Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4473
Views
20
Helpful
5
Replies

Virtual FMC vs Appliance FMC

Go to solution
shabeeb
Level 1
Level 1

‎07-05-2020 10:19 AM

Hi Experts,

 

I would like to upgrade from virtual FMC to an appliance based FMC. 

IMO, the appliance always wins, but i need to build a business case for this shift. I've noted a few points to justify this requirement, but i need a lot more to convince the stakeholders that its the right move to take.

 

  1. I currently have 5 x FTDs 2100 series & have upcoming requirements to add around 5-6 more FTDs (2100 & 1100 series). vFMC although it supports upto 25sensors, the logging will get drastically impacted. 
  2. vFMC will only support upto 1mil connection logs which will not assist with log retention policies
  3. vFMC is more prone to Connection event losses, this means, certain connection events might not be documented at the end of the day. 
  4. vFMC UI & UX is much slower than Appliance FMC
  5. Deep packet inspection & event analysis is also effected due to the virtual limitations
  6. On integration with different estreamers (like splunk etc), the vFMC will again become slower which might lead to more data losses or failure to store logs.

 

Any further data will be very much appreciated.

 

My challenge is that all the above issues mostly point towards the log retention. How do i justify to the business that the Appliance FMC is the best for the organisation even though we are using SEIM solutions like Splunk in our environment. 

I have attached a pic i have received of the internet that explains the different features that are distributed over different layers for your reference. 

 

TIA, 

Shabeeb

 

Preview file
114 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎07-05-2020 01:20 PM

Ultimately the answer to your question is based on how large the network is (how much traffic will be logged and number of FTDs to manage).

The other thing to consider is that you need to Thick provision resources to the vFMC.  If the vFMC is sharing resources with other VMs this will drastically affect performance on the FMC.  You also have to make sure that the interface on the vFMC is configured to support 10Gig or you will run into a possible bottle-neck issue.

Functionality wise, other than lack of ability to configure it in an HA pair, vFMC can do everything an appliance FMC can do.  For example, the FMCv300 can be compaired to the FMC 2600 appliance as long as you allocate the correct amount of resources.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-vmware.html

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html#Platformspecifications

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎07-05-2020 10:44 AM

Currently you cannot configure the virtual FMC in HA, meaning if during an outage or upgrade you’ll be unable to manage the FTDs, receive logs nor perform cloud lookups, if using AMP.

Go to solution
shabeeb
Level 1
Level 1
In response to Rob Ingram

‎07-05-2020 11:11 PM

Thanks Rob. Ill definitely consider this.
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎07-05-2020 01:20 PM

Ultimately the answer to your question is based on how large the network is (how much traffic will be logged and number of FTDs to manage).

The other thing to consider is that you need to Thick provision resources to the vFMC.  If the vFMC is sharing resources with other VMs this will drastically affect performance on the FMC.  You also have to make sure that the interface on the vFMC is configured to support 10Gig or you will run into a possible bottle-neck issue.

Functionality wise, other than lack of ability to configure it in an HA pair, vFMC can do everything an appliance FMC can do.  For example, the FMCv300 can be compaired to the FMC 2600 appliance as long as you allocate the correct amount of resources.

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-vmware.html

https://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-736775.html#Platformspecifications

--
Please remember to select a correct answer and rate helpful posts

Go to solution
shabeeb
Level 1
Level 1
In response to Marius Gunnerud

‎07-07-2020 02:02 PM

Hi Marius,

Sorry for the late reply. Thanks for your response.

As far as my vFMC is concerned, lets just say that with our current vFMC, we have a local log retention of a few days max.

The physical host of the VM is not being shared by anything else, but however, the uplink of this server is 1Gig. I checked the server & unfirtunately, we dont have a 10Gig NIC. Ill possibly use this as a good point to prove my point.

Additionally, i had no idea FMCv300 was available. Looks like it was released a few months back.
Eitherway, thanks for the info.

BR,
Shabeeb
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to shabeeb

‎07-08-2020 11:04 AM

As for the logging, the FMC is set to default to a very low log retention.  If you go to System > Configuration > Database and find the Database you want to have a longer log retention for and increase the Maximum Connection Events. I have mine set to 100,000,000 but I have read of others that have this sett to 1 billion.  Before changing this be sure you have enough storage space on your VM so you don't use up all the space for logging.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card