03-03-2017 04:00 AM - edited 03-10-2019 06:47 AM
Hi,
We have configured 2 Firepower 8350 (v5.4.0.7) with the same health policy, system policy, etc. In one of these, if we go to "Connection events" we can see the events received, but not in the other one (it's empty).
On the other hand, we would like to increase the database size for logs in the virtual Defense Center; where can we increase the events stored in Firepower too? /var/log is empty, but it seems like Firepower can hold more events.
Regards,
03-03-2017 05:58 PM
A virtual FMC is limited by design to 10 million events total. See Table 3 of the product data sheet for confirmation:
http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html
That includes 2 million Connection Events and 1 million each of various other types of events, as shown in your FMC under System > Configuration > Database. You can change the relative allocations and even go so far as to allocate all 10 million records to connection events. But the overall database size is not configurable, nor is the amount of disk allocated to the VM.
See the following section of the Configuration Guide for further guidance:
http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/system_configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771
03-07-2017 12:23 AM
Hi, thanks a lot for your response.
What impact would increasing the connection events database in FMC have? Any recommended value?
Going into Firepower by SSH and running df -h, we see a lot of free space in /var/log. So we have space to store more logs.
Regards
03-07-2017 02:03 AM
The sum total of all event types cannot exceed the 10 million hard limit. It does not matter that there is storage; the database size is limited, and Cisco has no current plans to change that limit on the VM platform.
They feel the negative impacts to the customer experience outweigh the benefits for those customers with smaller deployments (such as the virtual FMC is designed for) looking to scale up to mid-size. For larger databases they really strongly recommend buying a hardware-based FMC appliance.
You can reallocate within the categories so as to adjust their respective maximum records according to your unique operational environment and needs, as long as the total is 10 million or less.
03-07-2017 07:37 AM
Hi,
Is it possible to delete the Malware Event Database (currently configured for 1 million events)? We don't have malware connections enabled. And would this million events be added to the "connection database"?
Would this give us more room for our connections?
Thanks
03-07-2017 02:28 PM
Think of it as one big database with multiple tables. Total limit is 10 million records.
You can set the Malware Event Database records to zero and then allocate those 1 million records to the Connection Event Database.
04-12-2017 07:21 PM
Have the limits been increased in the last 6 months?
I don't recall 1 billion before for FMC 4000.
04-14-2017 12:30 AM
The data sheet for FirePOWER Management Center is still listing 300 million for the FMC 4000 (and even the new FMC 4500).
See Table 3 here:
http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html
12-28-2023 04:36 AM
Note the FMCv300 with a capacity of 60 million events was since released.
See Table 3 here: https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html#Platformspecifications
03-23-2017 09:26 AM
Marvin,
I found this document, which states 49 million events for FMC on the virtual platform.
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Management_Center_System_Configuration.html#concept_C94E9492C76E4CCC9100B3139C7CF771
I see in the configuration guide for version 5.4 that the limit was 10 million, but it appears that as of version 6.0 Cisco has "upgraded" it to 49 million.
Currently we have a case on TAC to confirm this number.
03-23-2017 07:38 PM
I strongly suspect a documentation error there.
I specifically brought up this 10 million event limitation with several Cisco Technical Marketing Engineers (TMEs) at Cisco Live Melbourne this month and they all confirmed the 10 million events limit and stated there were no near term plans to change that.
I submitted a document feedback form to get confirmation. Please let us know what your TAC engineer says as well.
11-20-2017 12:28 AM
The actual database limit for the virtual FMC is 50 million events, combined for connection events and security intelligence events. The default size for security intelligence is 1,000,000, which is why the documentation said 49,000,000. However, if you were to reduce the number of SI events, you could add the same to connection events. For example, you could have 500,000 SI events, and 49,500,000 connection events if you wanted.
12-08-2017 11:11 AM
Any help in trimming?
Don't mean to hijack the thread, but we have been running several thousand users through a pair of ASA 5555s and everything is zippy and working... but reports are only showing about 12 hours in the past!
I contacted TAC and they immediately did what you guys are talking about... upped the Connection Events table to 49,000,000. We got another couple of hours of reporting added to our 12 hours.
Is it really ~$15,000 for a device that can give us a week's worth of URL filtering reports (IPS is licensed, but we have 6 rules in our Access Control Policy and are not using IPS yet... just a couple of different AD groups to filter URLs, nothing fancy)?
I only have logging on two of the rules in our ACP... is there nothing I can do to trim that down?
Definitely a difficult product to wrap your head around, but once you get going, it seems to be working well... but if I can't get more than ~16 hours of who went to what URL, this customer is going to have a fit that they have to buy another piece of equipment.
FMC is currently a KVM virtual (6.2.0.2)... Thanks for all of this info! I was reading 10 million as well... and thinking that TAC was upping it to 49 million without really knowing what was going on ;-)
02-15-2018 05:33 PM
I am in the same exact position. We purchased a Virtual FMC which has three 5515-X ASAs feeding it, and our total user count is roughly 5,000.
We currently cannot go back more than 3-4 hours of connection events. I opened a TAC case today and we played with all of the database settings; Cisco's answer was ultimately that we are putting too much traffic through it.
You are correct in that I am struggling to see the value in this.
On top of that, the SI feeds seem to be unreliable. We received malware alerts for users that were updating their endpoint protection from Sophos. The link was one of Sophos's well-known update URIs.
We tried whitelisting our DNS traffic and another one of our application update servers to trim down some of the logging, but they still show up everywhere: in reports, in connection events, etc.
02-15-2018 08:00 PM
It's a bit of a challenge to tune the logging on FMC. Let me give you my thoughts on best practices.
First of all, take a look at what all you're logging. Almost certainly, you're logging connections you don't need. For all of the generic network traffic (NTP, DHCP, and such), you should probably turn OFF logging to FMC. If you want to keep all of it, send those logs to SYSLOG instead of FMC. These types of communications are very chatty, and it's unlikely you're getting valuable information from them, but they are filling up your available log space in the database.
Another thing to look at is WHEN you're logging. Are you logging at both Beginning and End of connection? On each line in your Access Control Policy, think about whether you need both. If you can get by with logging only at the end of connection, you'll save a lot of space in the database.
If you have your SMTP inbound traffic going through the firewall -- especially if you have an email security appliance that it's destined to -- you likely don't need to log this traffic on the FMC. You'll still get summary information, even if the individual logs are disabled. Again, consider sending these logs only to your SYSLOG server (if you have one).
This process will be useful, as you look through your ACP. In general, if you want the logs for historical reasons, send them to SYSLOG. If they have a security reason, then keep them on the FMC.
I hope this helps.
Gary
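Added example, not from this thread or from Cisco: a small Python sizing calculator that ties together the per-table allocation discussion earlier in the thread (the hard record cap, moving the malware table's records to connection events) and Gary's tuning advice above (syslog-only for chatty rules, end-of-connection logging only). The rule names, flow rates and the 49,000,000 connection-event capacity are constructed figures, and the one-record-per-logging-point cost model is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed figures: the 10,000,000 record cap the thread reports for the
# virtual FMC and the 49,000,000 connection-event allocation TAC applied later.
VIRTUAL_FMC_TOTAL_RECORDS = 10_000_000

def check_allocation(alloc: Dict[str, int], limit: int = VIRTUAL_FMC_TOTAL_RECORDS) -> int:
    """Return records left under the cap; raise if the tables exceed it."""
    total = sum(alloc.values())
    if total > limit:
        raise ValueError(f"allocation {total:,} exceeds the {limit:,} record cap")
    return limit - total


@dataclass(frozen=True)
class AcpRule:
    """One Access Control Policy rule and how its connections are logged."""
    name: str
    flows_per_hour: int  # constructed traffic estimate for the rule
    log_begin: bool      # log at beginning of connection
    log_end: bool        # log at end of connection
    to_fmc: bool         # False means the rule logs to syslog only


def fmc_events_per_hour(rules: List[AcpRule]) -> int:
    """Events/hour hitting the FMC database (assumed model): one record per
    enabled logging point per flow, so begin+end doubles a rule's cost and
    syslog-only rules cost nothing."""
    return sum(r.flows_per_hour * (int(r.log_begin) + int(r.log_end))
               for r in rules if r.to_fmc)


def retention_hours(rules: List[AcpRule], capacity: int) -> float:
    """Hours of history the connection table holds before it rolls over."""
    rate = fmc_events_per_hour(rules)
    return float("inf") if rate == 0 else capacity / rate


# Constructed ACP in the untuned state: every rule logged begin+end to FMC.
UNTUNED = [
    AcpRule("NTP-DHCP-noise", 400_000, True, True, True),
    AcpRule("Inbound-SMTP-to-ESA", 100_000, True, True, True),
    AcpRule("AD-group-URL-filtering", 1_500_000, True, True, True),
]
# After the tuning advice: noise and SMTP to syslog only, URL rule end-only.
TUNED = [
    AcpRule("NTP-DHCP-noise", 400_000, True, True, False),
    AcpRule("Inbound-SMTP-to-ESA", 100_000, False, True, False),
    AcpRule("AD-group-URL-filtering", 1_500_000, False, True, True),
]
```

With these constructed rates the untuned policy gives about 12 hours of history at 49,000,000 records, roughly what the thread reports, and the tuned policy stretches the same table to about 32 hours.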