Firepower FTD - Transfer Packets

jknox
Level 1

Hi,

I am hoping somebody can elaborate on the Transfer Packet feature/option when adding a device to the FMC.

The Cisco document says this option is on by default and that the FTD device sends packet data with the events to the Firepower Management Center. So does this mean that if the FTD device has 1 Gig of data traffic transiting the device, then the device also sends a full copy of the packet payload(s) to the FMC, i.e. the FMC effectively receives 1 Gig (ish...) of data?

The Cisco documentation does not really explain what this feature is really doing, and a post from Todd Lammle (https://www.lammle.com/blog/4685/installing-cisco-firepower-important-questions-answer-start/) seems to indicate that it is sending the full payload.

I am thinking of locating the FMC in a central DC and managing multiple FTD devices at other remote sites/DC's over the Internet and I am struggling to figure out what the inbound bandwidth hit is going to be at the FMC end, especially if each FTD device is sending a full copy of the payload of every packet.

Has anybody got any experience of using the Transfer Packet feature/option that they could share with me, please?

Rgds

John

5 Replies

Oliver Kaiser
Level 7

The Transfer Packet option is used to send packets to the FMC in case a certain event is triggered (e.g. Snort detected pattern xy in a packet -> send event + packet to FMC).

This option will not cause the sensor to send all traffic to the FMC. Connection events will not include the actual payload but only metadata about the connection.

Let me know if this answers your question.

Hi Kaisero,

Thank you for the quick reply.

Your answer makes total sense and is a lot clearer than the Cisco documentation.

I take it that the Transfer Packet option is not just used for IPS/Snort events, but is also used for malware and file control events as well?

John

Malware/File events only contain metadata and not the blocked/detected payload.

In case a cloud lookup yields no result (disposition = unknown/unavailable), the sensor directly uploads the file to AMP ThreatGRID for dynamic analysis, in case your File Policy is correctly configured.

You can see the results of the files analyzed in ThreatGRID at Analysis > Files > Captured Files. FMC polls information from ThreatGRID and updates the information shown in the Captured Files View.

Kind regards

Oliver

Thanks kaisero.

Hello @Oliver Kaiser,

Is it possible to enable this option after the device has been included on FMC 6.5?

Best Regards,

Rafael La Selva