05-07-2025 10:51 PM
Hi all,
How does OGS work in Cisco FTD?
We were facing a memory utilisation issue on an FTD 3120 due to a high ACE count.
Cisco suggested enabling OGS.
Earlier ACE count was: 7905432
After enabling OGS, ACE count: 24905
I want to know how OGS works and how it optimises the ACEs and reduces the count.
05-07-2025 11:01 PM
Hello, OGS (Optimized Global Search) in Cisco Firepower Threat Defense (FTD) is a feature designed to optimize the way Access Control Entries (ACEs) are managed and stored in memory. In traditional operation, FTD generates a unique ACE for every individual rule and traffic flow combination, which can lead to an extremely high ACE count—especially in large rule sets or in environments with many users or objects, consuming significant memory and processing resources. OGS works by identifying common patterns across rules and consolidating them using a more efficient internal representation. It groups similar ACEs together and eliminates redundancy, allowing the system to use a compressed structure instead of storing millions of discrete entries. This significantly reduces the ACE count and improves memory utilization and performance. In your case, enabling OGS reduced the ACE count from over 7.9 million to just under 25,000, demonstrating its effectiveness in optimizing rule processing and memory usage.
05-08-2025 12:48 AM
By default, Cisco firewalls, FTD and ASA, need to expand the access rules if they use group objects, so that the firewall can iterate through the entries and find a match. That means that if you have 10 destination IPs or subnets in one group and 10 destination ports in a port group, that rule would be expanded to 100 entries. OGS removes the need to expand the access rules and allows the firewall to iterate through the group objects directly. So now the firewall no longer needs to expand the access rules and thereby saves on memory utilization, as the access rule list ends up being shorter.
Even though this has a positive effect on memory, the downside is that the work is now pushed to the CPU. So if you are already running a firewall with high CPU, this will have a negative effect on performance.
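To make the expansion arithmetic in the two answers above concrete, here is an added toy model (not Cisco code, and not how the FTD data plane is actually implemented): one rule whose destination group holds 10 subnets and whose port group holds 10 ports is either expanded into a 10 x 10 cross product of discrete ACEs, or kept as a single rule whose groups are walked at match time. The subnets, ports and test packets are constructed for the example; the numbers match the 10 x 10 = 100 case described in the second answer.

```python
"""Toy model of ACL expansion versus object-group search (OGS).

Constructed example, not Cisco code: it models the *counting* effect of
expanding object groups into discrete ACEs, and shows that matching against
the unexpanded rule gives the same verdicts as matching against the expanded
list. A real firewall compiles expanded ACEs into a classifier rather than
scanning them linearly, so this is about entry counts, not lookup speed.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed object groups: 10 destination /16 subnets and 10 destination ports.
DST_GROUP = [ip_network(f"10.{i}.0.0/16") for i in range(10)]
PORT_GROUP = [22, 25, 53, 80, 88, 123, 389, 443, 636, 3389]
ANY = [ip_network("0.0.0.0/0")]

# A rule keeps its object groups intact: (source nets, destination nets, ports, action).
RULE = (ANY, DST_GROUP, PORT_GROUP, "permit")
RULES = [RULE]


def expand_rule(rule):
    """Classic (non-OGS) behaviour: one ACE per (src, dst, port) combination."""
    src, dst, ports, action = rule
    return [(s, d, p, action) for s, d, p in product(src, dst, ports)]


def entry_counts(rules):
    """Number of stored entries with and without expansion."""
    expanded = sum(len(expand_rule(r)) for r in rules)
    return {"expanded": expanded, "grouped": len(rules)}


def match_expanded(aces, src_ip, dst_ip, port):
    """First-match lookup over the expanded ACE list; implicit deny at the end."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for s, d, p, action in aces:
        if src_ip in s and dst_ip in d and port == p:
            return action
    return "deny"


def match_grouped(rules, src_ip, dst_ip, port):
    """OGS-style lookup: walk each rule's groups instead of a cross product."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for src, dst, ports, action in rules:
        if (any(src_ip in n for n in src)
                and any(dst_ip in n for n in dst)
                and port in ports):
            return action
    return "deny"


def matchers_agree(rules, packets):
    """True if both lookups return the same verdict for every (src, dst, port)."""
    aces = [ace for r in rules for ace in expand_rule(r)]
    return all(match_expanded(aces, *pkt) == match_grouped(rules, *pkt) for pkt in packets)


if __name__ == "__main__":
    # Constructed test packets: one hit, one wrong subnet, one wrong port.
    packets = [("192.0.2.1", "10.3.4.5", 443),
               ("192.0.2.1", "10.30.4.5", 443),
               ("192.0.2.1", "10.3.4.5", 8080)]
    print(entry_counts(RULES))            # {'expanded': 100, 'grouped': 1}
    print(matchers_agree(RULES, packets))  # True
```

The ratio is only 100:1 for a single rule with two ten-member groups; with large groups referenced from many rules the expanded count grows multiplicatively, which is the effect behind the 7.9 million to 25 thousand change in the question. The cost of walking the groups at match time, rather than consulting a precompiled list, is the CPU trade-off the second answer describes.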