1. rtaccon
    December 5, 2018 @ 3:02 pm

    About the Multi-instance (at the moment) it”s ONLY available for Cisco Firepower 4100/9300 (too much $) will this feature be available on a Cisco ASA 5508 (as currently available a license with up 5 multiple context) ?
    As the ASA5505 will be EoS cause will not support FTD version 6.3 do you know if a new “soho” Cisco Firepower applicance will be available or the Cisco ASA 5508 will be the new entry level device for FTD ?
    Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)


    • lammle
      December 5, 2018 @ 6:16 pm

      It will be eventually available on the 5500x but remember it’s not contexts but instances. That means each image gets its own CPU and memory. They can have a shared port, for example a port going to the internet, but that’s it, they are all very much separated services!


      • kaisero
        December 7, 2018 @ 11:56 am

        “It will be eventually available on the 5500x” – Are you really sure about that Todd? IMO multi-instance will be something that will be limited to FPR2100/4100/9300 since it is built on top of FX-OS hence there is a certain dependency. Combine that with the amount of resources required for multi-instance I think it will not be available on the old 5500-X series, which will probably be EOLED in a few years.


        • lammle
          December 7, 2018 @ 12:01 pm

          I had heard that the 5500x will get it, but we’ll see
          they are all already EOL…but they can run a pure FTD image for a long time, so they might get it, we’ll see…but I don’t recommend running it on those for the reason you state


  2. Colin Higgins
    December 6, 2018 @ 8:27 am

    We have 16 firewalls split among two FMC appliances. Even with administering only 8 firewalls (FTDs and ASAs with Firepower), the system is extremely slow and sluggish. I can’t imagine trying to add multi-instance to this, or user-based access control.

    The problem is largely with Java and the underlying system. Will Cisco ever go to HTML 5 in order to clean up FMC?


    • lammle
      December 6, 2018 @ 3:10 pm

      Yes, make sure you have 16 Gig or RAM if you’re vFMC….if you have 2500 or 4500 that’s the best you get
      6.2.3 code should be your minimum code, if you’re not running that, it will be slower than need be.


  3. Abbaszadeh
    December 6, 2018 @ 2:01 pm

    Thanks for your attention.


  4. Rob
    December 15, 2018 @ 8:47 pm

    Thanks for the write up… obviously the upgrade path is FMC then FTD… I’m curious if some of these features are available if you are only running 6.3 FMC and say 6.2.3.x for the FTD. Also, since the 5506s are no longer support beyond 6.2, will some of the administrative features available in 6.3 work for those devices? Namely the syslog configuration and the Contextual Cross-launch?


    • lammle
      December 16, 2018 @ 9:06 am

      I run 6.3 FMC and 6.2.3 for FTD devices at a lot of customers right now – works great. Yes, you lose some features like FQDN but not Syslog…no problems so far and I have done about 40 devices in the last 1.5 weeks…thanks for writing!


  5. Stefan
    January 18, 2019 @ 6:51 am

    Hi Todd, thanks for the write up.

    Regarding the multi-instance.. do you know how many instances are supported on the 4100 appliances ?
    -can’t seem to find the info in release notes.

    Kind regards


    • lammle
      January 18, 2019 @ 7:48 am

      Hi Stefan. Yes, you can get as many instances as you have cores. Each instance takes 8 cores, so depending on the model and cores you have will determine that amount
      however, they are coming out with 4115, 4125, 4145 and 4155 soon and it will double the amount of cores!


  6. Sammy
    January 23, 2019 @ 12:23 pm

    Thanks Tod for new updates. Is it safe to upgrade FTD to 6.3? Is it stable ?


    • lammle
      January 23, 2019 @ 12:53 pm

      Very! I highly recommend it!
      I’ve had 5 classes with it and most of my customers use it now too.


  7. shahad
    May 28, 2019 @ 4:15 am

    Hi Lammle, IAB and AAB are not enabled by default in FTD 6.3. no mention for that in release notes, also in the configuration guides its clearly stated that AAB is not enabled by default however your screen shots shows enabled:

    “By default the AAB is disabled; to enable AAB follow the steps described.
    AAB activates when an excessive amount of time is spent processing a single packet. AAB activation partially restarts the Snort process, which temporarily interrupts the inspection of a few packets. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information”


    “Not all deployments require IAB, and those that do might use it in a limited fashion. Do not enable IAB unless you have expert knowledge of your network traffic, especially application traffic, and system performance, including the causes of predictable performance issues. Before you run IABin bypass mode, make sure that trusting the specified traffic does not expose you to risk.”

    is it possible to adjust this information so its not misleading anyone. Thank you for your valuable contributions


    • lammle
      May 28, 2019 @ 7:05 am

      yes, this is correct, Shahad, I believe I wrote that because it was supposed to be on by default, but they are not. AAB should be on by default, but even with 6.4 it still is not!
      Thanks for posting!


  8. Skjalg
    July 29, 2019 @ 6:28 am

    Quick question regarding throughput and multi instance.

    I’m currently setting up a 2 instance deployment on the 4110’s, on 10 Core and one 12 Core instance, and as far as I can tell I’m getting half the announced IPS throughput with empty ACP and default balanced security and connectivity.

    To verify I assigned one instance with all 22 cores and I get maximum 5Gb/s throughput with all snort processes @ 100%

    Does enabling multi instance actually cut my IPS througput in half? or am I doing it wrong?

    Cant find anything about this particular aspect of multi instance anywhere.


    • Todd Lammle
      July 29, 2019 @ 9:09 am

      it can cut it in half, what is your IPS policy set at, meaning do you have a default set?
      that’s a little high on the latency though regardless


      • Skjalg
        August 1, 2019 @ 2:59 am

        I just went with default balanced security and connectivity, and followed the best practices in the “Essential Firepower” book by Alex Tatistcheff. Enabled inline normalization in the NAP.

        I actually found some info about this in BRKSEC-3035 by cisco live on-demand by Andrew Ossipov.


        In the slide deck he tells us how to calculate the throughput based on number of cores and whitepaper numbers.

        • Maximum container instance throughput is proportional to CPU core count
        • Step 1: Obtain maximum native instance (full cores) throughput from data sheet
        • Step 2: Divide figure from Step 1 by native Snort cores
        • Step 3: Multiply figure in Step 2 by Snort cores for instance size

        Which, in my case for a 12 core instance results in (11Gbs / 12 Native Snort Cores) * 6 Instance Snort Cores = 5,5 Gb/s

        I get only half that with 2,3 Gb/s. Which I find weird as single flow tests gives me 700+ Mb/s.

        TAC justs says its not viable to test throughput and links to a Cisco live session describing how hard it is to do real tests on these types of devices, and I agree its not trivial if you want to really test.

        But I would think that filling up the Snort Cores with X amount of large flows like iPerf sessions/SMB filetransfers/web downloads/etc from multiple machines would get us close to the maximum.


        • atatistcheff
          August 1, 2019 @ 12:29 pm

          There are a number of factors that enter in when determining FTD performance. On the Snort side the major features are:

          Base (AVC)
          Threat (IPS)
          Malware (AMP)
          SSL Decryption

          Enabling some or all of these will have a massive impact on the throughput of the device. According to Cisco, your FP4110 will be hammered at 100% if you push 4Gbps with Base, Threat and Malware enabled. Remove Malware and you’re still at 60% so you can see this one feature has a pretty major impact. We won’t even talk about SSL Decryption…

          That being said, Docker architecture of multi-instance doesn’t introduce any more overhead on the Snort processes. However, you will lose 2 CPU cores to management with each instance. Because of this, your total multi-instance throughput won’t add up to the native device throughput. This gets worse with smaller devices (the 4110 being the smallest device that supports multi-instance) and with more instances.

          To compare apples to apples you should use the “show snort instance” command from the CLI of your device. This is the FTD management IP assigned to the logical device/instance. This will tell you how many CPU cores are dedicated to Snort in that device. You can then have some idea what throughput you can expect.

          Note that the CPU cores in an instance should be:
          2 cores for overhead
          50% cores for ASA
          50% cores for Snort

          Check this out and verify it’s what you’re seeing.


          • Todd Lammle
            August 1, 2019 @ 1:13 pm

            Great answer, Alex! thank you!

          • Skjalg
            August 2, 2019 @ 4:58 am

            Thank you!

            Good and detailed answer that confirms most of what I have learned so far. Really appreciate you guys taking the time to answer some random guys questions on the Internet.

            I did not intend to create a “support thread” here, just to ask a quick question that I could not find good answers to anywhere else… I just hate not knowing exactly how things work and can’t let stuff go until I do…

            I am curious though where do you get the 4 Gbps limit with Base, Threat and Malware?

            From the official data sheet I get Throughput: FW + AVC + IPS (1024B) 11 Gbps, Can’t find the numbers for FW + AVC + IPS + AMP

            I can confirm that with 12 cores assigned to the instance I have 6 Snort instances available

            which does not add up to 2 cores management, 5 cores LINA, 5 cores Snort?

            > show snort instances
            Total number of instances available – 6

            | INSTANCE | PID |
            | 1 | 25233 |
            | 2 | 25234 |
            | 3 | 25235 |
            | 4 | 25236 |
            | 5 | 25237 |
            | 6 | 25238 |

          • atatistcheff
            August 2, 2019 @ 8:11 am

            The 4Gbps number comes from the Performance Estimator. It’s a tool that’s internally available at Cisco and designed primarily for pre-sales to get a good idea of what devices to scope for a particular use-case.

            That’s interesting that you got 6 Snort cores out of a 12 core instance. That’s a good thing! I haven’t tested this myself but was going from some early training on multi-instance. It’s possible this was changed or my info wasn’t 100% accurate. I have noticed the two management cores when setting up logical devices on a FP9300. For example a SM-44 which has 88 cores shows 86 usable when you start assigning cores to instances.

            Happy Snorting!

Leave a Reply

Your email address will not be published. Required fields are marked *