Cisco Firepower 9300 - Maximum supported policies/Rules

nirmal.joshi
Level 1

Hi All,

 

I am looking for information around maximum supported rules/Policies on a Cisco 9300 Firepower appliance (with SM 40).

Couldn't find this information in the documents. Please help point me to a link where this information is available.

 

#Firepower #FTD #Firepower9300

 

Thanks

Nirmal Joshi

 

1 Reply

NiltonMaia
Cisco Employee

As I understand, this will be delimited by the number of ACEs per appliance:

Appliance                  Maximum ACEs
ASA 5506-X                 12.500
ASA 5508-X                 50.000
ASA 5516-X                 125.000
ASA 5525-X                 150.000
ASA 5545-X                 250.000
ASA 5555-X                 250.000
ASA 5585-X (SSP-10)        500.000
ASA 5585-X (SSP-20)        750.000
ASA 5585-X (SSP-40)        1.000.000
ASA 5585-X (SSP-60)        2.000.000
Firepower 1010             15.000
Firepower 1120             125.000
Firepower 1140             150.000
Firepower 1150             250.000
Firepower 2110             50.000
Firepower 2120             75.000
Firepower 2130             300.000
Firepower 2140             375.000
Firepower 4110             2.250.000
Firepower 4115             2.500.000
Firepower 4120             2.250.000
Firepower 4125             2.750.000
Firepower 4140             2.250.000
Firepower 4145             3.000.000
Firepower 4150             3.000.000
Firepower 9300 SM-24       2.250.000
Firepower 9300 SM-36       2.250.000
Firepower 9300 SM-40       6.000.000
Firepower 9300 SM-44       3.000.000
Firepower 9300 SM-48       6.000.000
Firepower 9300 SM-56       6.000.000

For each source/destination IP address and each source/destination port within a rule, the number of access-control entries is multiplied. Example:

Source IP    Source Port  Destination IP  Destination Port  Protocol
198.17.1.1   2000         198.11.1.1      80                TCP

By multiplying the number of entries in each field we get the number of ACEs that will be generated:
1 (Source IP) x 1 (Source Port) x 1 (Destination IP) x 1 (Destination Port) x 1 (Protocol) = 1

A more realistic rule that can be found on a lot of firewalls – permitting Active Directory access from different network segments to a variety of domain controllers:

Source IP: 198.17.1.0/24, 198.17.2.0/24, 198.17.3.0/24, 198.17.4.0/24, 198.17.5.0/24, 198.17.6.0/24, 198.17.7.0/24
Source Port: (blank)
Destination IP: 198.19.11.1, 198.19.11.2, 198.19.11.3, 198.19.11.4, 198.19.11.5, 198.19.11.6, 198.19.11.7
Destination Port: 53, 88, 135, 389, 636, 3268, 3269
Protocol: TCP

If we multiply all our entries, we end up with quite a lot of ACEs:
7 (Source IP) x 7 (Destination IP) x 7 (Destination Port) x 1 (Protocol) = 343

 

Just SSH to your FTD device and execute the following handy command to know how many ACEs your configuration currently consists of:

show access-list | include elements

If you still have problems with the limitation, check Object-group Search (OGS).
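The ACE expansion described in the reply above, as an added example that is not part of the original thread or any Cisco tool: it expands a rule into the explicit entries the appliance compiles it to, sums the cost of a rule set against the per-platform ceilings quoted in the reply, and parses a constructed sample of `show access-list | include elements` output. The ACL name `CSM_FW_ACL_`, the name hash and the three-platform limit table are assumptions for illustration.

```python
import re
from itertools import product

# ACE ceilings quoted in the reply (its "6.000.000" read as 6,000,000); a few platforms only.
ACE_LIMITS = {
    "ASA 5506-X": 12_500,
    "Firepower 1010": 15_000,
    "Firepower 9300 SM-40": 6_000_000,
}

FIELDS = ("src_ips", "src_ports", "dst_ips", "dst_ports", "protocols")

# Constructed rule matching the Active Directory example in the reply.
# An empty list means the field was left blank ("any") and costs a factor of 1.
AD_RULE = {
    "src_ips": [f"198.17.{i}.0/24" for i in range(1, 8)],
    "src_ports": [],
    "dst_ips": [f"198.19.11.{i}" for i in range(1, 8)],
    "dst_ports": [53, 88, 135, 389, 636, 3268, 3269],
    "protocols": ["tcp"],
}

def count_aces(rule):
    """Product of the entry counts per field; a blank field counts as 1."""
    total = 1
    for field in FIELDS:
        total *= max(1, len(rule[field]))
    return total

def expand_rule(rule):
    """Materialise the explicit ACEs a rule compiles to (one per combination)."""
    columns = [rule[field] or ["any"] for field in FIELDS]
    return [dict(zip(FIELDS, combo)) for combo in product(*columns)]

def check_budget(rules, platform):
    """Sum the ACE cost of all rules and compare it with the platform ceiling."""
    total = sum(count_aces(r) for r in rules)
    limit = ACE_LIMITS[platform]
    return {"total": total, "limit": limit, "headroom": limit - total, "ok": total <= limit}

# Constructed sample of `show access-list | include elements` on an FTD; the ACL
# name is assumed to be the one FTD uses for its access policy, the hash is made up.
SAMPLE_OUTPUT = "access-list CSM_FW_ACL_; 343 elements; name hash: 0x1f0b2a3c\n"
ELEMENTS_RE = re.compile(r"^access-list (\S+); (\d+) elements;")

def parse_elements(output):
    """Map each ACL name to its compiled element (ACE) count."""
    found = (ELEMENTS_RE.match(line) for line in output.splitlines())
    return {m.group(1): int(m.group(2)) for m in found if m}
```

Running `check_budget` over an exported rule set before a deployment shows which platform in the table still has headroom, and comparing `parse_elements` output with the computed total shows whether the compiled policy matches what you expected.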

 
