https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268668#M818094 <HTML><HEAD></HEAD><BODY><P>Absolutely the firewall needs to parse through all of these lines. If there are huge number of ACE then, as soon as you load that config memory consumption will be high and in case of the FWSM there are a few known issues relating to CPU spikes due to acl compilation. It is always a good idea to have your highest hit ACE in the top of the list.</P><P></P><P></P></BODY></HTML> Tue, 15 Sep 2009 01:51:08 GMT Kureli Sankar 2009-09-15T01:51:08Z https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268667#M818093 <P>Gurus,</P><P></P><P>Concept of object grouping is used in firewall to have the group of host/services involved in logically single rules instead of varied lines.</P><P>Now it is seen that ACE uses only single line no. to define each object grouped rule until there is a change.</P><P>But even this way, the actual no. of lines would still be large enough degtermined by the no. of hosts or services in the object group.</P><P>Does this have any bearing on the extra lines firewall will have to parse thru.or is it simply for easier admin control.</P><P>Thanks.</P><P></P><P></P> Mon, 11 Mar 2019 16:15:24 GMT https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268667#M818093 suthomas1 2019-03-11T16:15:24Z https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268668#M818094 <HTML><HEAD></HEAD><BODY><P>Absolutely the firewall needs to parse through all of these lines. If there are huge number of ACE then, as soon as you load that config memory consumption will be high and in case of the FWSM there are a few known issues relating to CPU spikes due to acl compilation. It is always a good idea to have your highest hit ACE in the top of the list.</P><P></P><P></P></BODY></HTML> Tue, 15 Sep 2009 01:51:08 GMT https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268668#M818094 Kureli Sankar 2009-09-15T01:51:08Z https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268669#M818095 <HTML><HEAD></HEAD><BODY><P>So, grouping is more as a tool for easier admin control rather than reducing the line count of ACE on the firewall.</P><P>Thanks.</P></BODY></HTML> Tue, 15 Sep 2009 05:03:07 GMT https://community.cisco.com/t5/network-security/firewall-object-groupings/m-p/1268669#M818095 suthomas1 2009-09-15T05:03:07Z