firewall object groupings

Unanswered Question
Sep 14th, 2009
User Badges:


Concept of object grouping is used in firewall to have the group of host/services involved in logically single rules instead of varied lines.

Now it is seen that ACE uses only single line no. to define each object grouped rule until there is a change.

But even this way, the actual no. of lines would still be large enough degtermined by the no. of hosts or services in the object group.

Does this have any bearing on the extra lines firewall will have to parse thru.or is it simply for easier admin control.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kureli Sankar Mon, 09/14/2009 - 18:51
User Badges:
  • Cisco Employee,

Absolutely the firewall needs to parse through all of these lines. If there are huge number of ACE then, as soon as you load that config memory consumption will be high and in case of the FWSM there are a few known issues relating to CPU spikes due to acl compilation. It is always a good idea to have your highest hit ACE in the top of the list.

suthomas1 Mon, 09/14/2009 - 22:03
User Badges:

So, grouping is more as a tool for easier admin control rather than reducing the line count of ACE on the firewall.



This Discussion