PIX-ACLs order

c.bernhardt
Level 1

Hello,

A year ago, there was a conversation here about the question of the order in which PIX ACLs are applied.

There were some different opinions about this.

Are they applied on a first-match basis like IOS ACLs, or on a best-fit basis?

I remember that someone said that the old 'conduit' statements were applied on a best-fit basis.

Is this right? And what does 'best-fit' mean?

And what about the ACLs?

If they are not applied 'first-match', it wouldn't make sense to give them an order in the PDM.

Another question: I wonder how the PDM can add rules in the middle of the access-list without interrupting the traffic. In IOS ACLs without sequence numbers, I have to rewrite the whole ACL to change a line in the middle.

scoclayton
Level 7

conduits - best-fit

ACLs - first match

Best-fit means that the PIX will scan all conduits and pick the one that *best* matches the traffic (source/destination/ports etc...).

The PIX does not run IOS. You can remove one line from an ACL without removing the entire ACL.

Scott

After thinking about this a little more, I wanted to address the last portion with a little more detail to make sure I was completely accurate to anyone who may read this later on. I don't think this is necessary for the question originally asked.

ACLs are indeed order-dependent. The PIX CLI doesn't allow us to insert or modify an ACE (access-list entry) in the middle of an ACL. To preserve the order of ACEs when inserting a rule, PDM first deletes all the rules (ACEs) behind the insert point, adds the new rule, and re-applies the deleted rules. When you do it at the top of the list, lots of CLI commands may get generated. The same thing happens when PDM updates a rule. Assume you have 1000 ACEs in an ACL: adding a single rule at the top will cause PDM to generate 2001 CLI commands. Currently PDM opens one TCP connection per CLI command. It takes a while for all of these commands to be pushed to the PIX, and it will have an impact on traffic currently passing through the PIX.

For clarity's sake.

Scott
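As an added example (not code from the thread or from Cisco), the following simulation contrasts the two matching semantics Scott describes (conduits pick the best fit, ACLs take the first match) and reproduces the CLI command count PDM generates when it inserts an ACE into a list that has no line numbers. The rule representation, the specificity scoring and the sample addresses are constructed for illustration.

```python
"""Constructed model of PIX conduit (best-fit) vs ACL (first-match) evaluation
and of PDM's delete/insert/re-add sequence on a PIX without ACE line numbers."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # CIDR prefix, e.g. "10.0.0.0/8"
    dst: str               # CIDR prefix, "0.0.0.0/0" means any
    dport: Optional[int]   # None means any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src, strict=False)
                and ip_address(dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == dport))

    def specificity(self) -> int:
        # Assumed scoring: longer prefixes and an explicit port are "more specific".
        return (ip_network(self.src, strict=False).prefixlen
                + ip_network(self.dst, strict=False).prefixlen
                + (1 if self.dport is not None else 0))


def first_match(acl: List[Ace], src: str, dst: str, dport: int) -> str:
    """ACL semantics: the first ACE that matches decides; implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst, dport):
            return ace.action
    return "deny"


def best_fit(conduits: List[Ace], src: str, dst: str, dport: int) -> str:
    """Conduit semantics: scan every entry, the most specific match wins."""
    hits = [c for c in conduits if c.matches(src, dst, dport)]
    return max(hits, key=Ace.specificity).action if hits else "deny"


def pdm_insert(acl: List[Ace], index: int, new: Ace) -> Tuple[List[Ace], int]:
    """Emulate PDM: remove every ACE from the insert point down, add the new ACE,
    then re-add the removed ones. Returns the new ACL and the CLI command count."""
    tail = acl[index:]
    commands = len(tail) + 1 + len(tail)   # 'no' lines + insert + re-adds
    return acl[:index] + [new] + tail, commands


# Constructed sample rules: a broad permit and a narrower deny for telnet.
PERMIT_ANY = Ace("permit", "10.0.0.0/8", "0.0.0.0/0", None)
DENY_TELNET = Ace("deny", "10.1.1.0/24", "0.0.0.0/0", 23)
```

With the same two entries, first-match permits telnet from 10.1.1.5 when the permit is listed first, while best-fit denies it regardless of order; inserting at the top of a 1000-entry ACL yields the 2001 commands Scott quotes.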

Interesting stuff. Now, what about object-groups: if you have an ACL referring to an object-group and you remove a host from that object-group, does it just insert or remove the object, or redo the whole thing?

Will PDM ever be updated to use the line-element editing capability introduced in 6.3.x, vs. redoing the whole thing for every little change?

Well, for your example, PDM will just remove the particular ACE that corresponds to the object in the object group that you removed. But in most cases where you would be modifying an object group rather than removing a particular object from it, it has to redo the whole thing. You have to remember that object groups are nothing more than an easier way to represent a group of whatever for ease of configurability. In the PIX, each ACE is still listed one by one, so if one ACE needs to be removed, the line and everything below it is removed and then re-added, as stated in the earlier post.

Not sure about PDM being updated for the line editing capability in later PIX OS. I would imagine so, but I cannot be sure until the next version comes out.

Does this help?

Scott

When I have a large rulebase and I am editing rules at the top, it may take seconds until the PDM has cleared and rewritten all the rules below.

Does this have an impact only on new connections?

What about existing stateful TCP connections at this time?

Yes, the impact is only on new connections. After a connection is established through the PIX initially, the ACL is not applied to subsequent packets on that same connection. This gives the PIX an added edge in performance.

Scott

Thanks, it's good to get a better understanding of what goes on in the background.

Scott,

If I may, I have a point that I wish for you to qualify in your statement. To quote a passage from the above: "PIX CLI doesn't allow us to insert or modify an ACE (access-list entry) in the middle of an ACL". If you are running PIX 6.3, it allows for line editing, I believe, whereby you can insert or modify an ACL at any line number that you so choose.

For clarity,

Steve

Steve,

No problem, and you are correct. However, PDM does not have the ability (yet) to utilize the line numbering feature when modifying ACLs. It has been a few days, but I think my answers were in relation to how PDM modifies ACLs on the PIX. Does this sound OK?

Scott

No worries, Scott. I thought that Cisco had thrown a red herring in there for a minute. Very interesting point regarding the PDM, though; not quite as efficient as the CLI, it would seem.