Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6062
Views
5
Helpful
2
Replies

Object Group search feature in FTD 2110 version 6.6.1

Go to solution
Nikhil5
Level 1
Level 1

‎04-17-2021 01:08 AM

Hello,

We have just upgraded FTD 2110 firewall to firmware version 6.6.1. Since the AC element count is 800k, FMC shows a warning message "the number of access list elements generated for the access control policy exceeds the limit for this platform", suggesting to enable "Object Group Search". I have checked Cisco's documentation but could not get proper information, could anyone of you help me?

 

1. Is it recommended to enable "object group search"?

2. Does it increase the CPU usage of the firewall? The below document says it doesn't affect CPU usage.

 

1 person had this problem
Preview file
92 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee

‎04-18-2021 10:27 PM

Hi Nikhil,

 

Kindly go through:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/device_management_basics.html#Cisco_Task_in_List_GUI.dita_da6fee26-4eb9-420f-b40b-d623b170e910

 

"Enabling object group search reduces memory requirements for access control policies that include network objects. However, it is important to note that object group search might also decrease rule lookup performance and thus increase CPU utilization. You should balance the CPU impact against the reduced memory requirements for your specific access control policy. In most cases, enabling object group search provides a net operational improvement. "

 

Also:

https://www.linkedin.com/pulse/object-group-search-underrated-new-feature-nikolaj-pabst-nielsen/?trk=related_artice_Object%20Group%20Search%20-%20The%20underrated%20%26amp%3Bamp%3Bquot%3Bnew%26amp%3Bamp%3Bquot%3B%E2%80%8B%20feature!_article-card_titl...

 

Regards,

Chakshu

View solution in original post

2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-17-2021 05:09 AM

It is definitely recommended in a case like yours. As noted, performance will be helped and no additional CPU usage should result.

0 Helpful

Go to solution
Chakshu Piplani
Cisco Employee
Cisco Employee

‎04-18-2021 10:27 PM

Hi Nikhil,

 

Kindly go through:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/device_management_basics.html#Cisco_Task_in_List_GUI.dita_da6fee26-4eb9-420f-b40b-d623b170e910

 

"Enabling object group search reduces memory requirements for access control policies that include network objects. However, it is important to note that object group search might also decrease rule lookup performance and thus increase CPU utilization. You should balance the CPU impact against the reduced memory requirements for your specific access control policy. In most cases, enabling object group search provides a net operational improvement. "

 

Also:

https://www.linkedin.com/pulse/object-group-search-underrated-new-feature-nikolaj-pabst-nielsen/?trk=related_artice_Object%20Group%20Search%20-%20The%20underrated%20%26amp%3Bamp%3Bquot%3Bnew%26amp%3Bamp%3Bquot%3B%E2%80%8B%20feature!_article-card_titl...

 

Regards,

Chakshu

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card