10-19-2017 05:29 AM
Hello Team,
I am working with a customer who wants to use 167 conditions with OR in one compound condition.
Is there any max number of conditions which can be used?
Also, I am not sure if this will cause a performance issue.
Is there any recommended max number of conditions which could be used?
I notice that when we save the page it takes a long time; however, should the authentication also take an unexpectedly long time?
Deployment information:
3 Nodes - ISE 2.0.0.306 (VM)
CPU Core Count: 4 @ 2.6 GHz
It would be wonderful if somebody has any kind of experience with this to share.
Thanks.
10-20-2017 08:11 AM
We test with 8 conditions per AuthC or AuthZ rule. Certainly a massive increase in conditions can be impactful to performance but we have not tested with this number to provide any indicator of impact.
As suggested above, 169 is very likely not reasonable and candidly not very manageable. It also makes it very difficult to troubleshoot. If this is for one exceptional use case, then likely they can assign these exceptions to their own ID group or store attribute and address with singular or few conditions.
Also note that conditions are matched left to right, so best to place the simple and local conditions first.
Craig
10-19-2017 06:06 AM
I can't speak to the performance, but I am curious what the 169 OR conditions are. Maybe there is a different way to do what the customer is trying to accomplish.
10-19-2017 07:11 AM
I agree, this seems like a lot of conditions to go through. Why is this needed?
If you still need to do this, generally for best design you should place an authorization rule like this lower in your list. If you require every endpoint to go through all of these checks then it's going to consume a lot of time and lower your time to correct authorization.
Design your authz rules to put rules that are going to be used by lots of endpoints higher in the order.
Remember we use a top down approach.