In all my travels, I visit a heck of a lot of customers with a variety of Firepower gear and different Firepower Management Centers (FMCs). What I often find is that most of my customers have her been oversold or undersold on the processing/storage/memory for their FMC hardware. Now, in the sales person’s defense, finding the right FMC for a large network isn’t that easy. So, they look for a quick fix. If they can sell the best, most expensive 4500, which is the largest/fastest Cisco has to offer, they’ll be good! It’s a one size fits all solution. Until, of course, the customer realizes they’ve been oversold. Or they find out, when someone finally configures Firepower Threat Defense (FTD) correctly, that they were sorely undersold!

Unfortunately, this is a common occurrence. I have been to a lot of large schools and Fortune 50 companies with FTD 4150/9300s, which are some very powerful Next Generation Firewalls (NGFW) devices. I continue to see the same scenario play out. For example, in the last month, I’ve consulted with large school districts in both Nevada and Ohio. Each district had more internal groups with admins in each location responsible for hundreds of thousands of students. Additionally, each department had multiple 9300s to manage. Yet somehow one of these admin groups was sold a FMC 2000, while at the same time the others were sold 2500s and 4500s with no rhyme or reason as to why or how each received what they did. s we were working on the policies, configuration, and most importantly, the network analysis, we watched the FMC 2000 basically choke and die while the FMC 4500 kept moving along with the same configurations/devices. To say this admin and his boss were upset that they were undersold the 2000 instead of the FMC 2500, is an understatement. Their frustration is definitely justified considering Cisco is not going to give them a replacement for free. Is this a problem? Yes. Do I see this all the time? Yes. Was the FMC 2000 EOL when sold? Yes!

How do you get the right FMC on a budget? (Cisco Firepower and budget are mutually exclusive!) Well, the best way is to test it in production to find out, just like my customer did in Ohio with the FMC 2000…yikes! However, this list will help you make sure you’re getting the right FMC for your network.

A couple of quick thoughts:

1. Max sensors are just that and, in my experience, cutting Cisco’s listed number of supported devices in half is a good rule of thumb (but this will vary with FTD types, number of users, bandwidth, and more).

2. The EPS/FPS is the Events per second/Flow per second the FMC can handle and all-so-important!

Virtual FMC

This is a very, very useful FMC and I have at least 20 of these spun up in my lab at any time. Cheap, easy, and you can enable the eval license for up to a year if you want to do labing (and class)! You can only have up to 25 devices, but I wouldn’t put more than 8 pairs total in production with lower end FTD devices such as 5506/8/16s. Once you go up to the 5525/45/55/2100, then I’d bring down the amount of devices you’re using, or upgrade to a hardware FMC. If you’re using FTD 4100/9300s, just skip this section on the vFMC as it’s not for your production network at all.

Details:

· Retail Price: 2 devices $500, 25 devices $10,795 (reality: Basically Free)

· Max Sensors: 25

· IPS events: 10M

· Connection events: Up to 50M

· RAM: Up to 16G

· Firepower: 50,000 users/50,000 hosts

· Event Storage: 250G

· EPS/FPS: depends on system (but very low in comparison)

How do you find the maximum number of Connection Events you can store on your FMC? That’s a great question! Go to System>Configuration>Database

The default on all FMCs is 1,000,000…a ridiculously small amount. If you don’t know about this setting, you won’t even know it’s low. Set the Maximum connection to just over a billion: 1,000,000,001. Click Save and the system will now provide the maximum for your FMC.

 

You can see in this screen shot, the vFMC is now at 50Million total.

 

What about the other settings? Although you can change the amount of IPS events stored, as shown in my details of each FMC listed below, I wouldn’t change much of anything else. Be careful here. The only setting you can really safely change is the most important one: Maximum Connection Events.

 

Hardware FMCs

1000

Details:

· Retail Price: $24,800.01 (reality: <$7500 each when bought in HA pairs)

· Max Sensors: 50

· IPS events: 30M

· Connection events: Up to 90 M

· RAM: 32G

· Firepower: 50,000 users/50,000 hosts

· Event Storage: 900G

· EPS/FPS: 5,000

 

2500

Details:

· Retail Price: $63,235.00 (reality: <$25k each when bought in HA pairs)

· Max Sensors: 300

· IPS events: 60M

· Connection events: Up to 300 M

· RAM: 64G

· Firepower: 150,000 users/ 150,000 hosts

· Event Storage: 1.8T

· EPS/FPS: 12,000

At a list price of $63,235.00, this may make you take another look at the specs of the vFMC…

 

4500

Details:

· Retail Price: $116,804.98 (reality: <>$60k each when bought in HA pairs)

· Max Sensors: 750

· IPS events: 300M

· Connection events: Up to 1B

· RAM: 128G

· Firepower: 600,000 users/ 600,000 hosts

· Event Storage: 3.2T

· EPS/FPS: 20,000

With a whopping list price of $116,804.98 you’ll really need to be a school or non-profit to afford these. Remember that you’ll need two for HA!! (Cisco’s rep puts pinky to cheek and laughs like Dr. Evil while telling you this).

The 4150/55s and 9300 FTD devices are the best NGFW in the industry and they can send some data! 4500s are your only option today. This is a very important subject to understand because even with a 4500, it’s possible to overload.

 

EPS/FPS

This is a very important subject to understand because even with a 4500, it’s possible to overload.

I had a customer in D.C. that had 200 4150s in 100 pairs.The total cost was$100 Million dollars too! Wowza! Anyway, their 4150’s sent way more data than their 4500 FMC HA pair could handle as you can imagine! Looking at the 4500 bullet points above, you can see the small amount of events this device can receive, although in reality 20k EPS is a lot!

Just like the solution on the FMC 2000 I used in the above text, we offloaded all events to Splunk.

Now you can just imagine the Splunk salesman with his pinky to his cheek, can’t you? I think they all have their pinkly glued to their faces now that I think about it…

 

Want to learn more about Cisco's Firepower Management Systems? Check out Todd Lammle's Firepower Threat Defense Course, available in our All Access Pass. 

{{cta('4895ab9d-e3ce-430a-b055-614885571029')}}