Performance Profiling for CPU Allocation
Using Cisco Secure Firewall Performance Profiles
Introduction
Release 7.3 introduces Performance Profiling for CPU Allocation, which traditionally is fixed per Cisco Secure Firewall platform. In some use cases, such as dedicated VPN or IPS deployments, the CPU cores allocated to the Data Plane or to Snort are not fully used, so cores are over-allocated. The new Firewall Management Center (FMC) Performance Profile controls CPU core allocation between the Data Plane and Snort processes. The minimum supported versions for Secure Firewall Threat Defense Virtual, Secure Firewall 4100 Series, and Secure Firewall 9300 Series are noted below:
Minimum Supported Manager Version | Supported Secure Firewall Platforms | Minimum Secure Firewall Version |
---|---|---|
7.3 | Threat Defense Virtual, Secure Firewall 4100 Series, Secure Firewall 9300 Series | 7.3 |
Chassis Manager 2.13.1 | Secure Firewall 4100 Series & Secure Firewall 9300 Series | FXOS 2.13.1 |
Using Performance Profiles
By default, core allocation is fixed as defined by the Secure Firewall platform. Once a Performance Profile is deployed to a Secure Firewall, a manual reboot is mandatory for changes to take effect.
Note
The FMC does not initiate a managed device auto-reboot when the performance profile is modified. The administrator must initiate a reboot of the managed device after the successful deployment.
Profile Options
Four pre-defined profiles are provided:
- VPN-heavy with prefilter fastpath: CPU cores allocated at a 90:10 ratio
  - 90% to Data Plane; 10% to Snort
- VPN-heavy with inspection: CPU cores allocated at a 60:40 ratio
  - 60% to Data Plane; 40% to Snort
- IPS-heavy: CPU cores allocated at a 30:70 ratio
  - 30% to Data Plane; 70% to Snort
- Default
  - Disabled; CPU cores allocated based on platform
By adjusting CPU core allocation, Snort workloads can be increased with CPU cores from the Data Plane while leaving the minimum required cores to handle ingress bandwidth. Alternatively, Data Plane workloads can be increased with CPU cores from Snort. Where either IPS or VPN workloads are favored, you can further tune the managed device to more efficiently handle incoming bandwidth.
Configuration
Performance Profiling for CPU Allocation requires a Platform Settings policy: either create a new one, or add the Performance Profile to an existing Platform Settings policy. Log in to your FMC and follow the steps below:
Step 1: Navigate to Devices > Platform Settings.
Step 2: Click New Policy > Threat Defense to add a new Platform Settings policy.
Step 3: Enter a unique Name. Optionally, enter a Description.
Step 4: Under Available Devices, select the applicable firewall(s) for this policy.
Step 5: Click Add to Policy.
Step 6: Click Save.
Step 7: Click on Performance Profile, which displays the configurable options for each Performance Profile.
Notice that the Default performance profile is selected. Cores are allocated per the Secure Firewall platform.
Step 8: Choose the option most applicable to the managed device. For this example, VPN-heavy with inspection is configured.
- A warning appears stating that a manual reboot is required for the performance profile configuration to take effect on the device. Click Yes.
Step 9: Save and Deploy changes.
- Click Save and then click Deploy.
- Select the applicable device(s) from the deployment menu.
- Click Deploy.
- The deployment menu will display a Validation Warning requiring a manual reboot to apply the Performance Profile. Acknowledge the warning by clicking Proceed with Deploy.
Step 10: Once the deployment completes, reboot the managed device(s) that were assigned to the Platform Settings policy in Step 4.
Configuration Limitations
Software Version
This feature is limited to Release 7.3 and above. A pre-deployment warning displays when an attempt is made to deploy the configuration to a device running older versions.
Standalone Only
The Performance Profile is limited to standalone devices. A pre-deployment warning displays when an attempt is made to deploy the configuration to a high-availability pair. However, High-Availability (HA) is still possible using the Default performance profile.
Clustering is not Supported
As with HA pairs, clustering is not supported; all nodes must use the Default performance profile. Because clusters are created on the 4100/9300 Series via Chassis Manager, FMC imposes no restriction for these devices. However, FMC will not push any performance profile modifications to an FTD cluster.
For Secure Threat Defense Virtual, similar behavior occurs when the device(s) have a Performance Profile other than the Default profile. Forming a single-node or multi-node Secure Threat Defense Virtual cluster is allowed only if the control and data nodes use the Default Performance Profile; otherwise, a validation warning is displayed.
Verification and Troubleshooting
Once a deployment completes, navigate to Devices > Device Management.
- Click on the pencil icon to edit the device.
- Click on the Device tab.
- Under the General widget, the Performance Profile setting is shown.
Alternatively, the show allocate-core profile command from the FTD CLI displays the Performance Profile applied to the device.
```text
> show allocate-core profile
Core allocation profile is set to : vpn-heavy-with-inspection
>
```
The show allocate-core lina-cpu-percentage command from the FTD CLI displays the current core percentage allotted to the Data Plane.
```text
> show allocate-core lina-cpu-percentage
Lina CPU percentage is set to : 60
>
```
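The two CLI outputs above can be checked together after deployment: the profile should match what was deployed, and the Data Plane percentage should match that profile's ratio from the Profile Options section. The following is an added example (not Cisco's code) that parses both outputs and reports a mismatch; the sample outputs are copied from the page, and the interpretation of "profile matches but percentage does not" as a reboot that has not yet taken effect is an assumption.

```python
import re
from typing import Optional

# Constructed sample output, copied from the two FTD CLI commands shown above.
SAMPLE_PROFILE_OUTPUT = """> show allocate-core profile
Core allocation profile is set to : vpn-heavy-with-inspection
>"""
SAMPLE_PCT_OUTPUT = """> show allocate-core lina-cpu-percentage
Lina CPU percentage is set to : 60
>"""

_PROFILE_RE = re.compile(r"Core allocation profile is set to\s*:\s*(\S+)")
_PCT_RE = re.compile(r"Lina CPU percentage is set to\s*:\s*(\d+)")


def parse_profile(output: str) -> Optional[str]:
    """Return the profile name from 'show allocate-core profile' output."""
    m = _PROFILE_RE.search(output)
    return m.group(1) if m else None


def parse_lina_pct(output: str) -> Optional[int]:
    """Return the Data Plane (Lina) core percentage, or None if absent."""
    m = _PCT_RE.search(output)
    return int(m.group(1)) if m else None


def check_allocation(profile_out: str, pct_out: str,
                     expected_profile: str, expected_pct: int) -> str:
    """Compare the device's reported allocation with the deployed profile.

    expected_pct is the Data Plane share implied by the profile's ratio
    (60 for vpn-heavy-with-inspection). Returns one of:
      'ok'               profile and percentage both match
      'profile-mismatch' a different profile is applied on the device
      'reboot-pending'   profile matches but the percentage does not
                         (assumption: the post-deploy reboot has not happened)
      'unparsed'         one of the outputs could not be parsed
    """
    profile = parse_profile(profile_out)
    pct = parse_lina_pct(pct_out)
    if profile is None or pct is None:
        return "unparsed"
    if profile != expected_profile:
        return "profile-mismatch"
    if pct != expected_pct:
        return "reboot-pending"
    return "ok"


if __name__ == "__main__":
    print(check_allocation(SAMPLE_PROFILE_OUTPUT, SAMPLE_PCT_OUTPUT,
                           "vpn-heavy-with-inspection", 60))
```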
Summary
Implementing Performance Profiling for CPU Allocation allows the administrator to change the percentage of system cores allocated to the Data Plane and Snort processes to adjust system performance. Adjustments are based on the managed devices' VPN and IPS use cases, and the following limitations should be observed:
- Support for Secure Firewall 4100 Series and Secure Firewall 9300 Series in native mode only.
- High-Availability and Cluster configurations are not supported unless using the Default Performance profile.
This feature provides a means to skew core allocation to the Data Plane (for VPN) or Snort (for Intrusion Inspection) for various workloads.