Intrusion policy for huge number of ACP rules.

Dears,

I have a project to migrate an ASA to FTD, but I am worried about the FTD performance for the following reason:

The number of Access Control policies in the ASA is huge, around 10000 lines, so when I do the migration to the FTD I will have a huge number of ACP rules. My concern is about the performance when I attach the intrusion policy and the file policy to each rule, because the number of rules is huge!!

So I am wondering if the FTD performance will degrade when we enable the IPS and AMP policy for a huge number of rules, or if the architecture is not affected by the number of rules on which IPS is enabled.

I am worried because I can see the deployment time increasing as I configure more rules with IPS in other environments.

Thanks in advance,

Muhannad


Dears,

Following up on my question: I know that complex policies and rules can consume significant resources and negatively affect the performance of the FTD. When you deploy configuration changes, the system evaluates all rules together and creates an expanded set of criteria that the target devices use to evaluate network traffic. If these criteria exceed the resources (physical memory, processors, and so on) of a target device, you cannot deploy to that device.

I just need to know whether configuring an Access Control rule with an inspection (IPS) policy will be counted as an additional policy/rule or not.

Regards,

Muhannad
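An added example, not code from the original posts or from Cisco: a small Python capacity-planning script that models what the follow-up describes, rules being expanded at deployment time into a set of match criteria that the device must hold. The expansion formula (one criterion per source network, destination network and destination port combination), the rule fields, and the way attached intrusion and file policies are tallied are assumptions of this script, not the FMC's actual expansion algorithm; the rule data is constructed. It is meant for sizing a migration offline: find which rules dominate the expanded set and how much of it carries inspection before attaching policies to 10000 migrated rules.

```python
"""Estimate how an access control policy expands at deployment time.

Constructed example, not Cisco's own logic. Assumed model: each rule expands
into one match criterion per (source network, destination network,
destination port) combination, and an attached intrusion or file policy
rides along with every expanded criterion of that rule rather than adding
criteria of its own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AcpRule:
    name: str
    src_nets: List[str]
    dst_nets: List[str]
    dst_ports: List[str]
    intrusion_policy: Optional[str] = None  # attached IPS policy name, if any
    file_policy: Optional[str] = None       # attached file/AMP policy name, if any

    def expanded_criteria(self) -> int:
        """Number of match tuples under the assumed expansion model."""
        return len(self.src_nets) * len(self.dst_nets) * len(self.dst_ports)


def summarize_policy(rules: List[AcpRule]) -> Dict[str, object]:
    """Total expanded criteria, and how many of them carry inspection."""
    total = with_ips = with_file = 0
    per_rule: Dict[str, int] = {}
    for rule in rules:
        n = rule.expanded_criteria()
        per_rule[rule.name] = n
        total += n
        if rule.intrusion_policy:
            with_ips += n
        if rule.file_policy:
            with_file += n
    return {
        "rules": len(rules),
        "expanded": total,
        "with_ips": with_ips,
        "with_file": with_file,
        "per_rule": per_rule,
    }


def top_rules(rules: List[AcpRule], limit: int = 3) -> List[AcpRule]:
    """Rules with the largest expansion: the first place to look when a
    deployment approaches the target device's limits."""
    return sorted(rules, key=lambda r: r.expanded_criteria(), reverse=True)[:limit]


# Constructed sample rules (network and port names are placeholders).
SAMPLE_RULES = [
    AcpRule("allow-web", ["lan-a", "lan-b", "lan-c"], ["dmz-web", "dmz-api"],
            ["tcp/80", "tcp/443"], intrusion_policy="balanced", file_policy="malware-block"),
    AcpRule("dns", ["lan-a"], ["dns-server"], ["udp/53"], intrusion_policy="balanced"),
    AcpRule("legacy-bulk", [f"site-{i}" for i in range(10)], [f"app-{i}" for i in range(5)],
            ["tcp/22", "tcp/3389", "tcp/445", "tcp/1433"]),
]


if __name__ == "__main__":
    summary = summarize_policy(SAMPLE_RULES)
    print(f"{summary['rules']} rules expand to {summary['expanded']} criteria; "
          f"{summary['with_ips']} carry IPS, {summary['with_file']} carry file inspection")
    for rule in top_rules(SAMPLE_RULES):
        print(f"  {rule.name}: {rule.expanded_criteria()} criteria")
```

Under this model, attaching an intrusion policy to a rule does not change the expanded count; it changes which criteria carry the inspection cost, and the summary reports those two numbers separately so that a large bulk rule without inspection (such as the constructed `legacy-bulk`) can be distinguished from many small inspected rules. Whether the FMC counts inspected rules differently is exactly the open question in the thread; the script only makes the sizing assumption explicit so it can be checked against a real deployment.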
