Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2661
Views
0
Helpful
8
Replies

About instances in the FTD

Go to solution
m1xed0s
Spotlight
Spotlight

‎05-11-2021 12:45 PM

First, I would like to say I hate the same word been re-used to represent different thing/features within the same product line...

 

I understand there is the multi-instance feature provided by 4k/9k FTDs which I belive is considered as contained based instances. This is pretty straight forward actually.

 

However within the individual FTD itself, if I check IPS/Dectection Engine log/statistics, there is "instance-#" shown/referenced...Obviously these "instance-#" are different than the multi-instance feature above and I think Cisco calls these as native instances (I might be wrong)...

 

So my questions:

1. what are the native instances represent? instances of snort?

2. different platforms (ASA vs FTD) that run FTD image, has different number of the native instances, right? Any datasheet type of reference regards?

3. Do more native instances mean potential better performance?

 

Thanks,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to m1xed0s

‎05-12-2021 05:49 AM

The detail you are seeing is the number of Snort (IPS engine) instances running. That is completely separate from the"multi-instance" feature of running separate FTD instances in containers on a 4100 or 9300 series firewall. Those are known as container instances.

You can see the number of Snort instances at a given time with "show snort instances" from the cli.

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_8.html#wp1166799110

The varying hardware models support increasing numbers of Snort instances in a parallel processing scheme to increase throughput of the system.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-11-2021 12:54 PM - edited ‎05-11-2021 12:55 PM

FP 4K or 9K

 

The base is FXOS  - on top you have any instance example - ASA 1 instance and FTD another instance.

All shared with common infrastructure as a hardware, but different isolated instances (just like exsi - vm)

 

Depends on the requirement of deployment, big enterprise service providers, run one instance due to traffic requirement

it can be FTD or ASA depends on choice (most cased FTD since this is next Generation FW)

 

here is a good reference :

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/multi-instance/multi-instance_solution.html

 

Good Cisco live presentation also for reference :

 

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3035.pdf

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to balaji.bandi

‎05-11-2021 01:08 PM

Thanks for the info. But that’s not what I am looking for…

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to m1xed0s

‎05-11-2021 01:42 PM 

Thanks for the info. But that’s not what I am looking for…

what did we miss here ? explain?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to balaji.bandi

‎05-11-2021 01:49 PM

As stated in the post, I want information on the native ”instance-#” as shown within the individual FTD itself, if I check IPS/Dectection Engine log/statistics.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to m1xed0s

‎05-12-2021 05:49 AM

The detail you are seeing is the number of Snort (IPS engine) instances running. That is completely separate from the"multi-instance" feature of running separate FTD instances in containers on a 4100 or 9300 series firewall. Those are known as container instances.

You can see the number of Snort instances at a given time with "show snort instances" from the cli.

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_8.html#wp1166799110

The varying hardware models support increasing numbers of Snort instances in a parallel processing scheme to increase throughput of the system.

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to Marvin Rhoads

‎05-12-2021 06:09 AM

Thanks! So if these instance-# is only for snort,

  1. Is the instance-# corresponding to the CPU core, for example on a FTD2130 box?
  2. What about the Lina engine or prefilter? Does it get instance associated with CPU Cores as well? 
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to m1xed0s

‎05-12-2021 06:45 AM

I don't have the figures for a 2130 handy (except that it has only 8 CPU cores total), but if we look at Andrew Ossipov's BRKSEC-3035 Cisco Live presentation from Barcelona 2020, we can see a Firepower 4115 for example. It has 46 CPU cores: 16 for data plane (roughly maps to LINA functions including prefilter, NAT, routing, etc.), 28 for Snort and 2 for system (FXOS hardware management etc.).

0 Helpful

Go to solution
m1xed0s
Spotlight
Spotlight
In response to Marvin Rhoads

‎05-12-2021 06:56 AM

Okey, thanks!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card