Folks, please I have a FWSM with 4 contexts but I couldn't migrate my checkpoint Firewall to Cisco 4.0.4 FWSM because FWSM reached limit up to 100000 lines of the ACL.
Anybody had this problem?
I wondering about the use of the ASA in place of the FWSM.
1. look at sh access-list and see all the 0 hit ones and if they are not
required remove them.
2. clean up object groups to reduce the number of ACEs.
3. re-partition the acl space and reduce the number of partitions. This will
increase the number ACE that you can have per partition. This will not
double the space because we need to allocate a backup area which is as big as the biggest partition in 4.0 or like any other partition in 3.x and earlier so, it will certainly increase but, not exactly double.
4.x command reference:
hostname(config)# resource acl-partition 4 -------------(I am not sure how
many contexts you are planning to add in the future)
This configuration command leads to repartitioning of ACL memory. It will
not take effect unless you save the configuration to startup configuration
Changing the number of partitions requires you to reload the FWSM. If you
are using failover, you must also reload the other failover unit because the
memory partitions must match on both units.
Traffic loss can occur because both units are down at the same time.
You are right, in the ASA there is no limit. Memory is the limit there.
FWSM 4.x rule limit link: