https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897115#M1103150 <P>Aasume you have upload 100 and download 500 and you want to give 25% to VoIP&nbsp;</P> <P>So you can try add to QoS policy&nbsp;</P> <P>One for app VoIP give it 25 and 125&nbsp;</P> <P>And other for any IP give 75 and 375.</P> <P>I am not sure it work but I dont think fpr have QoS like router and SW.</P> Tue, 01 Aug 2023 17:16:04 GMT MHM Cisco World 2023-08-01T17:16:04Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896421#M1103122 <P>Is there a way to rate limit the traffic generated by the FTD itself?&nbsp;&nbsp;Example: if VoIP is going through the Firewall, can we prioritize VoIP over the events traffic generated by the FTD itself?</P> <P>I'm familiar with the QoS feature of FTD which permit basic rate limitation by assigning maximum throughput on user traffic.&nbsp; Is there a way we could use the FTD QoS feature to limit the outbound traffic a FTD is sending to the FMC, by, example limiting the traffic to FMC TCP/8305?</P> <P>Or is the FTD like the ASA: It filters user traffic, but not the traffic generated by the FTD itself?</P> <P>Thanks.</P> Mon, 31 Jul 2023 23:14:08 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896421#M1103122 cpaquet 2023-07-31T23:14:08Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896432#M1103123 <P>Hello,</P> <P>The feature you mean would be Control Plane Policing (CoPP), that is something that does exist on Cisco IOS, but it is not relevant to FTD.</P> <P>The FTD has build-in control to protect it's control plane, the QoS rate limit you mean would affect the data plane.</P> Tue, 01 Aug 2023 00:27:22 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896432#M1103123 rhingel 2023-08-01T00:27:22Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896974#M1103139 <P>Could you expand on the built-in control plane mechanisms in FTD to prevent overloading the system?</P> <P>A more drastic approach, which would not be useful, but does provide strict control-plane control is using FlexConfig with the access-group xxxx&nbsp; control-plane command.&nbsp;</P> Tue, 01 Aug 2023 13:44:57 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896974#M1103139 cpaquet 2023-08-01T13:44:57Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896981#M1103140 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291184">@cpaquet</a> I am not aware of rate-limiting availability on the FTD control plane, but if you used a dedicated management interface instead of a data interface for communication to/from the FMC, then that management event traffic would be isolated.</P> Tue, 01 Aug 2023 13:51:04 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896981#M1103140 Rob Ingram 2023-08-01T13:51:04Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896983#M1103141 <P>I am trying to think of an use case where you need to rate-limit the communication between the FTD and FMC, can you ellaborate on your requirement?</P> Tue, 01 Aug 2023 13:53:47 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896983#M1103141 rhingel 2023-08-01T13:53:47Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896989#M1103142 <P>Hi'&nbsp;</P> <P>There are two QoS'</P> <P>QoS of VoIP pass through FTD which applies to interface&nbsp;</P> <P>But how QoS of VoIP generate from FTD itself? That you need to elaborate.</P> <P>Thanks&nbsp;</P> <P>MHM</P> Tue, 01 Aug 2023 14:04:16 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4896989#M1103142 MHM Cisco World 2023-08-01T14:04:16Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897098#M1103148 <P>Example: In a data center (clustering, LISP, etc), where you are doing extension FTD logging to the FMC, but also you have multiple critical user applications.&nbsp; How would you configured the FTD to give precedence to user applications if there is contation for the bandwidht?&nbsp; Thus the possible need to throttling the FTD 'self-traffic'.</P> Tue, 01 Aug 2023 16:56:42 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897098#M1103148 cpaquet 2023-08-01T16:56:42Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897099#M1103149 <P>Good point.&nbsp; Thanks.</P> Tue, 01 Aug 2023 16:57:09 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897099#M1103149 cpaquet 2023-08-01T16:57:09Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897115#M1103150 <P>Aasume you have upload 100 and download 500 and you want to give 25% to VoIP&nbsp;</P> <P>So you can try add to QoS policy&nbsp;</P> <P>One for app VoIP give it 25 and 125&nbsp;</P> <P>And other for any IP give 75 and 375.</P> <P>I am not sure it work but I dont think fpr have QoS like router and SW.</P> Tue, 01 Aug 2023 17:16:04 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897115#M1103150 MHM Cisco World 2023-08-01T17:16:04Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897131#M1103151 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291184">@cpaquet</a>&nbsp;wrote:<BR /> <P>Example: In a data center (clustering, LISP, etc), where you are doing extension FTD logging to the FMC</P> <HR /></BLOCKQUOTE> <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291184">@cpaquet</a> you can rate limit syslog traffic, this can be configured via platform settings policy and deployed to the managed FTD. <A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId--41694258" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId--41694258</A></P> <P>I believe QoS will only apply to traffic "through" the FTD, not "to" (traffic to/from the FTD itself).</P> Tue, 01 Aug 2023 17:37:59 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897131#M1103151 Rob Ingram 2023-08-01T17:37:59Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897137#M1103152 <P>He is confused about data pass or initiate from FTD. I think meaning pass through ftd so he need qos policy.</P> Tue, 01 Aug 2023 17:47:38 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897137#M1103152 MHM Cisco World 2023-08-01T17:47:38Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897234#M1103158 <P>Hi Rob, excellent suggestion to use syslog rate limit, if throttling for FTD 'self-traffic' is not available.</P> Tue, 01 Aug 2023 20:48:24 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897234#M1103158 cpaquet 2023-08-01T20:48:24Z https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897235#M1103159 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a>&nbsp;: Rob is not confused.&nbsp; He understand perfectly my original question which is: how can we throttling the traffic generated by FTD itself. This is considered traffic 'to/from' the firewall, and not traffic through the firewall.</P> Tue, 01 Aug 2023 20:51:58 GMT https://community.cisco.com/t5/network-security/rate-limiting-ftd-s-own-traffic/m-p/4897235#M1103159 cpaquet 2023-08-01T20:51:58Z