cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1662
Views
0
Helpful
2
Replies

FTD as IPS

fatalXerror
Level 5
Level 5

Hi, I am having an issue about Elephant flow in my FTD and as per the TAC we need to do flow profiling to pinpoint which traffic is causing it however, it is not an option in my environment because this will have an interruption.

We think of an option to connect another IPS (same model) that will act like a tap. The prod IPS will send a copy of the packet to the other IPS acting as tap then we do the flow profiling there in the tapped IPS?

I would like to know if that is feasible and what configuration should we do for the tapped IPS?

2 Replies 2

gbekmezi-DD
Level 5
Level 5
Do you think adding another appliance in line would be less intrusive than one of these options?


* use netflow do try to identify large flows: https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300
* use packet captures on the FTD appliance itself: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
* SPAN/Mirror/Monitor traffic from the switch the FTD appliance is connected to

@gbekmezi-DD, but we want to pinpoint the actual traffic causing the issue and as per TAC we can only determine that when we do flow profiling but it is not an option in our environment that is why if we can put our spare IPS into passive mode then do flow profiling there if it is possible?

You said netflow, we have a netflow collector deployed in the network. is it possible to use that? What parameters should we look in the netflow data for us to find the elephant flow?

thanks

 

 

 

Review Cisco Networking for a $25 gift card