Cisco FTD Container Instance Resize

Overview

I have recently been working with a customer who has been experiencing high CPU utilization on one of their FTD container instances.

They currently have three instances running on a 4110 chassis. Two of the instances have been allocated the default small resource profile, and the third instance, which is for their Internet, was allocated a medium resource profile.

The customer has a 4-gigabit internet pipe, and the 4110 chassis is nearly over-subscribed due to the big increase in traffic since the Coronavirus started. We did attempt to start using IPS functionality on some of their external-facing servers, but unfortunately this tipped the CPU over the edge.

We recently decided to remove the two small instances and move them to physical hardware and reassign all the CPU capacity to the Internet-facing firewall. Below are the steps that I took when resizing the FTD containers.

Plan

The customer has two separate datacentres with four 4110 chassis, two per datacentre, with all instances in HA Active-Standby pairs.

The easiest way to carry out the container resize is to carry out an HA failover from the FMC, resize the now-standby unit, and then fail back and complete the same process.

Create Resource Profile

To create the new resource profile, log in to the FXOS chassis and go to Platform Settings. Once that has loaded, click Resource Profiles in the side menu.

Click the add button on the top right and you will be presented with the following box. In our case, we wanted to specify 22 cores.

Once the above is complete, we need to disable the primary container instance and then assign the new resource profile. To do this, go back into Logical Devices and disable the instance by using the blue tick box on the right-hand side; disabling takes a few minutes. Once the unit is disabled, assign the new resource profile by using the pencil icon on the right-hand side.

In the image below, select “click here to configure”.

It will then open another box which is shown below where you can select the new resource profile from the drop-down menu.

Then hit save and enable the instance again by using the blue tick box in Logical Devices.

Go into the FMC and keep refreshing the High Availability sync until the device is back online and in sync. The FMC will flag up warnings saying that the resource profiles are different on the units. This will disappear once you have completed the same process on the secondary unit.
