Forum Discussion

KBrinkerhoff's avatar
KBrinkerhoff
Participant
19 days ago
Solved

Cloud-delivered FMC

Hi All, We're seeing a bit of an uptick in customers moving to the cloud-delivered firewall management center from Cisco as opposed to traditional virtual FMCs.  This seems to be a trend with Cisco...
powerpack
  • TaylorJohnson's avatar
    TaylorJohnson
    18 days ago

    "Best practices" will vary from user to user based on the parameters you have to work in, so I can't guide you to a definite answer there. If you're looking at the existing "pre-made" integrations for SL1, you'll have much more depth of monitoring with SNMP and/or Linux Base Pack to monitor FirePower devices. If you want to spend some time to whip up some REST API based dynamic applications to pull data from FMC and those other caveats I shared don't bother you, then that's a totally reasonable path to take as well. It mostly depends on what level of monitoring you're looking for and at what scale. 

    Creating a dynamic application to authenticate with FMC and collect the list of managed devices with basic config would be pretty simple and scale well, so if that's all you want, that's a reasonable approach. If you want detailed interface, cpu, memory and other performance metrics at the 1 minute or 5 minute interval along with collecting alarms, topology, and other things, then going through the FMC API may be the more difficult path as opposed to Cisco Base Pack and Linux Base Pack for each appliance. 

    Usually the "ideal" path is like you mentioned, Use the API to pull high level data (that may only be available in the API), then use SNMP/SSH directly to the appliances for the high fidelity, high volume data. If you choose to model the appliances through the rest API collections as components, you can merge those with the physical devices discovered via IP address in SL1. 

    If FirePower devices turn off connectivity features when in a managed mode, that does "throw a wrench" in things, and you will have to make some decisions on the fidelity and volume of monitoring you desire. 

KBrinkerhoff's avatar
KBrinkerhoff
Participant

Hey Taylor,

Appreciate the feedback on this.  Makes sense to me.  Would it be fair to say that best practice with SL1 for any FMC deployment is direct SNMP to the devices then?  Then potentially leverage the FMC for aggregate data?  We typically try to monitor and get backups from the FMC because once an FTD is managed by FMC you can no longer manage the FTD directly, but if the data gleaned from FMC is little to no different from direct SNMP then perhaps we should rethink that.  

TaylorJohnson's avatar
TaylorJohnson
Icon for Moderator rankModerator
18 days ago

"Best practices" will vary from user to user based on the parameters you have to work in, so I can't guide you to a definite answer there. If you're looking at the existing "pre-made" integrations for SL1, you'll have much more depth of monitoring with SNMP and/or Linux Base Pack to monitor FirePower devices. If you want to spend some time to whip up some REST API based dynamic applications to pull data from FMC and those other caveats I shared don't bother you, then that's a totally reasonable path to take as well. It mostly depends on what level of monitoring you're looking for and at what scale. 

Creating a dynamic application to authenticate with FMC and collect the list of managed devices with basic config would be pretty simple and scale well, so if that's all you want, that's a reasonable approach. If you want detailed interface, cpu, memory and other performance metrics at the 1 minute or 5 minute interval along with collecting alarms, topology, and other things, then going through the FMC API may be the more difficult path as opposed to Cisco Base Pack and Linux Base Pack for each appliance. 

Usually the "ideal" path is like you mentioned, Use the API to pull high level data (that may only be available in the API), then use SNMP/SSH directly to the appliances for the high fidelity, high volume data. If you choose to model the appliances through the rest API collections as components, you can merge those with the physical devices discovered via IP address in SL1. 

If FirePower devices turn off connectivity features when in a managed mode, that does "throw a wrench" in things, and you will have to make some decisions on the fidelity and volume of monitoring you desire.