Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1812
Views
10
Helpful
3
Replies

Cisco Firepower Management Center event local storage limit

M.Jallad
Level 1
Level 1

‎03-12-2017 04:05 PM - edited ‎03-10-2019 06:47 AM

Dears,

We have recently deployed an FMC with Sensors with multiple inline sets and alot of traffic passing through all the zones ; we have an issue leaving tracking historical events for example for connections. We used the below document and tuned the access policies to only log beginning or end of connections for some rules. However , we didn't change connections events limits because we afraid that this might affect the sensor or FMC resources. 

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118012-troubleshoot-firesight-00.html

Is there any recommendations or best practices to decide how to set events limits or could we go ahead and raise the limit to maximum for example and guarantee that resources would not be affected.

Just adding a little piece of information ; after monitoring ,we have observed that we have an average of 300,000 connections events per hour and the default connection events limit is 1,000,000 which means we currently have a history of almost only 3 hours and a half. 

Thanks for your assistance,

Muayad Jallad,

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-13-2017 02:20 AM

There have been several threads answering this question recently. Here is a recent one:

https://supportforums.cisco.com/discussion/13239291/connection-events-and-storage-size

Bottom line is that the virtual FMC is limited to a total database size of 10 million records.

Some feel that limit is artificial and that customers should be able to allocate more VM resources to make the limit much higher. However, Cisco does not currently allow that by design.

I gave the feedback to three different Cisco engineers at Cisco Live Melbourne last week and did not feel they were sympathetic to the input. 

M.Jallad
Level 1
Level 1
In response to Marvin Rhoads

‎03-13-2017 03:52 AM

Hi Marvin,

We have FMC 2000 Appliance and for that i believe the limits are as mentioned in the below document 300 M distributed among several databases :

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/System-Policy.html#pgfId-8018593

However, can i use the maximum limit without risking over-utilization of FMC resources !

Muayad,

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to M.Jallad

‎03-13-2017 11:54 AM

To be honest I wouldnt do that. I have tried a limit of 100M on FMC 4000 and it has become quite slow. I think this is due to the fact that connection events are stored into mysql and each query will only use one cpu core by design. I am not a big fan of storing a large set of events in a relational database but thats how FMC does it.

Hope that helps. :)

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card