07-30-2021 02:28 AM
We currently use vFMC v6.6 to manage firepowers.
This is currently a single VM on our VM platform. The firepowers are sending their events to the FMC, so the FMC is the log server. Is there a possibility to use scalability with the FMC platform? As in: if we connect more firepowers to the FMC and the disk space gets full because of the logging, are we able to scale up more FMC instances for the same environment? Or is the only way to set up a new vFMC environment and connect the new firepowers to this vFMC instance?
We would like to connect the FMC also to our SOC/SIEM solution. We did some investigation and, as far as we can see, we need to use an eStreamer. Here the scalability question also comes in. We do see that the eStreamer on the FMC side is just an API that will respond to requests from the eStreamer client. This means that the client pulls the data from the FMC, and that the FMC is not pushing the data to the SOC/SIEM itself.
What we know from other NGFW vendors (and how we have implemented it) is that the management/log server pushes the event/connection/syslog to a log collector. These log collectors are behind a load balancer, so we can easily scale up log collectors if needed.
As far as we can see, with FMC the event/connection/syslog is pulled from the management server, so that traffic can't be scaled by a load balancer.
And what happens if we do not set the eStreamer globally on the whole environment, but on a specific domain? Are the logs for the firewalls residing in this domain still sent to the FMC as soon as we make use of an eStreamer? So will the logs be visible in two places: the FMC for administrators and the eStreamer for our SOC?
Does anyone have experience with this?
07-31-2021 05:20 AM
There is no option to cluster multiple FMCs for more event storage. You can migrate the standard FMC virtual to the larger v300 series VM.
You have the option to send event logs directly to a non-FMC syslog server.
Also, in 7.0 we have the option to use the more scalable Secure Network Analytics (SNA, formerly Stealthwatch Enterprise) as a data store.
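The push model described in the question (each firewall pushes syslog to a collector, and collectors sit behind a load balancer so they can be added as volume grows) is the pattern the answer's "send event logs directly to a non-FMC syslog server" option fits into. The following is an added example, not code from the thread or from Cisco: a minimal UDP syslog collector that parses RFC 5424 frames, drops malformed ones, and is exercised over loopback by a sender thread standing in for a firewall. The sample frames, hostnames and message contents are constructed for the demonstration and do not reproduce the real FTD/FMC syslog format; the `serve` and `demo` function names are this example's own.

```python
"""Minimal syslog collector illustrating the push model (added example, not Cisco code)."""
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample frames; NOT the real FTD syslog format. The third frame is
# deliberately malformed so the collector's drop path is exercised.
SAMPLE_FRAMES = [
    '<134>1 2021-07-30T02:28:00Z ftd-edge-1 FTD - CONN - connection allowed src=10.0.0.5 dst=10.0.1.9',
    '<131>1 2021-07-30T02:28:01Z ftd-edge-2 FTD - IPS [meta seq="2"] intrusion event sid=1',
    'not a syslog frame at all',
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    msgid: str
    msg: str


def parse_syslog(frame: str) -> Optional[SyslogEvent]:
    """Parse one RFC 5424 frame; return None for anything that does not match the header."""
    m = _RFC5424.match(frame)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility*8 + severity, facility 0..23, severity 0..7
        return None
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m["ts"],
        host=m["host"],
        app=m["app"],
        msgid=m["msgid"],
        msg=m["msg"],
    )


def serve(sock: socket.socket, max_frames: int) -> List[SyslogEvent]:
    """Receive up to max_frames datagrams on an already-bound UDP socket.

    Each collector behind a load balancer would run exactly this loop; the
    sender never needs to know which instance received a given frame.
    """
    events: List[SyslogEvent] = []
    for _ in range(max_frames):
        data, _peer = sock.recvfrom(65535)
        ev = parse_syslog(data.decode("utf-8", errors="replace"))
        if ev is not None:
            events.append(ev)
    return events


def demo() -> List[SyslogEvent]:
    """Loopback run: a thread plays the firewall pushing frames, the main thread is the collector."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port so the demo never collides with a real listener
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def sender() -> None:
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        for frame in SAMPLE_FRAMES:
            cli.sendto(frame.encode("utf-8"), ("127.0.0.1", port))
        cli.close()

    t = threading.Thread(target=sender)
    t.start()
    try:
        return serve(srv, len(SAMPLE_FRAMES))
    finally:
        t.join()
        srv.close()


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.host} facility={ev.facility} severity={ev.severity} {ev.msgid}: {ev.msg}")
```

The point of the split between `parse_syslog` and `serve` is that the receive loop holds no per-sender state, which is what lets a load balancer spread firewalls across collector instances; an eStreamer client, by contrast, has to hold the session with the one FMC it is pulling from.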
08-01-2021 10:55 PM
That clarifies it all! Many thanks!