FMC is in North America. (Eventually, it could be a pair of FMCs in HA, but for the time being it is a standalone FMC).
5515-X-SFR are located all around the world.
1. What happens if the SFR loses connectivity with FMC? My understanding is:
a. SFR will continue analysing traffic using the config it had just prior to losing connection with FMC
b. SFR will log events locally, and pass those logs to FMC once connectivity is re-established
c. since the SHA-256 cloud query can't be sent to FMC for lookup, SFR will let the file go through (default 2-second timeout for release).
2. If SFR still can't communicate with FMC, at what point would SFR start purging the event data it's caching? Will it start purging once it reaches a percentage of SSD usage? Or will it start purging after X hours? If it's purging, I presume it's FIFO? Or is it based on the least severity level of events? I don't think it would purge by least severity level, since SFR doesn't know which event is significant or not: I think that only FMC is able to adjust the impact level, since only FMC knows the context, from info it has gathered via Network Discovery.
3. Once FMC and SFR connectivity is re-established, will SFR start pushing all the log events it cached while the connectivity was down? I would think it is necessary to do so, in order for FMC to be able to eventually do proper retrospective analysis.
4. Once the connectivity is re-established and SFR is sending its cached events to FMC, will FMC then go query the cloud with the SHA-256 of those files that SFR had to let go through, since it couldn't ask FMC about their malware disposition while their connectivity was broken?
5. Is there a way to have the SFR query the cloud directly should it lose its connectivity with FMC?