We recently deployed Cisco Firepower Threat Defense (FTD) on our perimeter, but we are seeing significant latency during peak hours. I've checked the basic interface stats, but everything looks normal. Are there specific internal engine checks I should be running to find the bottleneck?
3 answers
Throughput issues on FTD are often related to the Snort engine or the Prefilter policy. You should start by running the command "system support platform dump-thr-stats" to see if any specific snort instances are pegged at 100%. Often, a "heavy" rule or an unoptimized SSL inspection policy is the culprit. If you are doing deep packet inspection on high-bandwidth, trusted traffic like encrypted backups, you should implement a Prefilter Fast-Path rule to bypass the Snort engine entirely for those specific flows, which significantly reduces the CPU load on the firewall.
Is it possible that the hardware itself is undersized for the amount of encrypted traffic we are inspecting, or does FTD have a way to offload SSL decryption to a dedicated hardware chip?
Always check your intrusion rules first. Sometimes a single "balanced" policy update adds a signature that triggers on legitimate internal traffic, causing a massive spike in latency.
Great point, Karen. I’ve seen cases where a generic DNS signature caused the Snort engine to inspect every single internal query, which crippled the firewall's performance during morning logins.
William, the newer Firepower 2100 and 4100 series have dedicated crypto-acceleration hardware, but it still has limits. You should check your "show asp drop" counters. If you see many drops related to "ssl-state-failure," it’s a sign the hardware is struggling with the handshake volume. In that case, you might need to reconsider your decryption policy or upgrade to a higher-spec appliance.