27886 Views | 16 Helpful | 39 Replies

Firepower deployments really slow

ncowger (Level 1)

I have a new pair of NGFW 2110s. I have a virtual FMC. This is a new build with relatively few rules (10) and NAT statements (14). If I make a simple change to the policy and deploy it, it seems to take a really long time. I'm regularly seeing 7+ minutes. Is this normal? Why?


Firepower 6.3 has improved deployments (~50% or more in my observation). It's still not instantaneous by any means but it's improving.

Keep providing the feedback to your Cisco account team or partners - that keeps it front of mind for them and guides development to make continued improvement a priority. I was at Cisco Live Europe in January and I complained about it to the presenter at every Firepower session I attended as well as to the Cisco Security staff in the World of Solutions.

I'm noticing a trend. Everyone here is complaining about slowness on FTD when deploying to 2110s. Maybe the issue is, just like Marvin said, not on the FMC but in the architecture of the 2110. Is slowness experienced on other platforms using the FMC?

The secret to succeeding at technology is to say yes you can, and to not be afraid of change. Forget the words, "That's how we always do it"

I saw the other day that version 6.4 has been released and has "improved deployment times" in the release notes. It's the same thing I've seen in the notes in the past, and I don't really have my hopes up. I haven't tried it myself, though, and in fact have taken our 2110s out of production and replaced them with ASA 5525s running Firepower modules. I can deploy to those in roughly 90 seconds vs. the 7 to 10 minutes it takes with the 2110s.

We are now in 9/2019 and our ASA 5508-X with FTD 6.4.0-102 needs more than four minutes to deploy a single access control or NAT rule. Actually there are three NAT rules, four access rules and some objects (< 30). Really, I have to move from an ASA 5510 with the standard Cisco OS, and it is very time consuming.

I am looking forward into the future :-)

@gln wrote:

We are now in 9/2019 and our ASA 5508-X with FTD 6.4.0-102 needs more than four minutes to deploy a single access control or NAT rule. Actually there are three NAT rules, four access rules and some objects (< 30). Really, I have to move from an ASA 5510 with the standard Cisco OS, and it is very time consuming.

I am looking forward into the future :-)

I am in the same boat. I am running FMC 6.2.3.14 on a virtual machine with 64GB RAM and 8 CPUs on a single dedicated ESXi host, and FTD 6.2.3.10 on the ASA 5555-X platform, and it takes like 6 minutes just to deploy the policy. It is freaking almost 2020 and policy deployment should not take that long. We will be migrating this firewall from FTD over to a Palo Alto firewall. We did a side-by-side test using the same policy, and a Palo Alto push from Panorama to the PA-5050 takes less than 38 seconds.

Very disappointed with the Cisco FMC and FTD platforms.

voipleo (Level 1)

Well, ours takes 10-11 min.

Relatively fresh system: 35 access rules, 15 nat rules, 130 network objects, 20 url objects.

2x 2110, 1x FMCv 6.5 - 32GB, 6 Xeon cores, fast 3PAR SAN. This is definitely not a resource issue.

I think this is because of the MySQL inside. You might argue, but I've never seen MySQL working fast in the real world. Look at MediaSense, a simple piece of software for call recording. It takes a lot of resources but works really slowly. Same DB under the hood.

I've performed many tests on ASAs repurposed as FTD, and on new Firepower devices. I wholeheartedly agree: the deployment process of FTD through FDM (or even FMCv) is embarrassingly slow (and way more painful to wait for failure if you know the deployment will fail; like 15 minutes on a 1010!). It's worse than using Ansible on a network. I realize FTD is really CiscoLinux, and I feel it is very poorly engineered using open-source code such as Charon (VPN), which is painful to work with on its own. But in my honest opinion, I'd much rather continue struggling with old Java code using ASDM on an ASA than continue working with the slowest GUI-based deployments in the industry. I'm sorry, but FDM/FMC have some serious maturing to do.

RFC 1925

I have the latest version of FTD, release 6.4.0.9 (2x 2110, 1x FMCv).

I didn't notice any change in deployment speed. 15 policies take 7-8 minutes.
Very disappointed with this situation.

The latest release is currently 6.6.1. You will find that 6.5 and 6.6 both offer improvements in deployment speed over 6.4.x. 6.7 improves even more.

6.6 also introduced an entirely new underlying database on FMC: MonetDB. It makes resource-intensive tasks in the GUI much quicker.

Thanks! I've abandoned FMC. We hated it. It was hardly ever used and required too much in the way of connectivity requirements.

RFC 1925