05-11-2021 12:45 PM
First, I would like to say I hate the same word being re-used to represent different things/features within the same product line...
I understand there is the multi-instance feature provided by 4K/9K FTDs, which I believe is considered container-based instances. This is pretty straightforward actually.
However, within the individual FTD itself, if I check IPS/Detection Engine logs/statistics, there is "instance-#" shown/referenced... Obviously these "instance-#" are different from the multi-instance feature above, and I think Cisco calls these native instances (I might be wrong)...
So my questions:
1. What do the native instances represent? Instances of Snort?
2. Different platforms (ASA vs FTD) that run the FTD image have different numbers of native instances, right? Any datasheet-type reference regarding this?
3. Do more native instances mean potentially better performance?
Thanks,
05-12-2021 05:49 AM
The detail you are seeing is the number of Snort (IPS engine) instances running. That is completely separate from the "multi-instance" feature of running separate FTD instances in containers on a 4100 or 9300 series firewall. Those are known as container instances.
You can see the number of Snort instances at a given time with "show snort instances" from the CLI.
The varying hardware models support increasing numbers of Snort instances in a parallel processing scheme to increase throughput of the system.
05-11-2021 12:54 PM - edited 05-11-2021 12:55 PM
FP 4K or 9K
The base is FXOS; on top you have any instance, for example ASA as one instance and FTD as another instance.
All shared with common infrastructure as hardware, but different isolated instances (just like ESXi VMs).
Depending on the deployment requirement, big enterprise service providers run one instance due to traffic requirements;
it can be FTD or ASA depending on choice (in most cases FTD, since this is a next-generation FW).
Here is a good reference:
Good Cisco Live presentation also for reference:
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3035.pdf
05-11-2021 01:08 PM
Thanks for the info. But that’s not what I am looking for…
05-11-2021 01:42 PM
Thanks for the info. But that’s not what I am looking for…
What did we miss here? Explain?
05-11-2021 01:49 PM
As stated in the post, I want information on the native "instance-#" as shown within the individual FTD itself, if I check IPS/Detection Engine logs/statistics.
05-12-2021 06:09 AM
Thanks! So if these instance-# are only for Snort,
05-12-2021 06:45 AM
I don't have the figures for a 2130 handy (except that it has only 8 CPU cores total), but if we look at Andrew Ossipov's BRKSEC-3035 Cisco Live presentation from Barcelona 2020, we can see a Firepower 4115 for example. It has 46 CPU cores: 16 for data plane (roughly maps to LINA functions including prefilter, NAT, routing, etc.), 28 for Snort and 2 for system (FXOS hardware management etc.).
05-12-2021 06:56 AM
Okay, thanks!