Cisco Secure Firewall Management Center Snort 3 Configuration Guide, Version 7.4
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Elephant flows are extremely large (in total bytes), relative long-running network connections set up by a TCP (or other protocols)
flow measured over a network link. By default, elephant flows are flows or connections that are larger than 1 GB per 10 seconds.
They can cause performance duress or issues in Snort cores. Elephant flows are important because they can potentially consume
an excessive amount of CPU resources and impact other competing flows for detection resources and cause issues, such as increased
latency or packet drops.
Benefits of Elephant Flow Detection and Remediation
Elephant flow configuration allows customization and the option to bypass or even throttle elephant flows.
You can choose to bypass or throttle flows that are based on your chosen applications to provide Snort inspection of suspect
traffic, while bypassing more trusted traffic.
Elephant flow remediation helps prioritize and free up more bandwidth for your internal applications, depending on your specific
requirements.
Elephant Flow Workflow
When an elephant flow is detected based on your configured parameters, you can choose to bypass or throttle the flow. When
a flow is bypassed, the traffic is allowed to pass without Snort inspection. Throttling indicates that the flow throughput
is reduced. The reduction on flow rate is done in 10 percent increments until the CPU utilization reduces to below the configured
threshold. Bypassing or throttling happens after identifying the elephant flow and meeting the additional CPU and time window
parameters. Prior to identification of the elephant flow, your intrusion policy processes the flow, assuming that you have
configured this in an Allow rule. This means that elephant flows are not allowed to pass through the system completely uninspected
because most of the attacks are detected very early in a connection.
To understand how flows are handled, see the following flow diagram.
No action is taken unless the system detects a Snort duress condition (performance issue). The system does not throttle or
bypass a flow just because it is large. Also, the actions of throttle and bypass are mutually exclusive. This means that you
can either bypass or throttle a flow, but not both.
If you do not want to bypass all the elephant flows causing duress, you can limit the bypass option to specific applications
only. You can prioritize connectivity for the applications that you trust, without throttling performance. You can configure
the applications that must be bypassed, but the remaining flows (causing duress) are throttled. This ensures that the other
nontrusted application flows still receive full Snort inspection although their bandwidth is reduced.
Sample Business Scenario
In a data center, several activities are happening, such as replication of data between clusters, virtual machine integration,
and database backup. Users in an organization could be watching videos on an OTT or downloading them. Bandwidth utilization
for such activities might result in elephant flows, slow down the network, and impact the performance of important tasks.
As a network administrator (and depending on your specific requirements), you want visibility into such large flows that are
causing bandwidth issues and remediate them.
As an example, let us see how you can configure elephant flow parameters to bypass Snort inspection for WebEx traffic (which
your organization uses for real-time video conferencing) and throttle the remaining applications or connections, including
videos, movies, and so on.
Prerequisites
Ensure that you are running management center 7.2.0 or later and that the managed threat defense is also 7.2.0 or later.
Only enabling elephant flow detection does not generate additional connection events. Elephant flow detection adds the Elephant
Flow notation to matching connections that are already being logged to the management center. To log these events, you must enable connection logging in your access control policy. You can do that for specific rules or add a Monitor rule that logs all connections, including elephant flows.
Configure Elephant Flow Parameters
Procedure
Step 1
Choose Policies > Access Control.
Step 2
Click Edit () next to the access control policy that you want to edit.
Step 3
Choose Advanced Settings from the More drop-down arrow at the end of the packet flow line.
Step 4
Click Edit () next to Elephant Flow Settings.
Step 5
The Elephant Flow Detection toggle button is enabled by default. The default setting enables detection only and no default action is configured. The
detection settings allow you to adjust the flow bytes and duration so that you can identify the elephant flows in your system.
As a test setting, configure the flow bytes and duration parameters, as shown in the following figure.
Step 6
Enable the Elephant Flow Remediation toggle button. When an elephant flow is detected, you can choose to bypass or throttle the flow. Bypassing a flow means that
the traffic is allowed to pass without Snort inspection. Throttling indicates that the flow throughput is reduced. This rate
reduction is done in 10 percent increments until the CPU utilization reduces to lesser than the configured threshold.
As a test setting, configure the elephant flow remediation parameters as shown in the following figure.
Step 7
Enable the Bypass the flow toggle button and click the Select Applications/Filters radio button.
Step 8
Under Application Filters, search for and select the WebEx application, add it to the rule, and click Save. This means that WebEx connections are trusted and prioritized and will skip Snort inspection if these WebEx connections
are detected as elephant flows, based on the configured parameters.
Step 9
Enable the Throttle toggle button to throttle the remaining flows (causing duress). This ensures that all the other flows are slowed down in
10 percent increments until the Snort duress condition is met.
After configuring your elephant flow settings, monitor your connection events to see if any flows are detected, bypassed,
or throttled. You can see this information in the Reason field of your connection events. The three types for elephant flow connections are:
Elephant Flow
Elephant Flow Throttled
Elephant Flow Trusted
Procedure
Step 1
Choose Analysis > Connections > Events. You can also view the events from the Unified Events viewer.
Step 2
In the Connection Events page, from the Predefined Search drop-down list, choose Elephant Flows to display elephant flow events.
Tip
To see Elephant Flow Trusted or Elephant Flow Throttled event types, click the Edit Search link on the top-left corner of the page and in the Reason field, choose Elephant Flows in the left panel. Enter Elephant Flow Trusted or Elephant Flow Throttled, depending on what you want to search.
Step 3
View the elephant flow that was detected mid-flow and the Reason field shows Elephant Flow. At the end of the flow, it was bypassed and the Reason field shows Elephant Flow Trusted.
Configure Elephant Flow Remediation Exemption
You can configure L4 access control list (ACL) rules for flows that must be exempted from remediation. If a flow is detected
as an elephant flow and it matches the rules that are defined, that flow is exempted from the remediation action.
Before you begin
You must be running management center 7.4.0 or later and the managed threat defense must also be 7.4.0 or later.
Procedure
Step 1
Choose Policies > Access Control.
Step 2
Click Edit () next to the access control policy you want to edit.
Step 3
Choose Advanced Settings from the More drop-down arrow at the end of the packet flow line.
Click the Add Rule button next to Remediation Exemption Rules.
Step 7
From the list of Available Networks, choose the configured host to exempt from elephant flow remediation. For the purposes of this example, we have created a
host called “Host1_Exception.”
Step 8
Click Add to Source or Add to Destination (as required) to add this host to the source or destination.
Step 9
Click the Ports tab.
Step 10
For the source port, choose Protocol as TCP and enter 80 as the destination port, and click Add.