https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969529#M144552 <P>I was able to find more information on ACL recommended maximums in a cisco live session titled "Maximizing Firewall Performance". (2015)</P> <P><IMG width="684" height="91" alt="" src="https://community.cisco.com/legacyfs/online/attachments/discussion/acl-max.png" /></P> <P>Based on your platform you should be able to handle 200.000 ACEs. To verify your current number of ACE please execute the following command and post the output:</P> <PRE class="prettyprint">ASA# show access-list | include elements</PRE> <P>Depending on your output (count &lt; 200k) please execute the following commands and&nbsp;post the output</P> <PRE class="prettyprint">ASA# show version<BR />ASA# show memory<BR />ASA# show memory detail<BR />ASA# show memory app-cache<BR />ASA# show resource usage<BR />ASA# show resource usage detail<BR />ASA# show traffic<BR />ASA# show blocks<BR />ASA# show cpu core<BR />ASA# show cpu detail</PRE> Wed, 30 Nov 2016 18:36:20 GMT Oliver Kaiser 2016-11-30T18:36:20Z https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969526#M144547 <P>Hi Team,</P> <P>&nbsp;</P> <P>We are in the process of migration from checkpoint to ASA with firepower services wherein the customer has more than one lakh rules that needs to be migrated to Cisco platform. Is there any documentation for referring the maximum rules count supported on our platform?</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,</P> <P>Yogesh Madhekar</P> Tue, 12 Mar 2019 08:36:00 GMT https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969526#M144547 ymadheka 2019-03-12T08:36:00Z https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969527#M144549 <P>The maximum number of rules depends on the platforms memory capacity. A single access-control-entry occupies about&nbsp;172 bytes&nbsp;of memory. Depending on the platform you will choose you should reach out to Cisco to verify that your amount of ACEs will work out. In case you have a large ruleset (&gt; 250000 ACEs using a platform like 5525-X) you shouldnt have any issues but the number of NAT/IPSec VPNs should also be considered to size correctly.</P> <P></P> <P>There is no official document that I am aware of that lists maximum rules for ASA.</P> Tue, 29 Nov 2016 17:25:17 GMT https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969527#M144549 Oliver Kaiser 2016-11-29T17:25:17Z https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969528#M144550 <P></P> <P>Hi There,</P> <P></P> <P>Thanks for the reply.</P> <P>We are having major challenges in getting the configuration migrated from checkpoint (1780 odd ACLs with 0.2 million lines of rules), After configuring the access-group command, it has prompted as insufficient memory to install the rule and memory utilization has reached to 99%.</P> <P></P> <P>Is there any optimizing tool avaliable for the migration to give lesser performance issue since the ASA 5545-X is now going to put in production segment very soon.</P> <P></P> <P>Thanks &amp; Regards,</P> <P>Yogesh Madhekar</P> Wed, 30 Nov 2016 17:51:18 GMT https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969528#M144550 ymadheka 2016-11-30T17:51:18Z https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969529#M144552 <P>I was able to find more information on ACL recommended maximums in a cisco live session titled "Maximizing Firewall Performance". (2015)</P> <P><IMG width="684" height="91" alt="" src="https://community.cisco.com/legacyfs/online/attachments/discussion/acl-max.png" /></P> <P>Based on your platform you should be able to handle 200.000 ACEs. To verify your current number of ACE please execute the following command and post the output:</P> <PRE class="prettyprint">ASA# show access-list | include elements</PRE> <P>Depending on your output (count &lt; 200k) please execute the following commands and&nbsp;post the output</P> <PRE class="prettyprint">ASA# show version<BR />ASA# show memory<BR />ASA# show memory detail<BR />ASA# show memory app-cache<BR />ASA# show resource usage<BR />ASA# show resource usage detail<BR />ASA# show traffic<BR />ASA# show blocks<BR />ASA# show cpu core<BR />ASA# show cpu detail</PRE> Wed, 30 Nov 2016 18:36:20 GMT https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969529#M144552 Oliver Kaiser 2016-11-30T18:36:20Z https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969530#M144554 <P>Will arrange the same and post here once data is available.</P> <P></P> <P>Thanks &amp; Regards,</P> <P>Yogesh Madhekar</P> Wed, 30 Nov 2016 18:53:49 GMT https://community.cisco.com/t5/network-security/maximum-rules-limit-on-5500-x-platforms/m-p/2969530#M144554 ymadheka 2016-11-30T18:53:49Z