Ask the Expert: Performance Troubleshooting on Cisco FirePOWER

Monica Lluis
Level 9
Join the Discussion : Cisco Ask the Expert

Safeguarding your network assets and data from today's threats isn't easy. You need detailed visibility into all your network layers and resources, and that is what the Cisco Firepower solutions provide. This visibility gives you the contextual awareness you need to properly evaluate the users, hosts, and applications running in your network, detect multi-vendor threats, and mount an automated defense response. The Firepower solution protects your network against known and unknown threats not only before an attack, but during and after an attack as well. In independent tests at NSS Labs, one of the world's leading information security research and advisory companies, the Firepower solution was rated 99.4 percent effective in stopping threats and 100 percent effective in preventing evasion techniques from succeeding. This session is an opportunity to learn and ask questions about an overview of the Firepower solution, use-case scenarios, and insights on basic troubleshooting and best practices recommended by engineering.

Ask questions from Wednesday April 27 to May 6, 2016

Featured Experts

Aastha Bhardwaj has been a Customer Support Engineer in the Technical Assistance Center Firepower team at Cisco Systems since May 2012. Aastha has 7 years of overall experience in security. She works with engineering and customers to resolve complex issues and creates documents and trainings to help customers use the product more fluidly. She is an expert in security technologies and products such as ASA, IPS, CX, FWSM, and Firepower. Aastha holds a CCIE certification in Security (#46900) as well as Sourcefire Certified Expert (SFCE #126176). She graduated with a Bachelor's Degree in Information Technology from Graphic Era Institute of Technology at Dehradun, India. She also loves cooking and enjoys traveling the world.

John Bennion has been a Customer Support Engineer in the Technical Assistance Center Firepower team in RTP since 2013. He has expertise in Cisco Firepower. John holds the CCNA and CCNP certifications in Routing and Switching and has obtained a Bachelor's Degree in Computer Information Systems with minors in business and mathematics from the University of Colorado at Pueblo, CO.


Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.

** Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions


We look forward to your participation. This event is open to all, including partners. Please share this event in your social channels. Have a technical question? Get answers here before opening a TAC case by visiting the Cisco Support Community.



I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead
13 Replies

Hey Philip,

You can register at this link: https://supportforums.cisco.com/event/12952026/webcast-performance-troubleshooting-cisco-firepower

Regards,

Aastha Bhardwaj

Hello Philip,

Thank you for your interest. This event will open on April 27th, after the live webcast. We invite you to attend the webcast. You can register here.

Kind Regards,

Monica

Monica Lluis
Community Manager Lead

Sarah Staker
Level 1

Hello Aastha and John,

I have a question: would you recommend enabling SSL decryption as a way to inspect encrypted traffic?

The answer is yes. SSL decryption is a very good way to inspect encrypted traffic. Just remember that SSL decryption is very resource intensive: we have to decrypt the traffic, then pass it through inspection, and after we are done we encrypt it again.

If you plan on using SSL decryption, please make sure your device has been spec'd for it so you are sure it can handle SSL decryption with the amount of traffic you are passing.

Hi John,

Is there any official documentation regarding the recommended amount of SSL traffic that can be processed by different models of Cisco ASAs? I ask because the datasheets with performance values were published before the SSL decryption feature on these platforms, and as I understand it, it wouldn't be correct to rely on those values if we plan to use SSL decryption.

How can we determine the amount of SSL traffic that can be processed by Firepower modules?

Oleg,

We do not currently have any official documentation. From what I understand, it is currently in the works.

My recommendation would be to get with a Cisco sales rep and have them analyze your environment so they can provide you with a list of options that would best fit your needs.
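Since the thread points out that the published datasheet numbers predate the SSL decryption feature, the sizing input you can produce yourself is a profile of how much of your own traffic is actually TLS and what its peak looks like. The script below is an added example (not code from Cisco or from this thread) that builds that profile from a connection-event export; the CSV column layout and the sample records are constructed for the example, and the decryption rating it compares against is a placeholder you would replace with the figure Cisco gives you for your platform.

```python
"""Estimate how much of the traffic a sensor sees is TLS, so that SSL
decryption can be sized before it is switched on.

Input is a connection-event export in the style of Firepower connection
events (first-packet time, initiator, responder, responder port, detected
application protocol, bytes in each direction). The records and the column
layout below are constructed for this example, not real sensor output.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample covering two minutes of traffic.
SAMPLE_EVENTS = """\
first_packet,initiator_ip,responder_ip,responder_port,app_proto,initiator_bytes,responder_bytes
2016-04-27 10:00:01,10.1.1.10,203.0.113.5,443,HTTPS,12000,950000
2016-04-27 10:00:05,10.1.1.11,198.51.100.7,80,HTTP,8000,240000
2016-04-27 10:00:09,10.1.1.12,203.0.113.9,443,HTTPS,30000,2100000
2016-04-27 10:00:20,10.1.1.13,192.0.2.44,53,DNS,400,1200
2016-04-27 10:00:31,10.1.1.10,203.0.113.5,443,HTTPS,5000,600000
2016-04-27 10:01:02,10.1.1.14,198.51.100.8,80,HTTP,10000,1500000
2016-04-27 10:01:15,10.1.1.15,203.0.113.12,443,HTTPS,20000,4000000
2016-04-27 10:01:40,10.1.1.16,192.0.2.44,53,DNS,300,900
"""

# Application detection is the primary signal; the port set is a fallback
# for sessions the detector could not classify.
TLS_APPS = {"HTTPS", "SSL", "TLS"}
TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}
EPOCH = datetime(1970, 1, 1)


def parse_events(text):
    """Parse the CSV export into dicts with timestamp, port, app and byte total."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["first_packet"], "%Y-%m-%d %H:%M:%S"),
            "port": int(row["responder_port"]),
            "app": row["app_proto"],
            "bytes": int(row["initiator_bytes"]) + int(row["responder_bytes"]),
        })
    return events


def is_tls(event):
    return event["app"] in TLS_APPS or event["port"] in TLS_PORTS


def tls_profile(events, window_seconds=60):
    """Bucket bytes into fixed windows; return overall TLS share and peak rates.

    Bytes are attributed to the window of the connection's first packet, which
    is what a connection-event export gives you. A long session really spreads
    its bytes over its lifetime, so the peak figure is an upper bound per window.
    """
    total = defaultdict(int)
    tls = defaultdict(int)
    for e in events:
        bucket = int((e["ts"] - EPOCH).total_seconds()) // window_seconds
        total[bucket] += e["bytes"]
        if is_tls(e):
            tls[bucket] += e["bytes"]

    def to_mbps(byte_count):
        return byte_count * 8 / window_seconds / 1e6

    all_bytes = sum(total.values())
    return {
        "tls_share": sum(tls.values()) / all_bytes if all_bytes else 0.0,
        "peak_tls_mbps": to_mbps(max(tls.values())) if tls else 0.0,
        "peak_total_mbps": to_mbps(max(total.values())) if total else 0.0,
    }


def decryption_headroom(profile, rated_decrypt_mbps):
    """Ratio of rated decryption throughput to the observed TLS peak.

    Below 1.0 the device cannot decrypt everything at peak. The rating must
    come from Cisco for the specific platform; the demo uses a placeholder.
    """
    peak = profile["peak_tls_mbps"]
    return float("inf") if peak == 0 else rated_decrypt_mbps / peak


if __name__ == "__main__":
    profile = tls_profile(parse_events(SAMPLE_EVENTS))
    print(f"TLS share of bytes: {profile['tls_share']:.1%}")
    print(f"Peak TLS: {profile['peak_tls_mbps']:.3f} Mbps "
          f"of {profile['peak_total_mbps']:.3f} Mbps total")
    print(f"Headroom at a hypothetical 100 Mbps decrypt rating: "
          f"{decryption_headroom(profile, 100):.1f}x")
```

Run it against a day or more of real connection events and use the peak window, not the average, when you talk to your sales rep; also keep the list of TLS ports honest for your environment, since traffic on non-standard ports that the application detector misses will be under-counted.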

With SSL decryption are you recommending outbound initiated SSL decryption as well? 

If you need to inspect all traffic through your network, then yes, I would recommend it. SSL decryption is the only way to inspect HTTPS or other encrypted traffic. There are things we can do without decrypting the traffic, but there is a chance that an attack will come through on a session that was initiated internally.

Some of the best ways to protect against this without using SSL decryption would be through Security Intelligence and URL/application filtering. You can use these tools to filter out known vulnerable sites.

evan.chadwick1
Level 1

I have a question in regards to host limits of the FMC. We have a 50,000 host limit.

When configuring Network Discovery. Is it this component that starts to consume the 50 000 limit? Or will internal hosts being processed through snort rules also start to use up the limited number?

How much time of inactivity from a host until the number is put back into the pool?

Thanks

Hello,

The 50,000 limit refers to the network discovery host limit. As soon as you reach the 50,000 limit, the system will start to prune old entries to make room for new entries. Entries will be removed if they haven't been updated in a week.

My recommendation would be to limit the IP range you are looking at in network discovery so you are only discovering the IP ranges that are most relevant to you.

Also remember that if you do reach this limit there will be no impact on network performance.
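The answer above recommends scoping network discovery to the ranges that matter, and states that entries not updated in a week are pruned once the limit is hit. The script below is an added example (not code from Cisco or from this thread) for deciding that scope from a host export: it counts discovered hosts per /24, flags which ones are past the one-week inactivity window quoted in the reply, and shows how a proposed discovery network list changes the number of hosts that count against the limit. The host records and their layout are constructed for the example, not the FMC host table format.

```python
"""Work out which address ranges consume the network discovery host budget
and which entries are past the inactivity window.

The host records and their two-column layout are constructed for this
example; the 50,000 limit and the one-week window are the figures quoted
in the thread.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

HOST_LIMIT = 50000
STALE_AFTER = timedelta(days=7)

# Constructed sample: discovered host, last time discovery updated it.
SAMPLE_HOSTS = """\
10.1.1.10,2016-05-02 09:00:00
10.1.1.11,2016-05-02 09:05:00
10.1.2.20,2016-04-20 08:00:00
10.1.2.21,2016-05-01 12:00:00
172.16.5.5,2016-04-10 10:00:00
172.16.5.6,2016-04-11 10:00:00
203.0.113.50,2016-05-02 10:00:00
"""


def parse_hosts(text):
    """Return a list of (ip_address, last_seen datetime) tuples."""
    hosts = []
    for line in text.strip().splitlines():
        ip, seen = line.split(",")
        hosts.append((ipaddress.ip_address(ip.strip()),
                      datetime.strptime(seen.strip(), "%Y-%m-%d %H:%M:%S")))
    return hosts


def stale_hosts(hosts, now, window=STALE_AFTER):
    """Hosts that have not been updated within the window and would be pruned first."""
    return [ip for ip, seen in hosts if now - seen > window]


def hosts_by_prefix(hosts, prefixlen=24):
    """Count hosts per aggregate prefix to see which ranges eat the budget."""
    counts = Counter()
    for ip, _ in hosts:
        counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def budget_report(hosts, now, monitored_networks, limit=HOST_LIMIT):
    """Apply a proposed discovery network list to the active hosts.

    Only hosts inside the monitored networks will be tracked; the rest drop
    out of the count entirely. Stale hosts are excluded before counting.
    """
    nets = [ipaddress.ip_network(n) for n in monitored_networks]
    active = [ip for ip, seen in hosts if now - seen <= STALE_AFTER]
    in_scope = [ip for ip in active if any(ip in n for n in nets)]
    return {
        "active": len(active),
        "in_scope": len(in_scope),
        "out_of_scope": len(active) - len(in_scope),
        "headroom": limit - len(in_scope),
    }


if __name__ == "__main__":
    now = datetime(2016, 5, 2, 12, 0, 0)   # constructed "current time"
    hosts = parse_hosts(SAMPLE_HOSTS)
    for net, n in hosts_by_prefix(hosts).most_common():
        print(f"{net}: {n} hosts")
    print("stale:", [str(ip) for ip in stale_hosts(hosts, now)])
    print(budget_report(hosts, now, ["10.0.0.0/8"]))
```

The prefix counts are what you take to the Network Discovery policy: keep the ranges with the hosts you actually care about and drop the ones, such as guest or internet-facing space, that fill the table without adding useful context.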

evan.chadwick1
Level 1

Hi Team,

Been using the virtual FMC with ASA/SFR deployed at sites. Great product. Just spun up one at home on the 5506-X with the built-in SFR module. I don't see network discovery.

Can you explain the difference in regards to the information I will be able to populate when driving the SFR via ASDM?

Thanks

Hi Evan,

Managing the device via the Defense Center gives you more visibility in terms of monitoring and reporting than ASDM does. Network discovery is not there in ASDM; it's a Defense Center feature.

Refer to this article for reporting on ASDM: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Reporting.html
