Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4771
Views
15
Helpful
8
Replies

Increase Database Limits (Virtual FMC)

Go to solution
Will
Level 1
Level 1

‎03-06-2017 11:27 AM - edited ‎02-21-2020 06:01 AM

I am aware of the 10m cap on Virtual FMC database.  I have seen options for external database connections.  Am I misunderstanding this or is it possible to create some sort of SQL database on a server and give FMC access to utilize that database thus increasing the max events? 

The reason I am asking is I have a customer that needs to be able to pull data from months ago to see trends in user behavior if an audit becomes necessary.  As it is now, we're lucky to get 3 days of history before the database begins overwriting its "tail".  

If anyone has done this and has some experience or wisdom to share please help me out!  

Thank you in advance.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-06-2017 02:54 PM

As far of the database that is exposed via the FMC tools, you can only use the built-in one with its 10M event limit (all event types). the best you can do using that is to change the allocation among the various categories to, say, favor connection or intrusion events in the allocation.

To go beyond that (without going to one of the hardware appliances)) you can log (connections etc.) to an external syslog server like Splunk, ELK stack, etc.

I have asked on behalf of other custoemrs if this is going to change going forward but have yet to receive an answer from Cisco. It seems like we should be able to give the FMCv more resources and let it have at it. Right now you can only increase the allocated CPU and memory - not disk - for the VM.

View solution in original post

8 Replies 8

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-06-2017 02:54 PM

As far of the database that is exposed via the FMC tools, you can only use the built-in one with its 10M event limit (all event types). the best you can do using that is to change the allocation among the various categories to, say, favor connection or intrusion events in the allocation.

To go beyond that (without going to one of the hardware appliances)) you can log (connections etc.) to an external syslog server like Splunk, ELK stack, etc.

I have asked on behalf of other custoemrs if this is going to change going forward but have yet to receive an answer from Cisco. It seems like we should be able to give the FMCv more resources and let it have at it. Right now you can only increase the allocated CPU and memory - not disk - for the VM.

Go to solution
Will
Level 1
Level 1
In response to Marvin Rhoads

‎03-07-2017 08:56 AM

This seems counter-intuitive from a functionality standpoint. I know my customer wants the same reporting functionality FMC provides but with increased history. I get the sense the forced limitation is in order to keep interest in hardware appliance sales.  

Thank you for your reply, Marvin.  If you create a petition I'll gladly sign for increasing the capabilities of what should be unlimited scaling on the virtual FMC.  This certainly feels like paper handcuffs.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Will

‎03-11-2017 10:48 PM

You're welcome.

"paper handcuffs" - I like that phrase. I will have to remember that one.

I haven't opened a formal enhancement request but will try to do so in the next couple of days. Generally when we open a formal enhancement request, it is assigned a BugID.

It is indeed an artifical limitation. Contrast it, for example with ISE. The large ISE appliance (SNS-3595) is a very beefy UCS-based server - just like FMC. But customers can deploy on a VM as long as they meet or exceed the CPU, disk and storage allocations.

0 Helpful

Go to solution
toddlammle
Level 1
Level 1
In response to Will

‎04-30-2018 08:33 AM

Hi Will, that answer to you was not correct

you can get up to 49M on a vFMC and 250M on a 4500

please see: 

https://www.lammle.com/post/make-cisco-virtual-fmc-drastically-faster-5317/

 

Go to solution
Brandon1
Level 1
Level 1
In response to toddlammle

‎05-03-2018 05:30 PM - edited ‎05-03-2018 05:34 PM

After reading this I went over to my FMCv (6.2.3.1) to check out what limitations I had. 50,000,000 events is the limit on the Connection Database. However, there are "Connection Events" and "Security Intelligence Events" in this specific database and you must split the 50mil between the two, in any fashion you see fit...

 

The other databases such as "Connection Summary Database" also allowed me to bump it up-to a max of 50,000,000 events.

 

I previously had these numbers at 10,000,000 and was holding approx. 3 days worth of events. I'll keep it at 50mil and see how the disk space is impacted.

 

Thanks Todd, always enjoy the tips!

 

Brandon

0 Helpful

Go to solution
toddlammle
Level 1
Level 1
In response to Brandon1

‎05-04-2018 11:04 AM

Yes, what you say is true, but the intrustion events at 1M is more than enough. That’s huge! If you get 1M events your in trouble

I’ve had no problems with 49 M connection events on my vFMC

Todd Lammle


0 Helpful

Go to solution
michoudi
Level 1
Level 1

‎05-04-2018 11:16 AM

Isn't it written in Cisco documentation somewhere that connection logging to the FMC is meant more for troubleshooting purposes? Longer term log storage for legal/compliance purposes should be sent to an external syslog server.
0 Helpful

Go to solution
toddlammle
Level 1
Level 1
In response to michoudi

‎05-05-2018 05:30 AM

I’m sure that’s the idea, but how can you trouble shoot with just a couple millions events or even 10 million? I have customers that get the in a less than a minute…


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card