07-31-2023 04:14 PM
Is there a way to rate-limit the traffic generated by the FTD itself? Example: if VoIP is going through the firewall, can we prioritize VoIP over the event traffic generated by the FTD itself?
I'm familiar with the QoS feature of FTD, which permits basic rate limiting by assigning a maximum throughput to user traffic. Is there a way we could use the FTD QoS feature to limit the outbound traffic an FTD is sending to the FMC, by, for example, limiting the traffic to FMC (TCP/8305)?
Or is the FTD like the ASA: it filters user traffic, but not the traffic generated by the FTD itself?
Thanks.
07-31-2023 05:27 PM
Hello,
The feature you mean would be Control Plane Policing (CoPP); that is something that does exist on Cisco IOS, but it is not relevant to FTD.
The FTD has built-in controls to protect its control plane; the QoS rate limit you mean would affect the data plane.
08-01-2023 06:44 AM
Could you expand on the built-in control plane mechanisms in FTD to prevent overloading the system?
A more drastic approach, which would not be useful but does provide strict control-plane control, is using FlexConfig with the access-group xxxx control-plane command.
08-01-2023 06:51 AM
@cpaquet I am not aware of rate-limiting availability on the FTD control plane, but if you used a dedicated management interface instead of a data interface for communication to/from the FMC, then that management event traffic would be isolated.
08-01-2023 09:57 AM
Good point. Thanks.
08-01-2023 06:53 AM
I am trying to think of a use case where you need to rate-limit the communication between the FTD and FMC; can you elaborate on your requirement?
08-01-2023 09:56 AM
Example: in a data center (clustering, LISP, etc.), where you are doing extensive FTD logging to the FMC, but you also have multiple critical user applications. How would you configure the FTD to give precedence to user applications if there is contention for the bandwidth? Thus the possible need to throttle the FTD 'self-traffic'.
08-01-2023 10:16 AM
Assume you have 100 upload and 500 download and you want to give 25% to VoIP.
So you can try adding to the QoS policy:
One for the VoIP app: give it 25 and 125.
And another for any IP: give 75 and 375.
I am not sure it works, but I don't think FPR has QoS like a router and switch.
08-01-2023 10:37 AM
@cpaquet wrote:
Example: in a data center (clustering, LISP, etc.), where you are doing extensive FTD logging to the FMC
@cpaquet you can rate limit syslog traffic, this can be configured via platform settings policy and deployed to the managed FTD. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId--41694258
I believe QoS will only apply to traffic "through" the FTD, not "to" (traffic to/from the FTD itself).
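As an added illustration, not part of Rob's post: the Rate Limit settings under Platform Settings > Syslog deploy to the managed FTD as the ASA-style logging rate-limit command, whose syntax is logging rate-limit {unlimited | num [interval]} {level level | message message_id}. The numbers below are constructed for the example, and the lines starting with "!" are annotations rather than commands.

```text
! Constructed example of what a deployed syslog rate limit looks like in
! "show running-config logging" on the FTD. Values are illustrative only.

! Send at most 100 informational (level 6) messages per second;
! excess level-6 messages in that second are dropped, not queued.
logging rate-limit 100 1 level 6

! Send at most 1 copy of message 106015 every 10 seconds
! (a noisy message ID is a typical target for a per-message limit).
logging rate-limit 1 10 message 106015

! Send at most 10 debug (level 7) messages per second.
logging rate-limit 10 1 level 7

! Verify the active limits and drop counters after deployment:
! show logging rate-limit
```

Caveat worth keeping in mind with this approach: it caps the volume of syslog messages, which are separate from the event stream the FTD sends to the FMC over TCP/8305, so it reduces self-generated logging load but does not give VoIP precedence over FMC event traffic on a shared data interface.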
08-01-2023 10:47 AM
He is confused about data passing through or initiated from the FTD. I think he means passing through the FTD, so he needs a QoS policy.
08-01-2023 01:51 PM
@MHM Cisco World: Rob is not confused. He understands perfectly my original question, which is: how can we throttle the traffic generated by the FTD itself? This is considered traffic 'to/from' the firewall, and not traffic through the firewall.
08-01-2023 01:48 PM
Hi Rob, excellent suggestion to use syslog rate limit, if throttling for FTD 'self-traffic' is not available.
08-01-2023 07:04 AM
Hi,
There are two kinds of QoS:
QoS of VoIP passing through the FTD, which applies to the interface.
But how is there QoS of VoIP generated from the FTD itself? That you need to elaborate on.
Thanks
MHM