Cisco Firepower Management Center 2000 Troubleshooting Guide

Contents
Introduction
Processing of Traffic by Snort
2-Tuple Algorithm in ASA with FirePOWER Services and NGIPS Virtual
3-Tuple Algorithm in Software Version 5.3 or Lower on Firepower and FTD appliances
5-Tuple Algorithm in Software Version 5.4, 6.0, and Greater on Firepower and FTD appliances
Total Throughput
Test Result of a Third Party Tool
Remediations
Intelligent Application Bypass (IAB)
Identify and Trust the Large Flows
Related Documents
Introduction
The result of any bandwidth speed-testing website, or the output of any bandwidth measurement
tool (for example, iperf), may not show the advertised throughput rating of a Cisco Firepower
appliance. Similarly, the transfer of a single very large file over FTP or HTTP does not
demonstrate the advertised throughput rating of a Firepower appliance. This is because the
Firepower service does not use a single network flow to reach its maximum throughput. This
document describes why a single flow cannot consume the entire rated throughput of a Cisco
Firepower appliance.
Contributed by Nazmul Rajib, and Foster Lipkey, Cisco TAC Engineers.
Processing of Traffic by Snort
The underlying detection technology of the Firepower service is Snort. The implementation of
Snort on a Cisco Firepower appliance is a single-threaded process for traffic processing. An
appliance is rated for a specific throughput based on the total of all flows going through the
appliance. The appliances are expected to be deployed on a corporate network, usually near
the border edge, where they handle thousands of concurrent connections.
The Firepower service achieves the maximum throughput of an appliance by load balancing
traffic across a number of running Snort processes, one Snort process for each CPU on
the appliance. However, the Firepower service cannot simply load balance traffic evenly on a
per-packet basis across all instances of Snort, because Snort needs to be able to reassemble the
connections. If Snort did not reassemble these sessions, the intrusion prevention system could be
evaded by fragmenting packets in such a way that a Snort rule would be less likely to match. For
each individual Snort instance to be able to reassemble traffic, the Firepower service must send all
traffic belonging to a given connection to the same Snort instance. Therefore, the load balancing
algorithm is based on connection information that uniquely identifies a given connection.
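The following model, an added example rather than code from this document or from Cisco, shows why per-connection load balancing bounds a single flow to one Snort instance. It hashes a connection identifier to pick an instance, then distributes three kinds of constructed traffic: one large flow, many parallel streams between the same two hosts (the iperf or speed-test case), and many clients. The field sets used for the 2-, 3- and 5-tuple keys and the CRC32-based hash are assumptions for illustration; the document does not specify the hash Firepower uses, only that it is derived from connection information.

```python
"""Model of per-connection load balancing onto Snort instances.

Assumptions (not taken from the document): tuple field sets, the CRC32 hash,
and the sample traffic are all constructed here for illustration.
"""
import zlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int   # 6 = TCP
    size: int    # bytes on the wire


def flow_key(pkt: Packet, tuple_size: int) -> tuple:
    """Connection identifier for a given tuple size.

    Endpoints are sorted so both directions of a connection produce the same
    key: a reassembling IPS must see client->server and server->client traffic
    on the same instance (assumption).
    """
    ips = tuple(sorted((pkt.src_ip, pkt.dst_ip)))
    if tuple_size == 2:      # assumed fields: source IP, destination IP
        return ips
    if tuple_size == 3:      # assumed fields: source IP, destination IP, protocol
        return ips + (pkt.proto,)
    if tuple_size == 5:      # assumed fields: both IP:port pairs and protocol
        ends = tuple(sorted(((pkt.src_ip, pkt.src_port),
                             (pkt.dst_ip, pkt.dst_port))))
        return ends + (pkt.proto,)
    raise ValueError("tuple_size must be 2, 3 or 5")


def pick_instance(pkt: Packet, tuple_size: int, n_instances: int) -> int:
    """Hash the connection key to one of n_instances Snort processes."""
    key = "|".join(map(str, flow_key(pkt, tuple_size)))
    return zlib.crc32(key.encode()) % n_instances


def distribute(packets, tuple_size, n_instances):
    """Return (bytes per instance, {5-tuple flow: set of instances it hit})."""
    load = [0] * n_instances
    seen = defaultdict(set)
    for p in packets:
        inst = pick_instance(p, tuple_size, n_instances)
        load[inst] += p.size
        seen[flow_key(p, 5)].add(inst)
    return load, seen


def busy_instances(load) -> int:
    """Number of Snort instances that received any traffic."""
    return sum(1 for b in load if b)


def make_flow(src_ip, dst_ip, src_port, dst_port, n_packets, size=1400):
    """Constructed TCP connection: full-size data packets one way, ACKs back."""
    pkts = []
    for i in range(n_packets):
        if i % 2 == 0:
            pkts.append(Packet(src_ip, dst_ip, src_port, dst_port, 6, size))
        else:
            pkts.append(Packet(dst_ip, src_ip, dst_port, src_port, 6, 60))
    return pkts


def single_large_flow():
    """One big HTTP download: 2000 packets between one client and one server."""
    return make_flow("10.0.0.5", "203.0.113.10", 40000, 80, 2000)


def parallel_streams_same_hosts(n_streams=32):
    """Many parallel streams between the same two hosts (iperf -P style)."""
    pkts = []
    for i in range(n_streams):
        pkts += make_flow("10.0.0.5", "203.0.113.10", 40000 + i, 5201, 100)
    return pkts


def many_clients(n_clients=200):
    """Typical edge traffic: many distinct clients talking to a server."""
    pkts = []
    for i in range(n_clients):
        pkts += make_flow(f"10.0.1.{i}", "203.0.113.10", 50000 + i, 443, 20)
    return pkts


if __name__ == "__main__":
    for name, traffic, ts in (("single flow", single_large_flow(), 5),
                              ("32 streams, 2-tuple", parallel_streams_same_hosts(), 2),
                              ("32 streams, 5-tuple", parallel_streams_same_hosts(), 5),
                              ("200 clients, 5-tuple", many_clients(), 5)):
        load, _ = distribute(traffic, ts, 4)
        print(f"{name:22s} busy instances: {busy_instances(load)}  load: {load}")
```

With four instances, the single flow lands entirely on one Snort process, so it can never exceed roughly a quarter of the appliance's aggregate rating. Under the 2-tuple key, all 32 parallel streams between the same host pair collapse onto one instance as well, which is why a multi-stream iperf run between two hosts does not help on those platforms; the 5-tuple key spreads them out, and ordinary many-client traffic uses all instances.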
2-Tuple Algorithm in ASA with FirePOWER Services and NGIPS Virtual
On the ASA with FirePOWER Service platform and NGIPS virtual, Snort uses a 2-tuple algorithm.