Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
316
Views
8
Helpful
8
Replies

Elephant flow remediation options for FTD 2110

Go to solution
Wonxie
Level 1
Level 1

‎04-07-2024 02:27 PM - edited ‎04-07-2024 02:31 PM

Hi

I had configured elephant flow detection but on remediation actions it says below in tooltip. So does it means that FTD2110 model wont support automatically do remediation of elephant flows ?

Also if there is an elephant flow detected and that snort process chokes 100% of one CPU core how it will deal with that particular flow and any subsequent traffic that needs to be analyzed by IPS engine ?

If yes what are alternative actions that will kick in automatically  without involving administrator ? As I have noticed that when an elephant flow occurs it affects communication.

Wonxie_0-1712525129027.png

Regards

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
tvotna
Spotlight
Spotlight
In response to Wonxie

‎04-08-2024 07:11 AM

For some stupid reason this feature is not currently supported on 2100:

CSCwh17142 ENH: Elephant flow remediation needs a software fix for 2100 platform

If you're using Snort3 the only option is to create pre-filter rules for offending flows. In Snort2 there is a Intelligent Application Bypass feature. It should be supported on 2100, but Snort2 will be deprecated sooner or later.

 

View solution in original post

Go to solution
MHM Cisco World
VIP
VIP
In response to Wonxie

‎04-15-2024 12:59 AM

By the way

You can use ACP as I mention above which is suggested from cisco for this case' trust' and keep in mind that trust is not totally bypass snort like prefilter' the traffic still inspect by snort but not like analysis action traffic.

MHM

View solution in original post

8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎04-07-2024 02:59 PM

Identify and Trust Large Flows

Large flows are often related to high use low inspection value traffic for example, backups, database replication, etc. Many of these applications can not be benefited from inspection. In order to avoid issues with large flows, you can identify the large flows and create Access Control trust rules for them. These rules are able to uniquely identify large flows, allow those flows to pass uninspected, and not to be limited by the single snort instance behavior.

Note: In order to identify large flows for trust rules, contact the Cisco Firepower TAC.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html

MHM

0 Helpful

Go to solution
Wonxie
Level 1
Level 1
In response to MHM Cisco World

‎04-07-2024 03:42 PM

@MHM Cisco World Thanks for the quick reply.

I have no issue in finding large or elephant flows. And also i can and i do create a prefilter policy when needed. 

I am concerned with Elephant flow remediation. 

I have checked above document and it refrences older FMC/FTD versions newer versions use elephant flows.

0 Helpful

Go to solution
tvotna
Spotlight
Spotlight
In response to Wonxie

‎04-08-2024 07:11 AM

For some stupid reason this feature is not currently supported on 2100:

CSCwh17142 ENH: Elephant flow remediation needs a software fix for 2100 platform

If you're using Snort3 the only option is to create pre-filter rules for offending flows. In Snort2 there is a Intelligent Application Bypass feature. It should be supported on 2100, but Snort2 will be deprecated sooner or later.

 

Go to solution
Wonxie
Level 1
Level 1
In response to tvotna

‎04-15-2024 12:43 AM - edited ‎04-15-2024 12:47 AM

@tvotna Yes I am using prefilter policy but its not the right choice to exempt that communication entirely from snort3. so don't know why cisco didn't enabled this feature for snort3 on this version.

I have using IAB on snort2 earlier before migrating to snort3. 

Go to solution
tvotna
Spotlight
Spotlight
In response to Wonxie

‎04-15-2024 12:49 AM

I'm not even sure if TAC has an idea why this feature was not implemented on 2100, but they can open escalation ticket and ask escalation team which in turn will engage development.The answer will be "legacy platform and this enhancement is not on our radar".

 

Go to solution
MHM Cisco World
VIP
VIP
In response to Wonxie

‎04-15-2024 12:50 AM

Open TAC and check if new update of fpr can solve this issue.

Update me if you get reply from Cisco 

Thanks in advance 

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Wonxie

‎04-15-2024 12:59 AM

By the way

You can use ACP as I mention above which is suggested from cisco for this case' trust' and keep in mind that trust is not totally bypass snort like prefilter' the traffic still inspect by snort but not like analysis action traffic.

MHM

Go to solution
Marius Gunnerud
VIP
VIP

‎04-15-2024 12:52 AM

On the FTD2100 series FTDs Elephant flow detection is possible but remediation is not.

https://secure.cisco.com/secure-firewall/docs/elephant-flow-throttling

 

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card