FMC is in North America. (Eventually, could be a pair of FMC in HA, but for time being is a standalone FMC).
5515-X-SFR are located all around the world.
1. What happens if SFR lose connectivity with FMC? My understanding is:
a. SFR will continue analysing traffic using the config it had just prior to losing connection with FMC
b. SFR will log events locally, and pass those logs to FMC once connectivity is re-established
c. since SHA-256 cloud-query can't be sent to FMC for lookup, SFR will let the file go through (default 2-second timeout for release).
2. If SFR still can't communication with FMC, at what point would SFR start purging the event data it's caching? Will it start purging once it reaches a percentage SSD usage? Or will it start purging after X hours? If it's purging, I presume it's FIFO? or is it based of least severity level of events? I don't think it would purge by least-severity level since SFR doesn't know which event is significant or not: I think that only FMC is be able to adjust the impact level, since only FMC knows the context, from info it has gathered via Network Discovery.
3. Once FMC and SFR connectivity is re-established, will SFR start pushing all the log events it has cached while the connectivity was down? I would think it is necessary to do so, in order to FMC to be able to eventually do proper retrospective analysis.
4. Once the connectivity is re-established and SFR is sending its cached events to FMC, will FMC then go query the cloud with the SHA-256 of those files that SFR had to let go through since it couldn't ask FMC about their malware disposition while their connectivity was broken?
5. Is there a way to have the SFR query directly the cloud should it lose it's connectivity with FMC?
Thanks for helping us better prepare for BC.
You are right with point 1
For point 2 SFR will start purging events based its SSD usage and that will be based on FIFO.
For point 3, yes SFR will start pushing all the events to FMC once connectivity is back.
You are right for point 4 as well where SFR will send all the info, including file events to FMC and it can do analysis and show retrospective events.
As of now SFR does not send the query directly to cloud and needs FMC.
Rate if helps.