08-24-2020 03:52 AM
Hello,
We are using FPR-9300 w/ FMC 4600, both FMC and FTD running the 6.6.0 version image.
We are getting the following error, while adding new rules:
"Rule validation failed due to insufficient resources causing deployment failure. Please consider reducing the rule set..."
In the troubleshooting details, it shows that the process stops at "FWRuleChecker validation..." with an error "Failed to parse identity rules file - 153".
We are able to add rules after removing some unused/redundant rules, but I don't think this can go on (some rules may have to be put back when needed).
We have ~600K objects and 18K rules which I believe is way below the capacity that this platform can support.
Can someone please help with the capacity limits for this device in terms of rule/object counts or any other metrics? The datasheets talk about performance throughput and some other numbers like concurrent sessions but not the rule base size that I can map with this error.
Thanks in advance for your help!
Regards,
Krishna
08-25-2020 11:37 PM - edited 08-26-2020 10:17 AM
Please check the number of elements resulting from the combinations of your ACL entries and the objects they reference. You can do this from the CLI with:
show access-list | include elements
While there's not a hardcoded limit, the Firepower 9300 with SM-56 should be able to accommodate up to 6,000,000 elements.
Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf (pages 26-27)
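An added example, not part of this thread: it parses the per-ACL summary lines produced by the command above, sums the element counts, and compares the total against the 6,000,000 reference figure quoted in the reply. The summary-line format is an assumption modelled on ASA-style output (verify it against your own device), the sample output is constructed, and the per-rule estimator is a simplified product model rather than the platform's exact ACL compiler.

```python
import re

# Reference ceiling quoted in the reply above (Firepower 9300 with SM-56).
ELEMENT_CEILING = 6_000_000

# Matches the per-ACL summary line of "show access-list | include elements",
# e.g. "access-list inside_in; 4120 elements; name hash: 0x433a1af1".
# Assumption: ASA-style format; confirm the exact wording on your device.
ELEMENTS_RE = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements;")


def parse_elements(output: str) -> dict:
    """Return {acl_name: element_count} from the CLI output."""
    counts = {}
    for line in output.splitlines():
        m = ELEMENTS_RE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def total_elements(counts: dict) -> int:
    """Sum of compiled elements across all ACLs."""
    return sum(counts.values())


def utilisation(counts: dict, ceiling: int = ELEMENT_CEILING) -> float:
    """Fraction of the reference ceiling consumed (1.0 == at the ceiling)."""
    return total_elements(counts) / ceiling


def estimate_rule_elements(src_hosts: int, dst_hosts: int, services: int) -> int:
    """Rough expansion estimate for one rule: every source x destination x
    service combination becomes its own element once object groups are
    expanded. Simplified model (assumption), not the exact compiler behaviour."""
    return src_hosts * dst_hosts * services


# Constructed sample output, not captured from a real device.
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list CSM_FW_ACL_; 5412300 elements; name hash: 0x2c7d4f1a
access-list outside_in; 812000 elements; name hash: 0x0a8b2c3d
"""

if __name__ == "__main__":
    acls = parse_elements(SAMPLE_OUTPUT)
    print(f"ACLs: {acls}")
    print(f"total elements: {total_elements(acls)} "
          f"({utilisation(acls):.1%} of {ELEMENT_CEILING})")
```

A total above 1.0 of the ceiling is the condition to look for when the deployment error in the original post appears; a single rule referencing large groups on both sides can dominate the total, which `estimate_rule_elements` makes visible before the rule is deployed.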
08-26-2020 12:47 AM