https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640378#M87628 <HTML><HEAD></HEAD><BODY><P>How many do rules do you have total?</P></BODY></HTML> Tue, 06 Feb 2007 21:52:16 GMT tsteger1 2007-02-06T21:52:16Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640375#M87622 <P>Has anyone seen this issue in CSA 5.0 when generating rules?</P><P></P><P>Rules for host.domain.com have complexity 7525 which exceeds the maximum of 7500 </P> Sun, 10 Mar 2019 10:27:12 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640375#M87622 taylr 2019-03-10T10:27:12Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640376#M87624 <HTML><HEAD></HEAD><BODY><P>No, but how many rules do you have or how many rule changes were pending? </P><P>CSA won't generate rules in some conditions. Too short of a polling interval is one.</P><P></P><P>Perhaps there is a maximum rule change or rule limit as well.</P></BODY></HTML> Tue, 06 Feb 2007 00:59:18 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640376#M87624 tsteger1 2007-02-06T00:59:18Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640377#M87626 <HTML><HEAD></HEAD><BODY><P>There are 52 rules pending.</P></BODY></HTML> Tue, 06 Feb 2007 21:00:02 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640377#M87626 taylr 2007-02-06T21:00:02Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640378#M87628 <HTML><HEAD></HEAD><BODY><P>How many do rules do you have total?</P></BODY></HTML> Tue, 06 Feb 2007 21:52:16 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640378#M87628 tsteger1 2007-02-06T21:52:16Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640379#M87630 <HTML><HEAD></HEAD><BODY><P>Yes, there is a complexity limit of 7500. We hit it a few months ago. What we did to fix it was to go through all the rules and wild card where we could and combine rules where we could. There is a value for each rule module/rule/app class/network address set/etc. and each line in each of those. So for example if you have an app class with @program files\abc.exe and **\temp\abc.exe that counts as 2 complexity points. Our biggest issue is network address sets. Its an ongoing battle. </P><P></P><P>Cisco says its there so the hosts don't have too much information to process and slow the machine down. </P><P></P><P>Shelly</P></BODY></HTML> Thu, 22 Feb 2007 19:22:36 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640379#M87630 shelly.kane 2007-02-22T19:22:36Z https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640380#M87631 <HTML><HEAD></HEAD><BODY><P>Shelly, thanks for the good information. </P><P></P><P>We delete everything associated with OSs we will never use (Linux, Solaris).</P><P></P><P>After each upgrade, everything is deleted if it's not needed and associated with new items if it is.</P><P></P><P>This keeps the MC pretty lean and rule generation is much faster. We have 388 rules on a 4.0.3 MC and 690 on a 5.1. All told there are 794 items on the 4.0.3 MC and 2121 items on the 5.1 MC.</P><P></P><P>Tom </P></BODY></HTML> Thu, 22 Feb 2007 20:08:57 GMT https://community.cisco.com/t5/network-security/rules-for-host-domain-com-have-complexity-7525-which-exceeds/m-p/640380#M87631 tsteger1 2007-02-22T20:08:57Z