How To Make Your Cisco Virtual FMC Drastically Faster!
I have a LOT of customers that use the virtual FMC with their Firepower or Firepower Threat Defense (FTD) implementations. Sure, why not, they are very inexpensive!
When an IPS Event occurs, all IPS analyzed packets from that event go through your devices are transferred to the FMC by default (and you really want this for analysis!), you need to make sure your FMC is beefy if you have multiple managed devices.
I also recommend to my clients that if they have managed devices over a slower serial link, for example, they disable the transfer packets option for that device(s). Since theoretically you can have 25 managed devices in a vFMC, you need to manage this correctly.
Your first option for getting some serious response on your FMC is to buy a hardware based FMC…hey, if you can afford 4100 or 9300 devices then buy a pair of 2500/4500 FMC’s for crying-out-loud!
Since most people cannot afford the price tag of the higher end appliances, let alone the hardware FMC’s, the vFMC is the most used and most popular FMC. That said, just a couple tweaks and you’ll be drastically faster.
First, understand the the virtual FMC uses the e1000 (1Gbit/s) interfaces, so you can replace the default interfaces with vmxnet3 (10 Gbit/s) interfaces. Also, you can use VMware Tools to improve the performance, but you probably already do these…so what really helps?
Secondly, and most importantly here, you can really up the memory and vCPU’s now, so let’s max that baby out at 8 CPU’s (from the default of 4). Also, 12 Gigs of RAM works rather well, but 16 Gigs would be great! Yes, this will be a drastic improvement on response time, in-depth analysis, and reporting!
Now that we have a more robust FMC, let’s do something with it! A vFMC defaults to 1M connection events, which is really nothing in today’s networks. Before 6.1 you could change this to 10M events, which was great, but starting with 6.1 we can now store 49 Million Connection Events, which give us great connection event search capability! With a hardware based FMC this goes up even more, but with our newly tweaked vFMC, we’re golden!