cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4453
Views
20
Helpful
5
Replies

Virtual FMC vs Appliance FMC

shabeeb
Level 1
Level 1

Hi Experts,

 

I would like to upgrade from virtual FMC to an appliance based FMC. 

IMO, the appliance always wins, but i need to build a business case for this shift. I've noted a few points to justify this requirement, but i need a lot more to convince the stakeholders that its the right move to take.

 

  1. I currently have 5 x FTDs 2100 series & have upcoming requirements to add around 5-6 more FTDs (2100 & 1100 series). vFMC although it supports upto 25sensors, the logging will get drastically impacted. 
  2. vFMC will only support upto 1mil connection logs which will not assist with log retention policies
  3. vFMC is more prone to Connection event losses, this means, certain connection events might not be documented at the end of the day. 
  4. vFMC UI & UX is much slower than Appliance FMC
  5. Deep packet inspection & event analysis is also effected due to the virtual limitations
  6. On integration with different estreamers (like splunk etc), the vFMC will again become slower which might lead to more data losses or failure to store logs.

 

Any further data will be very much appreciated.

 

My challenge is that all the above issues mostly point towards the log retention. How do i justify to the business that the Appliance FMC is the best for the organisation even though we are using SEIM solutions like Splunk in our environment. 

I have attached a pic i have received of the internet that explains the different features that are distributed over different layers for your reference. 

 

TIA, 

Shabeeb

 

1 Accepted Solution

Accepted Solutions

Ultimately the answer to your question is based on how large the network is (how much traffic will be logged and number of FTDs to manage).

The other thing to consider is that you need to Thick provision resources to the vFMC.  If the vFMC is sharing resources with other VMs this will drastically affect performance on the FMC.  You also have to make sure that the interface on the vFMC is configured to support 10Gig or you will run into a possible bottle-neck issue.

Functionality wise, other than lack of ability to configure it in an HA pair, vFMC can do everything an appliance FMC can do.  For example, the FMCv300 can be compaired to the FMC 2600 appliance as long as you allocate the correct amount of resources.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-vmware.html

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html#Platformspecifications

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

5 Replies 5

Currently you cannot configure the virtual FMC in HA, meaning if during an outage or upgrade you’ll be unable to manage the FTDs, receive logs nor perform cloud lookups, if using AMP.

Thanks Rob. Ill definitely consider this.

Ultimately the answer to your question is based on how large the network is (how much traffic will be logged and number of FTDs to manage).

The other thing to consider is that you need to Thick provision resources to the vFMC.  If the vFMC is sharing resources with other VMs this will drastically affect performance on the FMC.  You also have to make sure that the interface on the vFMC is configured to support 10Gig or you will run into a possible bottle-neck issue.

Functionality wise, other than lack of ability to configure it in an HA pair, vFMC can do everything an appliance FMC can do.  For example, the FMCv300 can be compaired to the FMC 2600 appliance as long as you allocate the correct amount of resources.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-vmware.html

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html#Platformspecifications

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Sorry for the late reply. Thanks for your response.

As far as my vFMC is concerned, lets just say that with our current vFMC, we have a local log retention of a few days max.

The physical host of the VM is not being shared by anything else, but however, the uplink of this server is 1Gig. I checked the server & unfirtunately, we dont have a 10Gig NIC. Ill possibly use this as a good point to prove my point.

Additionally, i had no idea FMCv300 was available. Looks like it was released a few months back.
Eitherway, thanks for the info.

BR,
Shabeeb

As for the logging, the FMC is set to default to a very low log retention.  If you go to System > Configuration > Database and find the Database you want to have a longer log retention for and increase the Maximum Connection Events. I have mine set to 100,000,000 but I have read of others that have this sett to 1 billion.  Before changing this be sure you have enough storage space on your VM so you don't use up all the space for logging.

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card