818 Views | 0 Helpful | 1 Reply

FWSM ACL reached limit

danielnunes (Level 1)

Folks, please, I have an FWSM with 4 contexts, but I couldn't migrate my Checkpoint firewall to Cisco FWSM 4.0.4 because the FWSM reached its limit of up to 100000 lines of ACL.

Has anybody had this problem?

I'm wondering about using the ASA in place of the FWSM.

Accepted Solution

Kureli Sankar (Cisco Employee)

1. Look at sh access-list and see all the 0 hit ones and, if they are not required, remove them.

2. Clean up object groups to reduce the number of ACEs.

3. Re-partition the ACL space and reduce the number of partitions. This will increase the number of ACEs that you can have per partition. This will not double the space, because we need to allocate a backup area which is as big as the biggest partition in 4.0 (or like any other partition in 3.x and earlier), so it will certainly increase, but not exactly double.

4.x command reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/qr.html#wp1656867

hostname(config)# resource acl-partition 4 -------------(I am not sure how many contexts you are planning to add in the future)

This configuration command leads to repartitioning of ACL memory. It will not take effect unless you save the configuration to the startup configuration and reboot.

Changing the number of partitions requires you to reload the FWSM. If you are using failover, you must also reload the other failover unit, because the memory partitions must match on both units.

Traffic loss can occur because both units are down at the same time.

You are right, in the ASA there is no limit. Memory is the limit there.

FWSM 4.x rule limit link:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wp1067359
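As an added example (not code from this thread or from Cisco), a small Python helper for step 1 of the answer above: it parses saved `show access-list` output offline, counts the expanded ACEs (the entries that consume ACL partition space, including those produced by object-group expansion) and lists the ones whose hit counter is zero. The line format and the sample output are assumptions constructed for this example.

```python
import re
from collections import Counter

# One expanded ACE as printed by `show access-list` on FWSM/ASA (assumption: the
# "(hitcnt=N) 0x<hash>" suffix marks an expanded entry; an object-group parent line
# carries no hit counter and is not itself an ACE that consumes partition space).
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)(?:\s+0x[0-9a-fA-F]+)?\s*$"
)

def parse_aces(show_output):
    """Yield (acl, line, rule, hits) for every expanded ACE in the captured output."""
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            yield m["acl"], int(m["line"]), m["rule"], int(m["hits"])

def zero_hit_aces(show_output):
    """ACEs that have never matched traffic since counters were last cleared.
    These are review candidates, not an automatic delete list: a final deny or a
    rarely used DR rule can legitimately sit at zero."""
    return [(acl, ln, rule) for acl, ln, rule, hits in parse_aces(show_output) if hits == 0]

def ace_summary(show_output):
    """Per ACL: (expanded ACE count, zero-hit ACE count)."""
    total, idle = Counter(), Counter()
    for acl, _, _, hits in parse_aces(show_output):
        total[acl] += 1
        if hits == 0:
            idle[acl] += 1
    return {acl: (total[acl], idle[acl]) for acl in total}

# Constructed sample (not from the thread): line 2 uses an object group that
# expands into three ACEs, one of which has never been hit.
SAMPLE = """\
access-list inside_in; 5 elements
access-list inside_in line 1 extended permit tcp any host 10.0.0.10 eq 443 (hitcnt=9812) 0x1a2b3c4d
access-list inside_in line 2 extended permit tcp object-group WEB_SRV any eq 80
  access-list inside_in line 2 extended permit tcp host 10.0.0.11 any eq 80 (hitcnt=55) 0x11111111
  access-list inside_in line 2 extended permit tcp host 10.0.0.12 any eq 80 (hitcnt=0) 0x22222222
  access-list inside_in line 2 extended permit tcp host 10.0.0.13 any eq 80 (hitcnt=7) 0x33333333
access-list inside_in line 3 extended deny ip any any (hitcnt=0) 0x44444444
"""

if __name__ == "__main__":
    for acl, ln, rule in zero_hit_aces(SAMPLE):
        print(f"{acl} line {ln}: {rule}")
    print(ace_summary(SAMPLE))
```

Run it against the saved output of `show access-list` from each context to get the per-ACL expanded count, which is the figure the partition limit actually counts, rather than the number of configured lines.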

