How To Make Your Cisco Virtual FMC Drastically Faster!

14

I have a LOT of customers that use the virtual FMC with their Firepower or Firepower Threat Defense (FTD) implementations. Sure, why not, they are very inexpensive!

When an IPS Event occurs, all IPS analyzed packets from that event go through your devices are transferred to the FMC by default (and you really want this for analysis!), you need to make sure your FMC is beefy if you have multiple managed devices.

I also recommend to my clients that if they have managed devices over a slower serial link, for example, they disable the transfer packets option for that device(s). Since theoretically you can have 25 managed devices in a vFMC, you need to manage this correctly.

Your first option for getting some serious response on your FMC is to buy a hardware based FMC…hey, if you can afford 4100 or 9300 devices then buy a pair of 2500/4500 FMC’s for crying-out-loud!

Since most people cannot afford the price tag of the higher end appliances, let alone the hardware FMC’s, the vFMC is the most used and most popular FMC. That said, just a couple tweaks and you’ll be drastically faster.

First, understand the the virtual FMC uses the e1000 (1Gbit/s) interfaces, so you can replace the default interfaces with vmxnet3 (10 Gbit/s) interfaces. Also, you can use VMware Tools to improve the performance, but you probably already do these…so what really helps?

Secondly, and most importantly here, you can really up the memory and vCPU’s now, so let’s max that baby out at 8 CPU’s (from the default of 4). Also, 12 Gigs of RAM works rather well, but 16 Gigs would be great! Yes, this will be a drastic improvement on response time, in-depth analysis, and reporting!

Now that we have a more robust FMC, let’s do something with it! A vFMC defaults to 1M connection events, which is really nothing in today’s networks. Before 6.1 you could change this to 10M events, which was great, but starting with 6.1 we can now store 49 Million Connection Events, which give us great connection event search capability! With a hardware based FMC this goes up even more, but with our newly tweaked vFMC, we’re golden!

Cool!

14 Comments

  1. I like the һelpful info you proѵide in your articles.
    I will boߋkmark your weblog and check agаin here frequently.

    I am qᥙite certain I’ll learn many new stuff right here!
    Good luck for tһe next!

    1. I have not had any issues with VMware tools or installing the tools….however, I am not a VMWare experts so I don’t have a guide. I can just tell you my experience with this…
      thanks for writing!

  2. HI Todd,

    you have mentioned about the option of increasing the RAM of the FMCv to enhance the performance.
    Can we increase the RAM of the Virtual Machine( after the FMCv is build on it), I mean does it take into effect by FMCv ?
    Can you please share the steps to increase the RAM, if you have. thank you :)

  3. Hi Todd,
    we are using 2 * vFMC with 8 FTD (2130) in a LAB just now before moving them into Production. If we lose the vFMC how would you recommend moving my FTDs to the other vFMC. They are totally separate entity’s as HA is not supported in the vFMC’s. Cisco TAC tell me that backups/snapshots/Veeam is not supported for the virtual FMCs. I’m kind of stumped at the minute. A manual build after re-registering would take me days.
    Love reading your tips n tricks. Must join your classes.
    Regards

    1. With any FMC you need to back those up daily, and make sure and move the backup off the FMC. Unless you have a hardware FMC, you cannot have HA.
      if you lose your vFMC, then you need to build a brand new one with the same code, snort version, and VBD, and then bring the devices is.
      The FTD’s do not lose their configuration and would bring in their IPs. It will take you an hour to do it all, but not two days!! :)
      I cover this is my classes and videos
      thank you!
      Todd Lammle

    1. You need vcenter to run the virtual devices and the FMC would need 8, but it would run very slow, but the FTD’s can take as little as 4

Leave a Reply

Your email address will not be published. Required fields are marked *