Elephant flow remediation options for FTD 2110

Wonxie
Level 1

Hi

I had configured elephant flow detection, but for remediation actions the tooltip says the following. So does it mean that the FTD 2110 model won't support automatic remediation of elephant flows?

Also, if an elephant flow is detected and the Snort process chokes 100% of one CPU core, how will it deal with that particular flow and any subsequent traffic that needs to be analyzed by the IPS engine?

If yes, what alternative actions will kick in automatically without involving the administrator? I have noticed that when an elephant flow occurs it affects communication.

Regards

8 Replies

Identify and Trust Large Flows

Large flows are often related to high-use, low-inspection-value traffic, for example backups, database replication, etc. Many of these applications cannot benefit from inspection. In order to avoid issues with large flows, you can identify the large flows and create Access Control trust rules for them. These rules are able to uniquely identify large flows, allow those flows to pass uninspected, and not be limited by the single Snort instance behavior.

Note: In order to identify large flows for trust rules, contact the Cisco Firepower TAC.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html

MHM

@MHM Cisco World Thanks for the quick reply.

I have no issue finding large or elephant flows, and I can and do create a prefilter policy when needed.

I am concerned with elephant flow remediation.

I have checked the above document and it references older FMC/FTD versions; newer versions use elephant flows.

For some stupid reason this feature is not currently supported on 2100:

CSCwh17142 ENH: Elephant flow remediation needs a software fix for 2100 platform

If you're using Snort3 the only option is to create pre-filter rules for offending flows. In Snort2 there is an Intelligent Application Bypass feature. It should be supported on 2100, but Snort2 will be deprecated sooner or later.

@tvotna Yes, I am using a prefilter policy, but it's not the right choice to exempt that communication entirely from Snort3. So I don't know why Cisco didn't enable this feature for Snort3 on this version.

I was using IAB on Snort2 earlier, before migrating to Snort3.

I'm not even sure if TAC has an idea why this feature was not implemented on 2100, but they can open an escalation ticket and ask the escalation team, which in turn will engage development. The answer will be "legacy platform and this enhancement is not on our radar".

Open a TAC case and check if a new update of FPR can solve this issue.

Update me if you get a reply from Cisco.

Thanks in advance 

MHM

By the way

You can use the ACP 'trust' action as I mentioned above, which is suggested by Cisco for this case. Keep in mind that trust does not totally bypass Snort like prefilter does; the traffic is still inspected by Snort, but not in the way analyze-action traffic is.

MHM

On the FTD 2100 series FTDs, elephant flow detection is possible but remediation is not.

https://secure.cisco.com/secure-firewall/docs/elephant-flow-throttling
