263 Views, 10 Helpful, 2 Replies
Beginner

Does the order of the ACL affect the CPU and other resources on the Firepower FTD?

I am curious: for all the Allow rules, does the order of the access control policy affect the platform in a large way?

What I mean is, if there are a few hundred rules, is it important to put the most active flows at the top of the list and the rules that seldom get hit at the bottom?

I can see time-sensitive flows like voice traffic being important to have at the top of the list.

Overall, does it make a big impact to manage the order of the access policy, or is the difference negligible?

Thank you.
1 ACCEPTED SOLUTION

VIP Engager

IMO this depends on the type of hardware you are running. AFAIK the 4110s can support up to 1.5 million ACEs (access control entries), and each platform has different support numbers. I would recommend looking at your specific platform data sheet for a more accurate understanding of the limitations. For FTD traffic handling, have you considered prefilter policies to fastpath certain traffic? Pre-filtering is the first thing that gets checked in relation to the access control phase. Fastpath essentially allows you to bypass further evaluation from within the Snort engine. If you want to see more about traffic handling, see here: Understanding Firepower Packet Processing (learnitwithcifelli.com). HTH!


2 REPLIES
Rising star

The CPU searches for a match according to the order in which the ACL was entered, and hence it is good for voice.

Very good point.
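As an added example (not from this thread and not Cisco code), here is a small Python model of the first-match walk the replies describe. It measures the weighted number of rules evaluated per connection for a constructed five-rule policy under the original order and after moving the busiest rules up, checks that the reorder does not change any verdict (a rule is only allowed to overtake rules it does not overlap with), and shows a prefilter fastpath rule taking the voice traffic out of the walk altogether. The rule set, the connection counts and the prefilter rule are all constructed, and the linear walk is a simplification: how a given Firepower platform actually performs the lookup is not something this model claims to reproduce.

```python
# Toy first-match model of an access-control policy walk. Constructed example,
# not Cisco code: the rules, connection counts and prefilter rule are made up.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# proto is "any"/"tcp"/"udp"; dport None = any port; action "allow"/"block"/"fastpath".
Rule = namedtuple("Rule", "name src dst proto dport action")
Flow = namedtuple("Flow", "src dst proto dport")

def rule(name, src, dst, proto, dport, action):
    return Rule(name, ip_network(src), ip_network(dst), proto, dport, action)

def matches(r, f):
    return (ip_address(f.src) in r.src and ip_address(f.dst) in r.dst
            and r.proto in ("any", f.proto) and r.dport in (None, f.dport))

def first_match(rules, f):
    """First-match walk: (matching rule or None, number of rules evaluated)."""
    for i, r in enumerate(rules, 1):
        if matches(r, f):
            return r, i
    return None, len(rules)  # fell through to the implicit default action

def avg_rules_evaluated(rules, traffic):
    """traffic = [(Flow, connection count)]; mean walk depth weighted by count."""
    total = sum(c for _, c in traffic)
    return sum(first_match(rules, f)[1] * c for f, c in traffic) / total

def hit_counts(rules, traffic):
    hits = {r.name: 0 for r in rules}
    for f, c in traffic:
        r, _ = first_match(rules, f)
        if r is not None:
            hits[r.name] += c
    return hits

def overlaps(a, b):
    """True if some flow could match both rules, i.e. their relative order matters."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.dport, b.dport) or a.dport == b.dport))

def reorder_by_hits(rules, traffic):
    """Move hot rules up without changing which rule any flow hits.
    A rule may only overtake rules it does not overlap with: a different-action
    overlap would change the verdict, a same-action overlap would change which
    rule's logging/inspection settings apply. Conservative choice, not an FTD rule."""
    hits = hit_counts(rules, traffic)
    remaining, ordered = list(rules), []
    while remaining:  # greedy: hottest rule whose unplaced predecessors don't overlap it
        free = [r for r in remaining
                if not any(overlaps(p, r) for p in remaining[:remaining.index(r)])]
        best = max(free, key=lambda r: hits[r.name])
        ordered.append(best)
        remaining.remove(best)
    return ordered

def decisions(rules, traffic):
    return [getattr(first_match(rules, f)[0], "name", "implicit-default") for f, _ in traffic]

def fastpath_split(prefilter, traffic):
    """Prefilter runs first; flows hitting a fastpath rule never enter the ACP walk."""
    fast, rest = [], []
    for f, c in traffic:
        r, _ = first_match(prefilter, f)
        (fast if r is not None and r.action == "fastpath" else rest).append((f, c))
    return fast, rest

# Constructed policy: least-hit rules at the top, busiest rules at the bottom.
ACP = [
    rule("mgmt-ssh",    "10.10.0.0/16", "10.0.0.0/8",   "tcp", 22,   "allow"),
    rule("block-guest", "10.50.0.0/16", "10.20.0.0/16", "any", None, "block"),
    rule("voice-sip",   "10.30.0.0/16", "10.40.0.0/16", "udp", 5060, "allow"),
    rule("web-out",     "10.0.0.0/8",   "0.0.0.0/0",    "tcp", 443,  "allow"),
    rule("dns-out",     "10.0.0.0/8",   "0.0.0.0/0",    "udp", 53,   "allow"),
]
PREFILTER = [rule("voice-fastpath", "10.30.0.0/16", "10.40.0.0/16", "udp", None, "fastpath")]
TRAFFIC = [  # constructed (flow, connection count) pairs
    (Flow("10.10.1.5", "10.20.3.4", "tcp", 22), 5),
    (Flow("10.50.1.1", "10.20.1.1", "tcp", 443), 20),
    (Flow("10.30.1.1", "10.40.1.1", "udp", 5060), 10000),
    (Flow("10.10.1.5", "93.184.216.34", "tcp", 443), 50000),
    (Flow("10.10.1.5", "192.0.2.53", "udp", 53), 30000),
    (Flow("10.10.1.5", "192.0.2.7", "tcp", 25), 100),  # matches nothing
]

def summary():
    reordered = reorder_by_hits(ACP, TRAFFIC)
    fast, _ = fastpath_split(PREFILTER, TRAFFIC)
    return {
        "original_avg": avg_rules_evaluated(ACP, TRAFFIC),
        "reordered_avg": avg_rules_evaluated(reordered, TRAFFIC),
        "reordered_names": [r.name for r in reordered],
        "same_decisions": decisions(ACP, TRAFFIC) == decisions(reordered, TRAFFIC),
        "fastpathed_fraction": sum(c for _, c in fast) / sum(c for _, c in TRAFFIC),
    }

if __name__ == "__main__":
    print(summary())
```

Run as-is to print the summary. On this constructed data the walk drops from about 4.2 to about 3.1 rules per connection while every flow still hits the same rule, and the single prefilter rule takes about 11% of connections out of the access-control stage before any access-control rule is consulted. The constraint inside reorder_by_hits is the part worth keeping: the busiest rule here (web-out) cannot move above block-guest because the two overlap, and a hit-count sort that ignored that would silently let guest traffic through.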
