firewall Module on 6513, too many rules??

rico_hao40
Level 1

I need to add new rules on my FWSM; I use object-groups. Then I used "show access-list" and noticed there are lots of rules under each access-list, as below:

#access-list 111; 1586 elements

#access-list 222; 728 elements

#access-list 333; 1092 elements

Are there too many rules, and might they reduce performance?

Please explain to me the meaning of "deny-flow-max 1024" and "alert-interval 300":

pixfirewall(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

Thanks


wong34539
Level 6

deny-flow-max n

Specifies the maximum number of concurrent deny flows that can be created. (Syslog message 106101 is generated when the firewall has reached the maximum number, n, of ACL deny flows.)

For a firewall with greater than 64 MB Flash memory, the value can be from 1 to 4096, with a default value of 4096. For a firewall with greater than 16 MB Flash memory, the value can be from 1 to 1024, with a default value of 1024. For a firewall with less than or equal to 16 MB Flash memory, the value can be from 1 to 256, with a default value of 256.

alert-interval secs

Specifies the time interval, from 1 to 3600 seconds, for generating syslog message 106101, which alerts you that the firewall has reached a deny flow maximum. In other words, when the deny flow maximum is reached, another 106101 message is generated only if it has been at least secs seconds since the last 106101 message.

If this option is not specified, the default interval is 300 seconds.
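To make the two settings concrete, here is an added Python model of the behaviour the reply describes (this is illustrative code written for this page, not Cisco's implementation): the deny-flow cache holds at most deny-flow-max concurrent denied flows, a new flow that would exceed the limit is not cached and raises syslog 106101, and further 106101 messages are suppressed until alert-interval seconds have passed since the last one. The Flash-size tiers are the ones stated in the reply. The sample flows and timestamps are constructed for the demonstration; the names DenyFlowCache, simulate and deny_flow_max_limit are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Flow key: (src_ip, dst_ip, proto, src_port, dst_port)
Flow = Tuple[str, str, int, int, int]


def deny_flow_max_limit(flash_mb: int) -> int:
    """Upper bound (and default) of deny-flow-max for a given Flash size,
    as stated in the reply: >64 MB -> 4096, >16 MB -> 1024, else 256."""
    if flash_mb > 64:
        return 4096
    if flash_mb > 16:
        return 1024
    return 256


def valid_deny_flow_max(value: int, flash_mb: int) -> bool:
    """True if `value` is within the configurable range for this Flash size."""
    return 1 <= value <= deny_flow_max_limit(flash_mb)


@dataclass
class DenyFlowCache:
    """Model of the ACL log deny-flow cache and 106101 alert throttling."""
    deny_flow_max: int = 1024          # max concurrent deny flows
    alert_interval: int = 300          # seconds between 106101 messages
    flows: Set[Flow] = field(default_factory=set)
    last_alert: Optional[float] = None
    alerts: List[Tuple[float, int]] = field(default_factory=list)  # (time, msg id)
    overflow: int = 0                  # denied flows that could not be cached

    def deny(self, flow: Flow, now: float) -> bool:
        """Record a denied packet for `flow` at time `now` (seconds).
        Returns True if the flow is (or becomes) cached, False if the cache
        is full; a full cache emits 106101 subject to alert-interval."""
        if flow in self.flows:
            return True
        if len(self.flows) < self.deny_flow_max:
            self.flows.add(flow)
            return True
        self.overflow += 1
        if self.last_alert is None or now - self.last_alert >= self.alert_interval:
            self.alerts.append((now, 106101))
            self.last_alert = now
        return False

    def expire(self, flow: Flow) -> None:
        """Remove a flow from the cache (e.g. after its idle timeout)."""
        self.flows.discard(flow)


def simulate(events: List[Tuple[float, Flow]],
             deny_flow_max: int = 1024,
             alert_interval: int = 300) -> DenyFlowCache:
    """Replay (time, flow) deny events in order and return the final cache."""
    cache = DenyFlowCache(deny_flow_max, alert_interval)
    for now, flow in events:
        cache.deny(flow, now)
    return cache


# Constructed sample: 10 distinct denied flows one second apart, then one
# more well after the alert interval has elapsed.
SAMPLE: List[Tuple[float, Flow]] = [
    (float(t), ("10.0.0.%d" % (t + 1), "192.0.2.1", 6, 40000 + t, 22))
    for t in range(10)
] + [(400.0, ("10.0.0.99", "192.0.2.1", 6, 40099, 22))]


if __name__ == "__main__":
    # Deliberately tiny limit so the overflow and throttling are visible.
    c = simulate(SAMPLE, deny_flow_max=4, alert_interval=300)
    print("cached flows:", len(c.flows), "overflow:", c.overflow)
    print("106101 alerts at:", [t for t, _ in c.alerts])
    print("1024 valid on 16 MB Flash?", valid_deny_flow_max(1024, 16))
```

With deny-flow-max 4 and alert-interval 300, the first four flows fill the cache, the fifth (at t=4) triggers 106101, the next five are denied without a new message because less than 300 seconds have passed, and the flow at t=400 produces the second message. A burst of many distinct denied flows therefore shows up as a capped cache plus one 106101 per interval, which is the signal worth alerting on in your syslog collector rather than the raw per-packet denies.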