Lab Minutes Forum
Technical Discussion => Security => Topic started by: Administrator on February 11, 2016, 11:19:30 PM
-
With Firepower 6.0 and Cisco ASA 9.4.2 OS, I am experiencing bandwidth degradation.
So, I would like to know: if anyone wants to upgrade from Firepower 5.4 to 6.0, which firewall base IOS version should they use? (Stable IOS)
-
How much degradation are you experiencing? A rule of thumb is that you can only expect a third of the platform's regular throughput with IPS, Malware and URL turned on, probably even less (like 20%) with SSL decryption.
In terms of stability, the latest 9.4 and 9.5 should be fine although you may still want to review outstanding bugs for each release.
-
By degradation I mean that when SSL inspection is enabled, even allowed websites do not open without a delay of at least 10 to 15 s or more, meaning users are experiencing browsing slowness.
Is there any known bug or similar issue with SSL inspection?
Thanks,
Milin
-
Which model ASA are you running?
How many users? How much bandwidth?
-
It is ASA-5516-X with Firepower Services.
Around 200 Users, 50Mbps ILL Line.
-
10-15 sec delay to load a page is certainly not normal. Are you decrypting all SSL, or only selective categories?
-
A few websites are not opening at all, too.
I created 2 SSL policies to decrypt only selected traffic for a few categories.
The Internet browsing experience is worse after redirecting traffic through the Firepower module.
-
Some sites just won't work when using SSL decryption.
We use the WSA for all of our SSL decryption so I can't speak to the firepower module. I have only used it for SSL in the lab with a 5516.
On the WSA we have a custom category created for sites to exclude from decryption if they are problematic.
I suggest doing the same thing on the firepower.
Create a Distinguished Name object group called "Do not decrypt" or whatever you like.
Add the URLs that you want.
Then add a new rule to your SSL policy with the action "Do not decrypt" and select the DN group you created.
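To confirm which sites the SSL policy is actually re-signing and which the "Do not decrypt" rule is bypassing, and to put a number on the delay users report, here is an added Python probe (example code, not part of the original post or any Cisco tooling). It assumes a placeholder inspection CA CN of "Corp-Firepower-Resign-CA"; a certificate chaining to that CA means the firewall terminated the session, any other issuer means the flow was passed through.

```python
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: subject CN of the CA that the Firepower SSL policy uses to
# re-sign server certificates (constructed placeholder, replace with yours).
INSPECTION_CA_CN = "Corp-Firepower-Resign-CA"

@dataclass
class ProbeResult:
    host: str
    handshake_ms: Optional[float]   # None when the handshake failed
    issuer_cn: Optional[str]
    decrypted: Optional[bool]       # True = re-signed by the inspection CA
    error: Optional[str] = None

def issuer_cn(cert: dict) -> Optional[str]:
    """Pull the issuer CN out of the dict ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_decrypted(cert: dict, ca_cn: str = INSPECTION_CA_CN) -> bool:
    """A certificate issued by the inspection CA means the firewall terminated
    the TLS session; any other issuer means a 'do not decrypt' rule matched."""
    return issuer_cn(cert) == ca_cn

def probe(host: str, port: int = 443, timeout: float = 20.0) -> ProbeResult:
    """Time the TCP + TLS handshake to host and classify the certificate seen."""
    ctx = ssl.create_default_context()  # system trust store; must hold the
    start = time.perf_counter()          # inspection CA for decrypted sites
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                elapsed_ms = (time.perf_counter() - start) * 1000
                cert = tls.getpeercert()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ProbeResult(host, None, None, None, error=str(exc))
    return ProbeResult(host, round(elapsed_ms, 1), issuer_cn(cert), is_decrypted(cert))

def slow_hosts(results: list, threshold_ms: float = 2000.0) -> list:
    """Hosts whose handshake took longer than threshold_ms (thread reports 10-15 s)."""
    return [r.host for r in results
            if r.handshake_ms is not None and r.handshake_ms > threshold_ms]
```

Run `probe()` from a client behind the module against each site in the exclusion list: an entry that still reports `decrypted=True` is not matching the DN rule, and `slow_hosts()` separates handshake latency from page-rendering problems.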
-
It is true that sometimes you get a different experience with certain sites and different web browsers when doing SSL decryption. Dumb question, have you given the FP module a reload?
-
Hi Sucanushie/MC,
Thanks for your response.
But if a few SSL sites will not work with the FP module, then what is the meaning of using it?
If I want to use WSA, then why should I purchase the FP URL-Filtering license?
In production I am getting the worst experience using URL Filtering with the Firepower module.
Maybe I have reloaded the FP module, but what is wrong with that?
Because Cisco has made it compulsory that if your old CX module contracts are expiring, then you must upgrade to Firepower, but that is not at all stable yet.
Can anyone suggest when it will be as stable as other firewalls? (i.e. PA)
Thanks,
Milin
-
I don't think that websites not loading is specific to FP, but rather to SSL decryption and sometimes browser type. Maybe others who have used other SSL decryption products can chime in.
If you already use WSA for URL filtering, there is almost no reason to enable URL filtering on FP. In that case, you use FP for IPS and maybe malware protection.
Reloading the FP module is just a troubleshooting step. Obviously you shouldn't keep reloading it to fix the problem.
-
Agreed with what MC says.
The WSA does web filtering and SSL decryption better than the ASA with Firepower. At this time anyway.
We use the Firepower for Layer 7 rules, IPS and the AMP but not for URL filtering.
-
I know that WSA is better than the FP module's URL Filtering.
What I said was that URL Filtering is not working as expected; that's the reason we are running WSA with demo licenses.
-
BTW, milin1607, have you engaged a Cisco engineer on this issue? If so, what did they say?