Cisco Firepower Management Center 2000 Troubleshooting Guide

The datapoints for this algorithm are:
Source IP
Destination IP
3-Tuple Algorithm in Software Version 5.3 or Lower on Firepower and FTD appliances
On all prior Versions (5.3 or lower), Snort uses a 3-tuple algorithm. The datapoints for this
algorithm are:
Source IP
Destination IP
IP Protocol
Any traffic with the same source IP, destination IP, and IP Protocol is load balanced to the same
instance of Snort.
5-Tuple Algorithm in Software Version 5.4, 6.0, and Greater 
On Version 5.4, 6.0 or greater, Firepower Services uses a 5-tuple algorithm. The datapoints that
are taken into account are shown below:
Source IP
Source Port
Destination IP
Destination Port
IP Protocol
The purpose of adding ports to the algorithm is to balance traffic more evenly when there are
specific source and destination pairs that account for large portions of the traffic. With the ports
included, the high-order ephemeral source ports should differ per flow, which should add
entropy and balance traffic more evenly across the different Snort instances.
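The effect of adding ports can be seen in a small simulation. This is an added example, not Cisco code: SHA-256 stands in for the appliance's hash, which this guide does not describe, the traffic is constructed, and 22 is the instance count this guide quotes for an 8250.

```python
import hashlib
from collections import Counter

SNORT_INSTANCES = 22  # instance count quoted in this guide for an 8250

def pick_instance(fields, instances=SNORT_INSTANCES):
    """Hash the chosen flow fields to an instance index.
    SHA-256 is a stand-in (assumption); the appliance's hash is not given."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % instances

def three_tuple(flow):
    return (flow["src"], flow["dst"], flow["proto"])

def five_tuple(flow):
    return (flow["src"], flow["sport"], flow["dst"], flow["dport"], flow["proto"])

def distribute(flows, key):
    """Count how many flows each instance receives under a given key."""
    return Counter(pick_instance(key(f)) for f in flows)

def busiest_share(counts):
    """Fraction of all flows handled by the most loaded instance."""
    return max(counts.values()) / sum(counts.values())

def sample_flows():
    """Constructed traffic: one host pair with 2000 connections on distinct
    ephemeral source ports, plus 200 single-flow clients of the same server."""
    heavy = [{"src": "10.0.0.5", "sport": 49152 + i, "dst": "10.0.1.9",
              "dport": 443, "proto": 6} for i in range(2000)]
    light = [{"src": f"10.0.2.{i + 1}", "sport": 50000 + i, "dst": "10.0.1.9",
              "dport": 443, "proto": 6} for i in range(200)]
    return heavy + light

if __name__ == "__main__":
    flows = sample_flows()
    for name, key in (("3-tuple", three_tuple), ("5-tuple", five_tuple)):
        counts = distribute(flows, key)
        print(f"{name}: {len(counts)} instances used, "
              f"busiest handles {busiest_share(counts):.1%} of flows")
```

Under the 3-tuple key every connection of the heavy host pair lands on one instance, while the 5-tuple key spreads the same connections across all of them.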
Total T
The total throughput of an appliance is based on the combined ability of all the snort instances
working to their fullest potential. You can estimate the performance rating of an individual Snort
instance by taking the rating of the appliance and dividing that by the number of Snort instances
that are running.
For instance, an 8250 appliance is rated at 10 Gbps for IPS and has 22 instances of Snort running.
Therefore, the single Snort performance threshold would be 10,000 Mbps / 22 instances = 454
Mbps per Snort instance. Some of the appliances may be slightly underrated, so a single
Snort instance may process slightly more than this calculation would give you. The 8250 appliance
is one of them; it usually peaks at 500 Mbps per Snort instance.
Another example would be an ASA 5516 with the Firepower services. The ASA 5516 is rated at a
maximum throughput of 
Test Result of a Third Party Tool