cisco has, so the customer will be fine)! Yeah, until the customer realizes they were oversold, or finds out (when someone finally configures FTD correctly) that they were sorely undersold!
The Cisco 1000, 2500 and 4500 all look about the same:
So why am I stopping my day to write this blog post? Because I have been to a lot of large schools and Fortune 50 companies with FTD 4150/9300s, which are some very powerful NGFW devices, and just in the last month I've consulted in both Nevada and Ohio at large school districts. Each had multiple internal groups, with admins in each location responsible for hundreds of thousands of students, and each department had multiple 9300s to manage. Yet somehow one of these admin groups was sold an FMC 2000, while the others were sold 2500s and 4500s, with no rhyme or reason as to why or how each received what they did. This, unfortunately, is a common occurrence.
So, as we worked on the policies, configuration and, most importantly, the network analysis, we watched the FMC 2000 basically choke and die while the FMC 4500 just kept moving along with basically the same configurations/devices. To get the FMC 2000 working at all, we had to disable almost all logging (sending it to syslog/Splunk instead). To say this admin and his boss were upset that they were undersold the 2000 instead of an FMC 2500 at a minimum is an understatement, and they justly should be upset, as Cisco doesn't want to replace it for them at no cost. Is this a problem? Yes. Do I see this all the time? Yes. Was the FMC 2000 EOL when sold? Yes!
So how do you get the right FMC on a budget? (Cisco Firepower and budget are mutually exclusive!) Well, you could test it in production to find out, just like my customer did in Ohio with the FMC 2000…yikes! Hopefully, though, this short bulleted list will help you make sure you're getting the right FMC for your network.
BUT first, before we go on, are you even sure you bought the correct FTDs? Well, this FMC blog will be long enough as it is, so I'll just add a new blog post for you on how to find the FTD that's right for you! Here it is .. and that post is much shorter, since picking an FTD is much easier than picking an FMC!
A couple of quick thoughts:
- Max sensors are just that: a maximum. In my experience, cutting Cisco's listed number of supported devices in half is a good rule of thumb (though this will vary with FTD type, number of users, bandwidth and more).
- The EPS/FPS is the events per second/flows per second the FMC can handle, and it is all-so-important! (Discussed at the end of this post, to make it even longer!)
First, I have already posted info about the vFMC here: vFMC Blog post
This is a very, very useful FMC, and I have at least 20 of these spun up in my lab at any time. Cheap and easy, and you can enable the eval license for up to a year if you want to do labbing (and class!). You can only have up to 25 devices, but I wouldn't put more than 8 pairs total in production with lower-end FTD devices such as 5506/8/16s. Once you go up to the 5525/45/55/2100, then I'd bring down the number of devices you're using, or upgrade to a hardware FMC. If you're at FTD 4100/9300s, just skip this section on the vFMC, as it's not for your production network at all.
- Retail Price: 2 devices $500, 25 devices $10,795 (reality: Basically Free)
- Max Sensors: 25
- IPS events: 10M
- Connection events: Up to 50M
- RAM: Up to 16G
- Firepower: 50,000 users/50,000 hosts
- Event Storage: 250G
- EPS/FPS: depends on system (but very low in comparison)
So how do you find the maximum number of connection events you can store on your FMC? That's a great question! It doesn't seem to be written down anywhere, so here is how you find out. Go to System > Configuration > Database.
The default on ALL FMCs is 1,000,000…a ridiculously small amount, and if you don't know about this setting, you won't even know it's low. So, set the Maximum Connection Events to just over a billion, like so: 1,000,000,001. Click Save and the system will now tell you the maximum for your FMC. You can see in this screenshot that the vFMC is now at 50 million total.
What about the other settings? Although you can change the number of IPS events stored, as shown in my details of each FMC listed below, I wouldn't change much of anything else. Be careful here. The only setting you can really safely change is the most important one: Maximum Connection Events, which holds the logging from your ACP rules.
- Retail Price: $24,800.01 (reality: <$7500 each when bought in HA pairs)
- Max Sensors: 50
- IPS events: 30M
- Connection events: Up to 90M
- RAM: 32G
- Firepower: 50,000 users/50,000 hosts
- Event Storage: 900G
- EPS/FPS: 5,000
At a list price of $63,235.00, this may make you take another look at the specs of the vFMC…
- Retail Price: $63,235.00 (reality: <$25k each when bought in HA pairs)
- Max Sensors: 300
- IPS events: 60M
- Connection events: Up to 300M
- RAM: 64G
- Firepower: 150,000 users/ 150,000 hosts
- Event Storage: 1.8T
- EPS/FPS: 12,000
With a whopping list price of $116,804.98, you'll really need to be a school or non-profit to afford these…and just to remind you, and make it even more real, remember that you'll need two for HA!! (Cisco's rep puts pinky to cheek and laughs like Austin Powers while telling you this)…
The 4150/55s and 9300 FTD devices are the best NGFWs in the industry, and they can send some data! 4500s are your only option today.
- Retail Price: $116,804.98 (reality: <>$60k each when bought in HA pairs)
- Max Sensors: 750
- IPS events: 300M
- Connection events: Up to 1B
- RAM: 128G
- Firepower: 600,000 users/ 600,000 hosts
- Event Storage: 3.2T
- EPS/FPS: 20,000
This is an all-so-important subject to understand (I'll keep it short), because even a 4500 can be overloaded.
I had a customer in D.C. that had two hundred 4150s in 100 pairs…yes, and they paid $100 million too! Wowza! Anyway, their 4150s sent way more data than their 4500 FMC HA pair could handle, as you can imagine! Looking at the 4500 bullet points above, you can see the small number of events this device can receive, although in reality 20k EPS is a lot!
Just like the solution for the FMC 2000 described above, we offloaded ALL events to Splunk to solve this issue.
Now you can just imagine the Splunk salesman with his pinky to his cheek, can't you? I think they all have their pinkies glued to their faces, now that I think about it…
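As an added sizing check (my own example, not code from the original post or from Cisco), here is a small Python calculator that applies the half-the-listed-sensors rule of thumb and the EPS ceilings from the bullet lists above, and works out how many hours of connection events the Database cap holds at a steady event rate. The model names attached to the first two hardware lists and the 30,000 EPS deployment figure are assumptions; only the 4500 is named in the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FmcSpec:
    name: str
    max_sensors: int            # Cisco's listed device count
    max_connection_events: int  # the ceiling the Database page reveals
    eps: int                    # events/flows per second the FMC can ingest


# Figures from the three hardware bullet lists in this post. The model names
# on the first two are assumed from their sensor counts.
FMC_SPECS = (
    FmcSpec("FMC 1000 (assumed)", 50, 90_000_000, 5_000),
    FmcSpec("FMC 2500 (assumed)", 300, 300_000_000, 12_000),
    FmcSpec("FMC 4500", 750, 1_000_000_000, 20_000),
)


def size_fmc(sensor_count: int, measured_eps: int,
             sensor_margin: float = 0.5) -> Optional[FmcSpec]:
    """Smallest FMC whose derated sensor limit (listed count * margin) and
    EPS ceiling both cover the deployment. None means no hardware FMC fits
    and events have to be offloaded to syslog/Splunk."""
    for spec in sorted(FMC_SPECS, key=lambda s: s.eps):
        if (sensor_count <= spec.max_sensors * sensor_margin
                and measured_eps <= spec.eps):
            return spec
    return None


def retention_hours(spec: FmcSpec, measured_eps: int) -> float:
    """Hours of connection-event history the cap holds at a steady rate,
    assuming Maximum Connection Events was raised to the FMC's ceiling."""
    if measured_eps <= 0:
        raise ValueError("measured_eps must be positive")
    return spec.max_connection_events / measured_eps / 3600


if __name__ == "__main__":
    # Constructed deployment: 200 sensors (100 HA pairs) pushing 30,000 EPS,
    # which is more than any FMC in the table can ingest.
    fit = size_fmc(200, 30_000)
    print(fit.name if fit else "no FMC fits: offload events to syslog/Splunk")
    print(f"{retention_hours(FMC_SPECS[2], 20_000):.1f} h of events at 20k EPS")
```

At the 4500's rated 20k EPS the one-billion-event cap holds well under a day of connection events, which is why offloading to an external log store matters even on the biggest box.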