Cisco Security Analytics and Logging Ordering Guide

White Paper

Updated: June 11, 2021


1. Introduction

1.1 Purpose, Audience, and Scope

Purpose: This document describes the offer structure, required components, and the procedure to order Cisco® Security Analytics and Logging (SAL). The SAL offer has two distinct delivery mechanisms, as shown below:

     A cloud-delivered, Software-as-a-Service (SaaS) offering with a cloud-native data store, referred to as SAL (SaaS)

     An on-premises appliance-based software application with an on-premises data store, referred to as SAL (On prem)

Audience: Cisco sales teams, Cisco Security Specialized Partners, and Cisco customers.

Scope: This ordering guide covers the following:

     Cisco Security Analytics and Logging Overview

     Cisco Security Analytics and Logging Licensing Structure

     Ordering Security Analytics and Logging via Cisco Commerce Workspace (CCW)

     Security Analytics and Logging Software Support

1.2 Cisco Security Analytics and Logging Overview

Cisco Security Analytics and Logging provides scalable central log management for streamlining information technology operations, forensics, and threat investigation, as well as detecting advanced threats by identifying suspicious patterns of traffic within customers’ network environments, using metadata generated from traffic traversing the network. The supported sources of traffic include event logs from Cisco’s Firewalls, which can be combined with flow logs from internal network elements and public cloud infrastructure for enhanced end-to-end visibility. This functionality therefore provides aggregated analysis by correlating logs generated at the perimeter, private network, and public cloud infrastructures. Other contextual information supplements these suspicious patterns to improve the overall threat posture, and establish specific threat levels associated with observed activities and/or traffic flows. This process is described as “behavioral threat detections.”

Behavioral threat detection algorithms use traffic metadata, rather than actual packet contents, to alert users to indicators of compromise. SAL detects anomalous behaviors symptomatic of threats that have bypassed perimeter and signature-based defenses. Typical examples include, but are not restricted to, unknown (zero-day) malware, insider threats resulting from stolen credentials or bad actors, or any traffic patterns that do not conform to the normal behavior of entities. In this manner, threats that have breached perimeter defenses using an encrypted payload can also be exposed.

SAL (SaaS) is a mature full-feature offering providing cloud-based and cloud-delivered log management for Next-Generation Firewalls (NGFWs) running Cisco Firepower® Threat Defense (FTD) software, as well as devices running the Adaptive Security Appliance (ASA) software, independent of their management platform. SAL (SaaS) enables event viewing via APIs in Cisco Defense Orchestrator (CDO) for firewall event logs, including logs emitted by devices not managed by CDO. Refer to the Getting Started Guide for more details. Higher-level SAL (SaaS) licenses enable advanced security analytics for detecting suspicious or malicious traffic patterns from firewall logs, with the option to aggregate them with internal network and/or public cloud logs. Security alerts are visible in Cisco Secure Cloud Analytics (SCA), enabled through a cross-launch from CDO using Cisco’s Secure Sign-On (SSO). This advanced threat detection capability is only available in SAL (SaaS) today through the cloud data store. Users of SAL (SaaS) get the right to use SCA and CDO for logging- and analytics-related outcomes, respectively, without the need for separate licenses for these two cloud products.

SAL (On prem) provides scalable data storage in the customer’s own premises, and currently supports FTD event logs generated by Cisco’s NGFW and NGIPS devices. The solution is hosted on Cisco Secure Network Analytics (SNA) appliances, in either hardware or virtual editions. The appliances hosting SAL (Op) integrate with FMC via APIs in a manner in which FMC logging and analysis capabilities can leverage this external data store to greatly extend and exponentially enhance FMC’s own scale of operations. A configuration wizard in the FMC greatly simplifies the process to log to SAL (Op) or SAL (SaaS). Support for FTD-Data Plane and ASA syslog is scheduled for the fall of 2021, subsequent to which aggregation will also be possible in SAL (On prem).

1.2.1 Required components and setup to run Cisco Security Analytics and Logging (SaaS):

     Secure Event Connector: To capture Firewall Event Logs from on-premises or cloud deployments, a Secure Event Connector (SEC) is needed. The SEC is a containerized application that can be installed on an on-premises or cloud Secure Device Connector (SDC), or even be set up to run in standalone mode. It receives events from Firepower Threat Defense (FTD) devices and Adaptive Security Appliance (ASA) devices and forwards them to Cisco SAL in the cloud. Installation instructions can be found here. While SEC remains the most scalable route to send logs to SAL (SaaS), firewall devices running Cisco Firepower version 6.5 or later can send event logs directly to SAL Cloud, without the need for an SEC. This capability has been found to reliably support sustained peak rates of up to 8,500 events per second (eps) per firewall device. The Cisco Firewall Management Center (FMC) version 7.0 supports this direct-to-cloud route of devices under its management through its “Integrations” settings.

     Secure Cloud Analytics On-Premises Sensor: To capture Private Network Monitoring (PNM) telemetry from on-premises endpoints, a Secure Cloud Analytics virtual sensor is needed to collect network flow data from network elements and send it to Secure Cloud Analytics. The Virtual Appliance (VA) is available as an ISO file, which contains the necessary SCA packages as part of an Ubuntu Linux image. A separate email is sent to the customer after provisioning with instructions on how to get the sensor software. There is no additional charge for this sensor agent. The Secure Cloud Analytics reference guide covers additional options for installing and configuring the VA.

Note: The SCA on-premises sensor is needed only for the highest-tier license, Total Network Analytics and Detection (TA).

1.2.2 Required components and setup to run Cisco Security Analytics and Logging (On Premises):

     Secure Network Analytics (SNA) Appliances: SAL (On prem) can be hosted on either of two deployment architectures:

    Single-Node: A dedicated and repurposed SNA Manager SMC-2210-K9 that must not have any Flow Collectors associated with it, or the SAL application installation will fail. The hardware appliance can be purchased as detailed in the Stealthwatch Ordering Guide. Alternatively, SAL can run on a Virtual SNA Manager, accessible as a free download by navigating to Cisco Software Central and following the path: Security > Network Visibility and Segmentation > Stealthwatch > Stealthwatch Management Console Virtual Appliance > Stealthwatch System Software – 7.3.1 or later. The recommended specifications of the virtual machine to meet scale specifications of SAL (On prem) are found here.

    Multinode: An SNA Manager SMC-2210-K9, SNA Flow Collector FC-4210-K9, and SNA Data Store DS-6200-K9, which can be purchased as detailed in the Stealthwatch Ordering Guide. Alternatively, SAL can run on virtual appliances, accessible as a free download by navigating to Cisco Software Central and following the path: Security > Network Visibility and Segmentation > Stealthwatch > Stealthwatch XXX Virtual Appliance > Stealthwatch System Software – 7.3.2 or later. The recommended specifications of the virtual machine hosting the appliances to meet scale specifications can be found in the documentation here.

     Security Analytics and Logging (On prem) Application: An SAL (On prem) application needs to be installed on the SNA management console and is available as a free download from Cisco Software Central by following the path: Security > Network Visibility and Segmentation > Stealthwatch > Stealthwatch Management Console Virtual Appliance > App Security Analytics and Logging On Prem.

1.2.3 Security Analytics and Logging Licenses:

Separate Cisco Security Analytics and Logging Licenses are available for both SAL (SaaS) and SAL (On prem). The licenses are usage based, metered on the daily uncompressed volume of data (GB/day) made available to SAL for storage and analysis, either in the cloud or on-premises. SAL (SaaS) licenses are provisioned to a CDO and SCA tenant for which logging and analytics are needed, while SAL (On prem) licenses are tracked against entitlement in the customer’s Cisco Smart Account. SAL (SaaS) licenses provide the right to use CDO for log viewing and SCA for log analysis without the need to subscribe to these products separately, while SAL (On prem) licenses provide the right to use SNA without the need for any other software licenses. The SAL licenses are themselves available in three classes or tiers, and follow a nested structure detailed in Section 2.

1.3 Estimating Daily Volume (GB/day) Required

A daily volume estimator has been designed to help customers estimate the daily volume (GB/day) required for their Firewall logging needs. This tool estimates logging data volume for licensing both SAL (SaaS) and SAL (On prem), as well as bandwidth throughput requirements based on the most common traffic mixes and network conditions for an average deployment. The tool takes events per second (eps), firewall models, throughput, or connections rate as an input, and outputs license volume. Actual logging volumes needed may vary materially from the tool’s output, based upon actual traffic composition, protocols used, and other deployment factors.

Note: The Firewall logging estimator is based on uncompressed logging volume in Gigabytes per day (GB/day) made available to SAL for storage and analysis. Since the volume recommended by the estimator tool may differ materially from actual volume for the reasons stated above, the best way to estimate the logging volume to be licensed is to use the no-commitment 60-day free trial for SAL (SaaS), or to run the 90-day evaluation for SAL (On prem).

2. Security Analytics and Logging Licensing Structure (a la Carte) in CCW

Figure 1. Example of a Cisco Security Analytics and Logging a la carte PID (Product Identifier) in Subscription Billing Platform on CCW

2.1 Security Analytics and Logging Licenses

The Cisco Security Analytics and Logging licenses are available in three tiers and follow a nested model in which a specific license contains all features of all lower-level licenses. Each license quantity entitles the user to send a volume of 1 GB/day for the term of the subscription, which could be 1-, 3-, or 5-year terms. SAL (SaaS) licenses come with 90 days of rolling cloud retention by default. For example, 10 GB/day volume comes with 900 GB of 90-day rolling storage, which means that on the 91st day, the 1st day’s logs are replaced by the 91st day’s logs, and so on for the full term of the subscription. The log retention period can optionally be extended to 1, 2, or 3 years for an additional charge. Data received above the daily volume does not result in data being throttled, but instead may produce an overage bill if the daily average is exceeded in aggregate over the period of a full calendar month. SAL (On prem) currently only offers the lowest tier license of Logging and Troubleshooting, with retention being a function of logging rate and storage allocated.

2.1.1 License Logging and Troubleshooting

The Logging and Troubleshooting License provides log storage and enables drill-down using advanced search and filter capabilities in an event viewer, and is available for both SAL (SaaS) and SAL (On prem) offerings. Cloud storage in SAL (SaaS) entitles the user to 90 days of rolling retention based on ingest rate, whereas on-premises log retention is a function of logging rate and storage space available on the appliances. The SaaS license presents its outcomes in CDO through the “Event Logging” tab nested under the “Monitoring” menu, whereas the on-premises license supports remote query by the FMC, and provides an aggregated viewer in the SNA Manager under the Dashboard tab. This and all subsequent SAL (SaaS) licenses leverage the Secure Event Connector (SEC) covered in section 1.2.1 for sending Firewall logs to the cloud, although devices running Firepower version 6.5 or later can send events directly to the cloud without the SEC. The a la carte Product Identifier (PID) of this license is SAL-CL-LT-1GB or SAL-OP-LT-1GB for Cloud and On prem, respectively, and the Cloud overage a la carte PID is SAL-CL-LT-OVRG. The equivalent Firewall bundle PIDs are SEC-LOG-CL and SEC-LOG-OP, and the equivalent Security Choice Enterprise Agreement (Choice EA) Cloud PID is E2SF-S-SAL-ESS.

2.1.2 License Logging Analytics and Detection

Currently available only with SAL (SaaS), this license provides Secure Cloud Analytics’ best-in-class behavioral threat detections, applied on firewall logs ingested as part of the license. This license presents its outcomes through the Security Analytics tab nested under the Monitoring tab of the CDO UI, by cross launching the user into an instance of Secure Cloud Analytics, access to which is included at no extra charge with this license. Alternatively, users can log in directly to the SCA instance/tenant associated with their license. The expansion a la carte PID of this license is SAL-CL-LA-1GB, the Firewall Attach PID is SEC-ANYL-CL, and the associated a la carte Cloud overage PID is SAL-CL-LA-OVRG. The equivalent Choice EA PID license is E2SF-S-SAL-ADV.

2.1.3 License Total Network Analytics and Detection

Currently available only with SAL (SaaS) a la carte, this license applies Secure Cloud Analytics’ behavioral-based detections on both log data and Internal Network telemetry and presents its outcomes by cross-launching the user into an instance of Secure Cloud Analytics in a similar manner to the previous license. In addition, this license analyses network telemetry of up to 10 endpoints per 1 GB/day of log volume purchased. For example, a volume of 10GB/day includes a daily volume of 10GB of logs, plus 10GB/day X 10 = 100 endpoint support for Private Network Telemetry. The storage taken by the private network telemetry does not come out of the log storage purchased in GB/day volume but is priced into this license and does not contribute toward the daily volume, storage used, or overage calculation. The network telemetric data leverages the Secure Cloud Analytics Virtual Connector for sending private network telemetry to the cloud, in addition to the SEC used for Firewall log data. The expansion PID of this license is SAL-CL-TA-1GB, with volume discount built in for higher quantities, and the associated overage PID is SAL-CL-TA-OVRG. The equivalent Choice EA PID for this license is E2SF-S-SAL-PREM.

2.1.4 Overage for a la carte SAL (SaaS) License Only

The daily rate purchased for any SAL license does not throttle ingest when the limit is reached, but in the case of SAL (SaaS) only, the overage may trigger a monthly bill in arrears, spread across a subscription applied across multiple tenants. The overage measure is aggregated over the entire calendar month, to allow daily peaks to be averaged out. For example, a 10GB/day daily volume entitles the license holder up to 300GB of logs for a month of 30 days. Therefore, if 330 GB of data was sent during the month, an overage bill of 1GB/day [(330GB–300GB)/30 days] may be produced for that month. To help estimate the amount of daily volume for various configurations, an estimator tool has been provided based on average events emission rates, as well as a 60-day trial that can be used to assess requirements.

2.1.5 Extending Log Retention in SAL (SaaS)

Cloud storage does not need to be purchased separately but is entitled for 90 days on a rolling basis at the licensed daily volume at no additional cost. This means that a 10GB/day daily volume comes with 90 X 10GB/d = 900 GB total of rolling storage for logs. On the 91st day, the 1st day’s logs are purged, and so on for the term of the license. In addition to the 90-day default log retention, an option has been provided to extend the log retention period to 1, 2, or 3 years. Customers who choose this option will be able to retain their logs for the desired duration for an extra charge. This extended log retention dataset is available for download to the user’s local disk. The a la carte expansion PID of this license is SAL-CL-1GB-(1/2/3)Y-EXTN, the equivalent Choice EA PID is E2SF-S-SAL(E/A/P)-EXTN-(1,2,3)Y, and the Firewall Attach bundle PID is SEC-CL-DR-(1/2/3)YR.

2.1.6 Secure Cloud Analytics Add-on Licenses (Optional)

Since the Firewall logs and Endpoint Traffic Analytics capability for SAL (SaaS) are provided by Secure Cloud Analytics, customers can optionally order additional endpoint monitoring licenses, or include public cloud monitoring licenses within the same instance of their SAL tenant in SCA. This add-on option thus provides ease of monitoring additional endpoints and/or public cloud effective mega flows of Secure Cloud Analytics within SAL tenants. Refer to Sec 2.3 of the Secure Cloud Analytics Ordering Guide for Secure Cloud Analytics license details.

3. Ordering Cisco Security Analytics and Logging

3.1 Ordering a la Carte via CCW’s Subscription Billing Platform

SAL is available for ordering a la carte through Cisco Commerce using the appropriate subscription part number.

a.     Begin by searching for the Cisco Security Analytics and Logging Product ID: SAL-SUB

b.    From the subscription configuration:

c.     Select the requested start date for the term.

d.    Select the desired term length. The default selection is 36 months; 1-, 12-, 24-, and 60-month terms are also available. For month-to-month subscriptions, a 1-month initial term must be selected.

e.    Select the desired auto-renewal term. The default selection is 12 months; 36 months, 60 months, and “Do Not Auto Renew” options are also available. Click Apply.

f.      Next the user is presented with a choice between Cloud Data Store or On-Premises Data Store, with an option for Cloud Data Store selected by default, which indicates that logs will be stored in the cloud. This can be changed to On-Premises Data Store by clicking on the tab on the lower end of the screen. For SAL (SaaS), select Cloud Data Store.

g.    Expanding the Cloud Data Store section presents the user with the three licensing options for SAL (SaaS), and any volume selected in the quantity box next to the desired license will default to the rolling retention period of 90 days. Only one of the 3 license options needs to be selected, as the licenses are nested. The extended retention period of 1, 2, or 3 years can be selected as an add-on option, should the default 90 days of rolling storage not suffice.

h.     Finally, the user may want to order Secure Cloud Analytics licenses, which will allow use of the same SCA portal for analyzing Firewall, Private Network, and/or Public Cloud Logs. That optional selection shows up underneath the Retention Period selection, and should be used if the use case requires logs from the different sources to be correlated in the same SCA portal for analysis and threat detection. Further, a zero-dollar services PID is attached, as can be seen in the summary view on the right.

i.      Choosing any of the daily volumes automatically populates the billing price PIDs and includes an overage PID. This functionality allows production of an overage bill at the end of each calendar month, to be used if the daily volume is exceeded in aggregate over the calendar month. Following are the expansion PIDs for the various SAL licenses:

(i)   SAL-CL-LT-1GB: License Logging and Troubleshooting for 1GB/day.

(ii)   SAL-CL-LA-1GB: License Logging Analytics and Monitoring for 1GB/day.

(iii)  SAL-CL-TA-1GB: License Total Network Analytics and Monitoring for 1GB/day.

(iv)  SAL-CL-LT-OVRG: Usage-based overage PID for License Logging and Troubleshooting, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.

(v)  SAL-CL-LA-OVRG: Overage PID for License Logging Analytics and Detection, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.

(vi)  SAL-CL-TA-OVRG: Overage PID for License Total Network Analytics and Monitoring, not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.

j.      On choosing the license type and quantity, the selection for log retention is presented, with a 90-day default available for no extra charge, while the 1-, 2-, and 3-year retention periods are optional add-on PIDs:

(i)   SAL-CL-1GB-1Y-EXTN: 1 year of logs retention (up from default of 90 days).

(ii)   SAL-CL-1GB-2Y-EXTN: 2 years of logs retention (up from default of 90 days).

(iii)  SAL-CL-1GB-3Y-EXTN: 3 years of logs retention (up from default of 90 days).

k.     The last optional step for order completion is to indicate the desired Secure Cloud Analytics Public Cloud Monitoring (PCM) or Private Network Monitoring (PNM) licenses needed. This allows provisioning of the SCA PNM or PCM tenant to be the same as the SAL tenant. The PIDs for Secure Cloud Analytics are:

(i)   ST-CL-PCM: Secure Cloud Analytics Public Cloud Monitoring License in effective mega flows.

(ii)   ST-CL-PNM: Secure Cloud Analytics Network Cloud Monitoring License in endpoints monitored.

When the order configuration is complete, select the Done button at the bottom.

l.      The process of ordering SAL (On prem) is similar for the Logging and Troubleshooting license, with one significant difference: only the Logging and Troubleshooting license is available in the On-Premises Data Store. The licensing capacity is also based on GB/day, but separate data retention PIDs are not available. This is because data retention is a function of the logging rate and appliance capacity, and not fixed as with the Cloud Data Store.

m.   SAL-OP-LT-1GB: License Logging and Troubleshooting for 1GB/day. This is the only on-premises data store license available that allows scalable log storage and supports remote query by the FMC. A zero-dollar services PID is attached, as seen in the summary view on the right.

3.2 Discounted Bundling When Attaching with Firewall Subscriptions via CCW

SAL is available for order through Cisco Commerce while ordering firewalls as follows:

a.     Begin by navigating to the firewall model to be ordered (FPR1150-NGFW-K9, for example).

b.    Make your software choice under the “Subscriptions” category at the top (wherever present) and navigate to the “Extended Logging and Analytics” category below.

c.     You are presented with two options to the right: “On-Premises Data Store” or “Cloud Data Store.” Only one option can be selected per firewall being ordered, with either the same or different subscription term as the firewall subscription.

d.    The “Cloud Data Store” option allows selection of either the “Logging License,” SEC-LOG-CL, or the “Logging Analytics License,” SEC-ANYL-CL. Only one option needs to be chosen, as the Logging License is nested under Logging Analytics.

e.    Choosing any one of the two options will attach a default logging volume in GB/day for that firewall model, based on expected daily volume per the Estimator Tool. Logging rate comes with a default retention of 90 days rolling storage.

f.      The last three optional licenses are Data Retention extensions, which extend log retention to 1, 2, or 3 years in the cloud.

g.    If SAL (Op) is desired, the “On-Premises Data Store” tab allows choosing the base Logging and Troubleshooting license, SEC-LOG-OP. This license supports remote query by FMC and is hosted on SNA appliance(s), as detailed in section 1.2.2.

h.     The process for bundling Extended Logging and Analytics for the Firewall FPR9K series devices is different, as the Security Modules (SM) configured as part of the order determine the Logging quantity required. The Logging quantities needed are 190, 225, and 257 GB/day for each SM-40, SM-48, and SM-56, respectively, and this quantity needs to be entered manually for the Extended Logging and Analytics licenses. The system will display a warning of the logging quantities required for each Security Module, as shown below:

[Figure: warning showing the logging quantities required for each Security Module]

3.3 Security Buying Programs

The offer leverages the Security Choice Enterprise Agreement buying program with the following PIDs:

Table 1. The mapping for Choice EA PIDs to SAL (SaaS) a-la-carte PIDs

| Choice EA SAL PIDs | Equivalent a la carte PIDs | Description |
|---|---|---|
| E2SF-S-SAL-ESS | SAL-CL-LT-1GB | Security EA 2.0 SAL, Logging and Troubleshooting (LT) |
| E2SF-S-SAL-ADV | SAL-CL-LA-1GB | Security EA 2.0 SAL, Logging Analytics & Detection (LA) |
| E2F-S-SAL-PREM | SAL-CL-TA-1GB | Security EA 2.0 SAL, Total Network Analytics and Detection (TA) |
| E2SF-S-SALE-EXT-1YR, E2SF-S-SALA-EXT-1YR, E2SF-S-SALP-EXT-1YR | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 1Yr Storage Ext Pk-1GB |
| E2SF-S-SALE-EXT-2YR, E2SF-S-SALA-EXT-2YR, E2SF-S-SALP-EXT-2YR | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 2Yr Storage Ext Pk-1GB |
| E2SF-S-SALE-EXT-3YR, E2SF-S-SALA-EXT-3YR, E2SF-S-SALP-EXT-3YR | SAL-CL-1GB-1Y-EXTN | Sec EA2.0 SAL 90 Days to 3Yr Storage Ext Pk-1GB |

For the most up-to-date information regarding product inclusion and ordering processes, please visit https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.

4. Cisco Services

4.1 Cisco Software Support for Security Analytics and Logging

The basic support option of Cisco Software Support for Security is available for Cisco Security Analytics and Logging subscriptions in CCW. SAL (SaaS) embeds basic online foundational support for the full term of the purchased software subscription, including access to support through online tools or email. Cisco will respond to a submitted case no later than the next business day during standard business hours.

When a Cisco Security Analytics and Logging subscription is ordered, basic support is embedded as part of that subscription. It is not a separate orderable service. No additional products or fees are required for both the SaaS and on-premises subscription. For more information about Cisco Software Support for Security, refer to the service description.

Table 2. PIDs for Basic Services–Transaction

| Service PID | Description | Price |
|---|---|---|
| SVS-SAL-SUP-B | Basic embedded software support for SAL (SaaS) in CCW | $0 |
| SVS-SAL-OP-SUP-B | Basic embedded software support for SAL (On prem) in CCW | $0 |
| SVS-EA2-SAL-SUP-B | Basic software support in Choice EA | $0 |

5. Cisco Capital Financing

The significant benefits offered by Cisco Security Analytics and Logging make it the natural choice for network security. As with any technology investment, the question is its affordability. The answer is Cisco Capital® financing. Whether through flexible repayments to match expenditure to benefit and help mitigate cash flow issues, or an operating lease to help negate capital expenditure, we can provide the financing solution that works best for your customers.

Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help our customers and partners:

     Achieve business objectives

     Accelerate growth

     Acquire technology to match current strategies and future needs

     Remain competitive

Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars. It serves more than 100 countries, so that regardless of location, customers and partners have access to a trusted means to secure Cisco products and services.

For more information about Cisco Capital financing, visit https://www.ciscocapital.com/ (for channel partners) and https://www.in.cisco.com/FinAdm/csc/ (for Cisco sales teams).

6. Expected Retention Period

The expected retention period for the SAL service under average deployment conditions (see note below table) is as follows:

Table 3. Retention Matrix

Expected retention period in days (under average deployment conditions)

| Sustained Firewall Events per Second (eps) | Equivalent GB/day | On-premises: Single node* 1TB Storage | On-premises: Single node 2TB Storage | On-premises: Single node 4TB Storage | On-premises: Multi-node** Virtual | On-premises: Multi-node HW | Cloud |
|---|---|---|---|---|---|---|---|
| 5,000 | 562 | 50 | 100 | 200 | 300 | 600 | Up to 3 years (Single SEC); Up to 3 years (Multi-SEC); Up to 3 years (Direct-to-Cloud). Not recommended when individual device’s logging rate exceeds 8,500 eps |
| 10,000 | 1,123 | 25 | 50 | 100 | 150 | 300 | |
| 20,000 | 2,246 | 12.5 | 25 | 50 | 75 | 150*** | |
| 50,000 | 5,616 | NA | NA | NA | 30 | 60 | |
| 75,000 | 8,424 | NA | NA | NA | NA | 40 | |
| 100,000 | 11,232 | NA | NA | NA | NA | 30 | |
| 200,000 | 22,464 | NA | NA | NA | NA | NA | NA |

Note: The on-premises log retention periods in days above are based on average deployment conditions, and may vary materially in different production environments.

* Single-node = Repurposed SMC 2210 (HW or Virtual)
** Multi-node = SMC 2210 + FC 4210 + DS 6200 (All appliances HW or Virtual)
*** Compare FMC native logs retention ½ day @ 20,000 peak eps
