09-14-2009 05:17 PM - edited 03-11-2019 09:15 AM
Gurus,
Concept of object grouping is used in firewall to have the group of host/services involved in logically single rules instead of varied lines.
Now it is seen that ACE uses only single line no. to define each object grouped rule until there is a change.
But even this way, the actual no. of lines would still be large enough degtermined by the no. of hosts or services in the object group.
Does this have any bearing on the extra lines firewall will have to parse thru.or is it simply for easier admin control.
Thanks.
09-14-2009 06:51 PM
Absolutely the firewall needs to parse through all of these lines. If there are huge number of ACE then, as soon as you load that config memory consumption will be high and in case of the FWSM there are a few known issues relating to CPU spikes due to acl compilation. It is always a good idea to have your highest hit ACE in the top of the list.
09-14-2009 10:03 PM
So, grouping is more as a tool for easier admin control rather than reducing the line count of ACE on the firewall.
Thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide