12-19-2017 02:09 AM - edited 02-21-2020 06:58 AM
I would like to deploy an FMC at the HQ site, with Firepower sensors (Firepower appliance, ASA with Firepower service, FTD) deployed at the remote site. Are there any prerequisites to meet for this deployment? Such as:
1. HQ site and remote site minimum bandwidth
2. HQ site and remote site minimum RTT, delay, and jitter
3. Is a QoS policy needed to guarantee the FMC and sensor traffic?
Thanks!
12-19-2017 03:35 AM
1. 256 kbps for policy push.
2. I wasn't able to find a guideline. It shouldn't be that important, as long as the values are reasonable for TCP traffic.
3. Yes, if you want to be able to push the policies in a timely fashion; the other necessary downloads can be scheduled.
12-19-2017 06:54 AM
Bandwidth up from sensor to the managing FMC can vary greatly. Event reporting will consume, on average, 700 bytes/event. So that's 5600 bits x your anticipated number of events per second (EPS).
Since the EPS rate can vary by orders of magnitude among customers (and even across sensor deployment at a given customer), you need to do the math on that bit yourself.
03-23-2018 11:41 PM
Firepower Appliance and ASA+Firepower can both be deployed at remote sites. FTD wasn't designed to do that very well, so you'll need to either have a separate management connection (like an extra DSL or 3G/4G wireless connection) or an alternate router or firewall that can do NAT in parallel to your ASA, because otherwise you need the connection from the FTD management port to the FMC to set up NAT, but you can't use that until the NAT is set up. (That's not a problem for the ASA+FP configuration, because you can use the ASA CLI to set up NAT, so any connection to the console or the outside port can be used to reach that.)