cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

18134
Views
15
Helpful
15
Replies
Highlighted
Beginner

Connection events and storage size

Hi,

We have configured 2 Firepower 8350 (v5.4.0.7) with the same health policy, system policy, etc. In one of these if we go to "Connections events" we can se the events recevided, but not in the another one (its empty)

On the another hand, we would like to increase the database size for logs in Virtual defense center, where can increase the events stored in firepower too?? /var/log is empty but it seems like FPower can assume more events.

Regards,

15 REPLIES 15
Highlighted
Hall of Fame Guru

soporteAC  ,

A virtual FMC is limited by design to 10 million events total. See Table 3 of the product data sheet for confirmation:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

That includes 2 million Connection Events and 1 million each of various other types of events as shown in your FMC under System > Configuration > Database. You can change the relative allocations and even go so far as to allocate all 10 milion records to connections events. But the overall database size is not configurable nor is the amount of disk allocated to the VM.

See the following section of the Configuration Guide for further guidance:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/system_configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771

Highlighted

Hi, thanks a lot for your response.

What impact would have to increase database connections events in FMC???? any recommended value???

going into firepower by ssh and running df -h we see a lot of free space in /var/log. So we have space to store more logs.

regards

Highlighted

The sum total of all event types cannot exceed the 10 million hard limit. It does not matter that there is storage - the database size is limited and Cisco has no current plans to change that limit on the VM platform.

They feel the negative impacts to the customer experience outweigh the benefits for those customers with smaller deployments (such as the virtual FMC is designed for) looking to scale up to mid-size. For larger databases they really strongly recommend buying a hardware-based FMC appliance.

You can reallocate within the categories so as to adjust their respective maxumium records according to your unique operational environemnt and needs - as long as the total is 10 million or less.

Highlighted

Hi,

Is it possible in database to delete Malware Event Database (currently configured 1million events)?, we havent malware connections enabled. And this million of event is added to "connection database"????

This would do that we have more size for our connections? 

thanks

Highlighted

Think of it as one big database with multiple tables. Total limit is 10 million records.

You can set the Malware Event Database records to zero and then allocate those 1 million records to the Connection Event Database.

Highlighted

Have the limits been increased  in the last 6 months?

I dont' recall 1 billion before for FMC 4000

connection events

Security Intelligence Events

10 million (Management Center Virtual)


50 million (MC750)


100 million (MC1500)


300 million (MC2000)

500 million (MC3500)


1 billion (MC4000)

Upper event limit is shared between connection events and Security Intelligence events; the sum of configured maximums for the two events cannot exceed the upper event limit.

Highlighted

The data sheet for FirePOWER Management Center is still listing 300 million for the FMC 4000 (and even the new FMC 4500).

See Table 3 here:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html

Highlighted

Marvin, 

I found this document, who stats a 49 million events for FMC on virtual platform.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Management_Center_System_Configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771

Connection events

Security Intelligence events

49 million (Management Center Virtual)


50 million (MC750)


100 million (MC1500)


300 million (MC2000)

500 million (MC3500)


1 billion (MC4000)

Limit is shared between connection events and Security Intelligence events. The sum of the configured maximums cannot exceed this limit.

Zero (disables storage)

I see on configuration guide for 5.4 version, the limit was 10 millions, but apper as 6.0 version Cisco have "upgraded" it to 49 million.

Currently we have a case on TAC to confirm this number.

Highlighted

I strongly suspect a documentation error there.

I specifically brought up this 10 million event limitation with several Cisco Technical Marketing Engineers (TMEs) at Cisco Live Melbourne this month and they all confirmed the 10 million events limit and stated there were no near term plans to change that.

I submitted a document feedback form to get confirmation. Please let us know what your TAC engineer says as well.

Highlighted

The actual database limit for the virtual FMC is 50 million events, combined for connection events and security intelligence events.  The default size for security intelligence is 1,000,000, which is why the documentation said 49,000,000.  However, if you were to reduce the number of SI events, you could add the same to connection events.  For example, you could have 500,000 SI events, and 49,500,000 connection events if you wanted.

Highlighted

Any help in trimming? 

 

Don't mean to hijack the thread, but we have been running several thousand users through a pair of ASA5555's and everything is zippy and working.. but reports are only showing about 12 hours in the past!

 

I contacted TAC and they immediately did what you guys are talking about.. upped the Connection Events table to 49,000,000. We got another couple of hours of reporting added to our 12 hours. 

 

Is it really ~$15,000 for a device that can give us a week's worth of URL filtering reports (IPS is licensed, but we have 6 rules in our Access Control Policy and not using IPS yet.. just a couple of different AD groups to filter URL's, nothing fancy)?

 

I only have logging on two of the rules in our ACP.. is there nothing I can do to trim that down?

 

Definitely a difficult product to wrap your head around, but once you get going, it seems to be working well.. but if I can't get more than ~16 hours of who went to what URL, this customer is going to have a fit that they have to buy another piece of equipment.

 

FMC is currently a KVM virtual (6.2.0.2)... Thanks for all of this info! I was reading 10 million as well.. and thinking that TAC was upping it to 49 million without really knowing what was going on ;-)

 

 

Highlighted

I am in the same exact position. We purchased a Virtual FMC which has three 5515-x ASA's feeding it and our total user count is roughly 5,000.

 

We currently cannot go back more then 3-4 hours of connection events. I opened a TAC case today and we played with all of the database settings, Cisco's answer was ultimately that we are putting to much traffic through it.

 

You are correct in that I am struggling to see the value in this.

 

On top of that, the SI feeds seems to be unreliable. We received malware alerts for users that were updating their endpoint protection from Sophos. The link was one of Sopho's well known update URI's.

 

We tried white listing our DNS traffic and another one of our application update server's to trim down some of the logging but they still show up everywhere. In reports, in connection events etc. 

Highlighted

It's a bit of a challenge to tune the logging on FMC.  Let me give you my thoughts on best practices.

 

First of all, take a look at what all you're logging.  Almost certainly, you're logging connections you don't need.  For all of the generic network traffic (NTP, DHCP, and such), you should probably turn OFF logging to FMC.  If you want to keep all of it, send those logs to SYSLOG instead of FMC.  These types of communications are very chatty, and it's unlikely you're getting valuable information from them, but they are filling up your available log space in the database.

 

Another thing to look at is WHEN you're logging.  Are you logging at both Beginning and End of connection?  On each line in your Access Control Policy, think about whether you need both.  If you can get by with logging only at the end of connection, you'll save a lot of space in the database.

 

If you have your SMTP inbound traffic going through the firewall -- especially if you have an email security appliance that it's destined to -- you likely don't need to log this traffic on the FMC.  You'll still get summary information, even if the individual logs are disabled.  Again, consider sending these logs only to your SYSLOG server (if you have one).

 

This process will be useful, as you look through your ACP.  In general, if you want the logs for historical reasons, send them to SYSLOG.  If they have a security reason, then keep them on the FMC.

 

I hope this helps.

 

Gary

Highlighted

Thanks, those are some good suggestions and I am working towards trimming down as much as possible.
Content for Community-Ad