Cyber Security

What are the most common troubleshooting steps for Cisco Firepower (FTD) throughput issues?

JO Asked by Joseph King · 22-06-2024
0 upvotes 16,539 views 0 comments
The question

We recently deployed Cisco Firepower Threat Defense (FTD) on our perimeter, but we are seeing significant latency during peak hours. I've checked the basic interface stats, but everything looks normal. Are there specific internal engine checks I should be running to find the bottleneck? 

3 answers

0
N
Answered on 15-08-2024

Throughput issues on FTD are often related to the Snort engine or the Prefilter policy. You should start by running the command "system support platform dump-thr-stats" to see if any specific snort instances are pegged at 100%. Often, a "heavy" rule or an unoptimized SSL inspection policy is the culprit. If you are doing deep packet inspection on high-bandwidth, trusted traffic like encrypted backups, you should implement a Prefilter Fast-Path rule to bypass the Snort engine entirely for those specific flows, which significantly reduces the CPU load on the firewall. 

0
WI
Answered on 18-08-2024

Is it possible that the hardware itself is undersized for the amount of encrypted traffic we are inspecting, or does FTD have a way to offload SSL decryption to a dedicated hardware chip?

JO 20-08-2024

William, the newer Firepower 2100 and 4100 series have dedicated crypto-acceleration hardware, but it still has limits. You should check your "show asp drop" counters. If you see many drops related to "ssl-state-failure," it’s a sign the hardware is struggling with the handshake volume. In that case, you might need to reconsider your decryption policy or upgrade to a higher-spec appliance.

0
KA
Answered on 22-08-2024

Always check your intrusion rules first. Sometimes a single "balanced" policy update adds a signature that triggers on legitimate internal traffic, causing a massive spike in latency.

NA 23-08-2024

Great point, Karen. I’ve seen cases where a generic DNS signature caused the Snort engine to inspect every single internal query, which crippled the firewall's performance during morning logins.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session