Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5108
Views
0
Helpful
4
Replies

Maximum rules limit on 5500-X platforms

ymadheka
Level 4
Level 4

‎11-29-2016 01:24 AM - edited ‎03-12-2019 01:36 AM

Hi Team,

 

We are in the process of migration from checkpoint to ASA with firepower services wherein the customer has more than one lakh rules that needs to be migrated to Cisco platform. Is there any documentation for referring the maximum rules count supported on our platform?

 

Thanks & Regards,

Yogesh Madhekar

Labels:
0 Helpful
4 Replies 4

Oliver Kaiser
Level 7
Level 7

‎11-29-2016 09:25 AM

The maximum number of rules depends on the platforms memory capacity. A single access-control-entry occupies about 172 bytes of memory. Depending on the platform you will choose you should reach out to Cisco to verify that your amount of ACEs will work out. In case you have a large ruleset (> 250000 ACEs using a platform like 5525-X) you shouldnt have any issues but the number of NAT/IPSec VPNs should also be considered to size correctly.

There is no official document that I am aware of that lists maximum rules for ASA.

0 Helpful

ymadheka
Level 4
Level 4
In response to Oliver Kaiser

‎11-30-2016 09:51 AM

Hi There,

Thanks for the reply.

We are having major challenges in getting the configuration migrated from checkpoint (1780 odd ACLs with 0.2 million lines of rules), After configuring the access-group command, it has prompted as insufficient memory to install the rule and memory utilization has reached to 99%.

Is there any optimizing tool avaliable for the migration to give lesser performance issue since the ASA 5545-X is now going to put in production segment very soon.

Thanks & Regards,

Yogesh Madhekar

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to ymadheka

‎11-30-2016 10:36 AM

I was able to find more information on ACL recommended maximums in a cisco live session titled "Maximizing Firewall Performance". (2015)

Based on your platform you should be able to handle 200.000 ACEs. To verify your current number of ACE please execute the following command and post the output:

ASA# show access-list | include elements

Depending on your output (count < 200k) please execute the following commands and post the output

ASA# show version
ASA# show memory
ASA# show memory detail
ASA# show memory app-cache
ASA# show resource usage
ASA# show resource usage detail
ASA# show traffic
ASA# show blocks
ASA# show cpu core
ASA# show cpu detail
Preview file
17 KB
0 Helpful

ymadheka
Level 4
Level 4
In response to Oliver Kaiser

‎11-30-2016 10:53 AM

Will arrange the same and post here once data is available.

Thanks & Regards,

Yogesh Madhekar

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card