cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4161
Views
15
Helpful
8
Replies

Increase Database Limits (Virtual FMC)

Will
Level 1
Level 1

I am aware of the 10m cap on Virtual FMC database.  I have seen options for external database connections.  Am I misunderstanding this or is it possible to create some sort of SQL database on a server and give FMC access to utilize that database thus increasing the max events? 

The reason I am asking is I have a customer that needs to be able to pull data from months ago to see trends in user behavior if an audit becomes necessary.  As it is now, we're lucky to get 3 days of history before the database begins overwriting its "tail".  

If anyone has done this and has some experience or wisdom to share please help me out!  

Thank you in advance.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

As far of the database that is exposed via the FMC tools, you can only use the built-in one with its 10M event limit (all event types). the best you can do using that is to change the allocation among the various categories to, say, favor connection or intrusion events in the allocation.

To go beyond that (without going to one of the hardware appliances)) you can log (connections etc.) to an external syslog server like Splunk, ELK stack, etc.

I have asked on behalf of other custoemrs if this is going to change going forward but have yet to receive an answer from Cisco. It seems like we should be able to give the FMCv more resources and let it have at it. Right now you can only increase the allocated CPU and memory - not disk - for the VM.

View solution in original post

8 Replies 8

Marvin Rhoads
Hall of Fame
Hall of Fame

As far of the database that is exposed via the FMC tools, you can only use the built-in one with its 10M event limit (all event types). the best you can do using that is to change the allocation among the various categories to, say, favor connection or intrusion events in the allocation.

To go beyond that (without going to one of the hardware appliances)) you can log (connections etc.) to an external syslog server like Splunk, ELK stack, etc.

I have asked on behalf of other custoemrs if this is going to change going forward but have yet to receive an answer from Cisco. It seems like we should be able to give the FMCv more resources and let it have at it. Right now you can only increase the allocated CPU and memory - not disk - for the VM.

This seems counter-intuitive from a functionality standpoint. I know my customer wants the same reporting functionality FMC provides but with increased history. I get the sense the forced limitation is in order to keep interest in hardware appliance sales.  

Thank you for your reply, Marvin.  If you create a petition I'll gladly sign for increasing the capabilities of what should be unlimited scaling on the virtual FMC.  This certainly feels like paper handcuffs.

You're welcome.

"paper handcuffs" - I like that phrase. I will have to remember that one.

I haven't opened a formal enhancement request but will try to do so in the next couple of days. Generally when we open a formal enhancement request, it is assigned a BugID.

It is indeed an artifical limitation. Contrast it, for example with ISE. The large ISE appliance (SNS-3595) is a very beefy UCS-based server - just like FMC. But customers can deploy on a VM as long as they meet or exceed the CPU, disk and storage allocations.

Hi Will, that answer to you was not correct

you can get up to 49M on a vFMC and 250M on a 4500

please see: 

https://www.lammle.com/post/make-cisco-virtual-fmc-drastically-faster-5317/

 

After reading this I went over to my FMCv (6.2.3.1) to check out what limitations I had. 50,000,000 events is the limit on the Connection Database. However, there are "Connection Events" and "Security Intelligence Events" in this specific database and you must split the 50mil between the two, in any fashion you see fit...

 

The other databases such as "Connection Summary Database" also allowed me to bump it up-to a max of 50,000,000 events.

 

I previously had these numbers at 10,000,000 and was holding approx. 3 days worth of events. I'll keep it at 50mil and see how the disk space is impacted.

 

Thanks Todd, always enjoy the tips!

 

Brandon

Yes, what you say is true, but the intrustion events at 1M is more than enough. That’s huge! If you get 1M events your in trouble

I’ve had no problems with 49 M connection events on my vFMC

Todd Lammle


michoudi
Level 1
Level 1
Isn't it written in Cisco documentation somewhere that connection logging to the FMC is meant more for troubleshooting purposes? Longer term log storage for legal/compliance purposes should be sent to an external syslog server.

I’m sure that’s the idea, but how can you trouble shoot with just a couple millions events or even 10 million? I have customers that get the in a less than a minute…


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: