how many ACP policies can be created on a 7120 sensor

carloanez
Level 1

Hello Cisco community,

How many ACP rules can be created on a FireSIGHT 7120 sensor (16 GB of RAM, 3 CPUs)?

This is what I found in the current documentation:

FireSIGHT System User Guide Version 5.4.1 - Getting Started with Access Control Policies [Cisco Firepower Management Cen…

When you apply an access control policy, the system evaluates all the rules together and creates an expanded set of criteria that target devices use to evaluate network traffic. A pop-up window may warn that you have exceeded the maximum number of access control rules or intrusion policies supported by a target device. This maximum depends on a number of factors, including the physical memory and the number of processors on the device. On devices with less computing resources, note that limited memory may require that you select as few as three intrusion policies across an entire access control policy.

I want to know if there is a matrix of how many policies and their combinations can be created for this sensor model.

Thanks in advance for your help,

Carlo Anez

1 Reply

Veronika Klauzova
Cisco Employee

Hi Carlo,

Good question, but there is no easy answer. Until the 5.4.0.6 software release we had a hard-coded maximum number of Access Control Policy rules (115,000), but this changed over time (starting from 5.4.0.7) and it has now become an unlimited number (it all depends on available resources and rule definitions). As far as I know there is no matrix of how many rules you can configure per platform.

It is hard to state the limit, as no two rules are alike. Some entries in the GUI expand into one line and others into hundreds of lines in the backend, and they consume different amounts of RAM. From the GUI perspective you can have a few entries which expand into thousands of rules. If you are familiar with the ASA concept of ACP rule expansion, where a rule contains objects with multiple hosts or services, then in Firepower it is a similar story.

If you haven't found it yet, please look at the following documentation, which covers good examples of rule expansion along with the formula for how the rules get expanded:

Understand the Rule Expansion on FirePOWER Devices - Cisco

Best regards,

Veronika Klauzova
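To make the expansion idea concrete, here is an added example (not from this thread and not Cisco's own tooling) that models each GUI rule as the cartesian product of its flattened match fields, so three GUI entries become a few hundred backend lines. The field set and the multiply-per-field model are simplifying assumptions; the authoritative behaviour is in the rule-expansion document linked above.

```python
from itertools import product

# Added example (not from the original thread or Cisco's own tooling).
# Simplified model of access control rule expansion: every object in a
# rule's match criteria (zones, networks, ports, ...) is flattened into
# its members, and the backend emits one line per combination, so the
# expanded line count is the product of the member counts per field.
# The field list below is an assumption for illustration only.

# Constructed object groups, standing in for network/port objects.
OBJECTS = {
    "INTERNAL_NETS": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "DMZ_HOSTS": [f"10.1.1.{i}" for i in range(1, 21)],   # 20 hosts
    "WEB_PORTS": ["tcp/80", "tcp/443", "tcp/8080", "tcp/8443"],
}

def resolve(entries):
    """Flatten literals and object-group names into their members;
    an empty field matches 'any' and contributes a single member."""
    members = []
    for e in entries:
        members.extend(OBJECTS.get(e, [e]))
    return members or ["any"]

def expand_rule(rule):
    """Return the backend lines one GUI rule expands into (as tuples)."""
    fields = ["src_zones", "dst_zones", "src_nets", "dst_nets", "dst_ports"]
    resolved = [resolve(rule.get(f, [])) for f in fields]
    return list(product(*resolved))

def expansion_report(policy):
    """Count GUI entries versus expanded backend lines for a policy."""
    total = sum(len(expand_rule(r)) for r in policy)
    return {"gui_rules": len(policy), "expanded_rules": total}

# Constructed sample policy: three GUI entries.
POLICY = [
    {"name": "allow-web", "src_zones": ["inside"], "dst_zones": ["dmz"],
     "src_nets": ["INTERNAL_NETS"], "dst_nets": ["DMZ_HOSTS"],
     "dst_ports": ["WEB_PORTS"]},                          # 1*1*3*20*4 = 240
    {"name": "allow-dns", "src_nets": ["INTERNAL_NETS"],
     "dst_nets": ["10.1.1.53"], "dst_ports": ["udp/53", "tcp/53"]},  # 3*1*2 = 6
    {"name": "default-deny"},                              # all 'any' = 1
]

if __name__ == "__main__":
    print(expansion_report(POLICY))
```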
