Cisco Firepower Management Centers (FMCs) are expensive! Which one should you get?

In all my travels, I go to a whole heck of a lot of customers with various Firepower gear and different FMCs. What I have found is that most of my customers have either been oversold or undersold on the processing/storage/memory for their hardware FMC. In the salesperson's defense, finding the right FMC for a large network isn't that easy, so if they can, they just sell the top, most expensive 4500 (it's the largest/fastest Cisco has, so the customer will be fine)! Yeah, until the customer realizes they were oversold, or they find out (when someone finally configures FTD correctly) that they were sorely undersold!

The Cisco 1000, 2500 and 4500 all look about the same:

So why am I stopping my day to write this blog post? Because I have been to a lot of large schools and Fortune 50 companies with FTD 4150/9300s, which are some very powerful NGFW devices, and just in the last month I've consulted in both Nevada and Ohio, working at large school districts. Each of these had multiple internal groups, with admins in each location responsible for hundreds of thousands of students, and each department had multiple 9300s to manage. Yet somehow one of these admin groups was sold an FMC 2000, while at the same time the others were sold 2500s and 4500s, with no rhyme or reason as to why or how each received what they did. This, unfortunately, is a common occurrence.

So, as we were working on the policies, configuration, and most importantly the network analysis, we watched the FMC 2000 basically choke and die while the FMC 4500 just kept moving along with basically the same configurations/devices. To get the FMC 2000 working at all, we had to disable almost all logging (and send it to syslog/Splunk instead). To say this admin and his boss were upset they were undersold the 2000 instead of an FMC 2500 at a minimum is an understatement, and they justly should be upset, as Cisco doesn't want to replace it for them at no cost. Is this a problem? Yes. Do I see this all the time? Yes. Was the FMC 2000 EOL when sold? Yes!

So how do you get the right FMC on a budget? (Cisco Firepower and budget are mutually exclusive!) Well, you need to test it in production to find out, just like my customer did in Ohio with the FMC 2000... yikes! However, hopefully this small bullet-pointed list will help you make sure you're getting the right FMC for your network.

**BUT first**, before we go on, are you even sure you bought the correct FTDs? Well, this FMC blog will be long enough as it is, so I'll just add a new blog post for you on how to find the FTD that's right for you! Here it is... and that post is much shorter, and picking an FTD is much easier than picking an FMC!

A couple of quick thoughts:

  1. Max sensors are just that, a maximum. In my experience, cutting Cisco's listed number of supported devices in half is a good rule of thumb (this will vary with FTD type, number of users, bandwidth and more).
  2. EPS/FPS is the events per second/flows per second the FMC can handle, and it is all-important! (Discussed at the end of this post, in order to make it even longer!)

Virtual FMC

First, I already have posted info about the vFMC here: vFMC Blog post

This is a very, very useful FMC and I have at least 20 of these spun up in my lab at any time. Cheap and easy, and you can enable the eval license for up to a year if you want to do labbing (and class!). You can only have up to 25 devices, but I wouldn't put in more than 8 pairs total in production with lower-end FTD devices such as 5506/8/16s. Once you go up to the 5525/45/55/2100, then I'd bring down the number of devices you're using, or upgrade to a hardware FMC. If you're at FTD 4100/9300s, just skip this section on the vFMC, as it's not for your production network at all.

Details:

  • Retail Price: 2 devices $500, 25 devices $10,795 (reality: Basically Free)
  • Max Sensors: 25
  • IPS events: 10M
  • Connection events: Up to 50M
  • RAM: Up to 16G
  • Firepower: 50,000 users/50,000 hosts
  • Event Storage: 250G
  • EPS/FPS: depends on system (but very low in comparison)

So how do you find the maximum number of Connection Events you can store on your FMC? That's a great question! It doesn't seem to be written down anywhere, so here is how you find out. Go to System>Configuration>Database.

The default on ALL FMCs is 1,000,000... a ridiculously small amount, and if you don't know about this setting, you won't even know it's low. So, set Maximum Connection Events to just over a billion, like so: 1,000,000,001. Click Save and the system will now report the maximum for your FMC. You can see in this screenshot that the vFMC is now at 50 million total.

What about the other settings? Although you can change the number of IPS events stored, as shown in my details for each FMC listed below, I wouldn't change much of anything else. Be careful here. The only setting you can really safely change is the most important one: Maximum Connection Events, which holds the logging from your ACP rules.

Hardware FMCs

1000

Details:

  • Retail Price: $24,800.01 (reality: <$7500 each when bought in HA pairs)
  • Max Sensors: 50
  • IPS events: 30M
  • Connection events: Up to 90M
  • RAM: 32G
  • Firepower: 50,000 users/50,000 hosts
  • Event Storage: 900G
  • EPS/FPS: 5,000

2500

At a list price of $63,235.00, this may make you take another look at the specs of the vFMC…

Details:

  • Retail Price: $63,235.00 (reality: <$25k each when bought in HA pairs)
  • Max Sensors: 300
  • IPS events: 60M
  • Connection events: Up to 300M
  • RAM: 64G
  • Firepower: 150,000 users/150,000 hosts
  • Event Storage: 1.8T
  • EPS/FPS: 12,000

4500

With a whopping list price of $116,804.98, you'll really need to be a school or non-profit to afford these... and just to remind you, and make it even more real, remember that you'll need two for HA!! (Cisco's rep puts pinky to cheek and laughs like Austin Powers while telling you this)...

The 4150/55 and 9300 FTD devices are the best NGFWs in the industry, and they can send some data! For these, the 4500 is your only option today.

Details:

  • Retail Price: $116,804.98 (reality: <>$60k each when bought in HA pairs)
  • Max Sensors: 750
  • IPS events: 300M
  • Connection events: Up to 1B
  • RAM: 128G
  • Firepower: 600,000 users/600,000 hosts
  • Event Storage: 3.2T
  • EPS/FPS: 20,000

EPS/FPS

This is an all-important subject to understand (I'll keep it short), because even a 4500 can be overloaded.

I had a customer in D.C. that had two hundred 4150s in 100 pairs... yes, and they paid $100 million too! Wowza! Anyway, their 4150s sent way more data than their 4500 FMC HA pair could handle, as you can imagine! Looking at the 4500 bullet points above, you can see the small number of events this device can receive, although in reality 20k EPS is a lot!

Just like the solution used for the FMC 2000 earlier in this post, we offloaded ALL events to Splunk to solve this issue.

Now you can just imagine the Splunk salesman with his pinky to his cheek, can't you? I think they all have their pinky glued to their faces, now that I think about it...
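To put numbers on the sizing rules this post makes (halve Cisco's listed sensor count, watch the EPS/FPS ceiling, and size the connection-event database you discover via System>Configuration>Database), here is a small Python planning check. It is an added example, not code from this post or from Cisco: the `FmcModel` class, the function names and the per-sensor EPS figures in the sample fleet are my own constructed assumptions, while the model figures are copied from the spec lists above and the "connection + SI events may not exceed the maximum" rule is the one reported for the 4500 in the comments.

```python
"""FMC sizing sanity check (added example, not the post's or Cisco's code).

It encodes three points from the post: plan for half of Cisco's listed sensor
count, treat EPS/FPS as the real bottleneck, and understand how fast the
connection-event database (System>Configuration>Database) fills at the FMC's
EPS ceiling, which is why events end up offloaded to syslog/Splunk.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FmcModel:
    name: str
    listed_max_sensors: int   # Cisco's listed maximum (from the post's spec lists)
    max_eps: int              # EPS/FPS the FMC can ingest (from the post)
    max_conn_events: int      # largest Maximum Connection Events the FMC accepts


# Hardware models as listed in the post.
FMC_MODELS: Dict[str, FmcModel] = {
    "1000": FmcModel("1000", 50, 5_000, 90_000_000),
    "2500": FmcModel("2500", 300, 12_000, 300_000_000),
    "4500": FmcModel("4500", 750, 20_000, 1_000_000_000),
}

# Out-of-the-box value the post calls "ridiculously small".
DEFAULT_CONN_EVENTS = 1_000_000


def usable_sensors(model: FmcModel) -> int:
    """Rule of thumb from the post: plan for half of Cisco's listed sensor count."""
    return model.listed_max_sensors // 2


def retention_hours(stored_events: int, eps: float) -> float:
    """Hours a full connection-event database covers at a sustained event rate."""
    if eps <= 0:
        return float("inf")
    return stored_events / eps / 3600


def check_db_settings(model: FmcModel, conn_events: int, si_events: int) -> List[str]:
    """Validate Maximum Connection Events and Maximum Security Intelligence Events.

    The combined total may not exceed the model's maximum (the FMC rejects the
    save otherwise), and leaving the 1,000,000 default in place wastes storage.
    """
    findings = []
    if conn_events < 0 or si_events < 0:
        findings.append("event limits cannot be negative")
    if conn_events + si_events > model.max_conn_events:
        findings.append(
            f"connection + SI events ({conn_events + si_events:,}) exceed the "
            f"{model.max_conn_events:,} an FMC {model.name} accepts")
    if conn_events == DEFAULT_CONN_EVENTS:
        findings.append("Maximum Connection Events is still the 1,000,000 default")
    return findings


def plan_fleet(model: FmcModel, sensors: List[Tuple[str, int]], conn_events: int) -> dict:
    """Check a planned fleet of (sensor name, estimated EPS) against one FMC model."""
    total_eps = sum(eps for _, eps in sensors)
    findings = []
    if len(sensors) > usable_sensors(model):
        findings.append(
            f"{len(sensors)} sensors exceeds the rule-of-thumb {usable_sensors(model)} "
            f"for an FMC {model.name} (listed max {model.listed_max_sensors})")
    if total_eps > model.max_eps:
        findings.append(
            f"{total_eps:,} EPS exceeds the {model.max_eps:,} EPS ceiling; "
            "reduce ACP logging or offload events to syslog/SIEM")
    return {
        "sensors": len(sensors),
        "total_eps": total_eps,
        "eps_utilisation": total_eps / model.max_eps,
        "retention_hours_at_ceiling": retention_hours(conn_events, model.max_eps),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: ten 4150 HA pairs, each sensor estimated at 1,500 EPS.
    fleet = [(f"ftd-4150-{i:02d}", 1_500) for i in range(20)]
    fmc = FMC_MODELS["4500"]
    result = plan_fleet(fmc, fleet, conn_events=997_000_000)
    for line in result["findings"]:
        print("FINDING:", line)
    print(f"EPS utilisation: {result['eps_utilisation']:.0%}")
    print(f"Full database covers {result['retention_hours_at_ceiling']:.1f} h at "
          f"{fmc.max_eps:,} EPS")
    for warning in check_db_settings(fmc, 997_000_000, 3_000_000):
        print("DB:", warning)
```

The retention figure is the one worth staring at: even a 4500 holding a billion connection events covers well under a day at its own 20,000 EPS ceiling, which is why both customers in the post ended up sending events to Splunk and keeping only what they needed on the FMC.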

9 Comments

  1. Hi Todd

    I have FMC 4500.

    Point to be Noted: The sum of Connection and Security Intelligence Database events must not exceed 1,000,000,000

    Currently my Maximum Connection Events (0 = do not store) and Maximum Security Intelligence Events is set 3 Million each. I am sending logs to our SIEM.

    But when I change the Maximum Connection Events to 997,000,000, I get FMC error “Connection Events Database must be between 0 and 1,000,000,000, inclusive.”

    Also, when I changed the value of Maximum Connection Events to 4 million, I am not seeing connection events under Dashboard Analysis, and there is a policy deployment waiting to be deployed.

  2. After playing with the numbers... I was able to apply 997000000. I first tried 900 million (900000000) and then 997. It worked... Thanks.

    1. Yes, with 3M for SI that is 1 billion.
      However, that is SO many events that you might not be able to bring the tables up, because it will take too long to load.
      You may consider lowering this to 500-600 million max so that the tables can load.

  3. Hi. Is there any command or log file where I can view concurrent EPS on FTD and FMC for capacity planning?

  4. Any thoughts on the FMCv-300? I know with sensor count it is comparable to the FMC 2600, but would you consider using one with FPR4k/9k’s?

    1. Sure, you’d still have to watch your logging levels with the high-end boxes but they are very powerful.
      The reason you’d choose the 300 over a hardware FMC is that your server will never go end of life. The UCS chassis changes about every 3 or so years, making spending so much on an FMC difficult. Although the price on the 300 might be slightly less than a hardware FMC, your server has to be really beefy. So if you already have a good server, you should be set.

    1. Yes, go to System>Health Policy and then Monitor,
      then click on the FMC in the left pane, and the database statistics will appear. These can be adjusted in System Config>Database.
      If you are running a lower 6.x code, you will not see this graphic.
