Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
0
Helpful
1
Replies

Object Creation in ASA

NeWGuy1109
Level 1
Level 1

‎05-04-2021 12:07 PM

I am using algosec fireflow for policy deployment in ASA firewalls.. algosec requires grouping of multiple IPs/Services into a single object..

 

for ex.. source 1.1.1.1, 2.2.2.2  destination 3.3.3.3 , 4.4.4.4 , 5.5.5.5  service : https , ssh , http

 

I normally do not club the IPs into a group name but algosec groups the source as gr-src-reqid ,destination as gr-dst-reqid and service as gr-srv-reqid.. thus creating  individual objects for src,dest and service respectively.. therefore, in each deployment request multiple objects will be created.... can this many object creation adversely affect the firewalls ? Is it a best practice to do so ?

 

any help is appreciated

Labels:
0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎05-04-2021 02:50 PM - edited ‎05-04-2021 02:52 PM

Hi @NeWGuy1109 

If you are going to use object groups, you can use the command "object-group-search access-control", this optimises ACLs preventing object group expansion, which reduces memory utilization with minimal additional CPU overhead.

 

Recommended in the following Cisco Live presentation.

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3020.pdf

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card