04-17-2021 01:08 AM
Hello,
We have just upgraded our FTD 2110 firewall to firmware version 6.6.1. Since the AC element count is 800k, FMC shows a warning message, "the number of access list elements generated for the access control policy exceeds the limit for this platform", suggesting that we enable "Object Group Search". I have checked Cisco's documentation but could not find proper information; could any of you help me?
1. Is it recommended to enable "object group search"?
2. Does it increase the CPU usage of the firewall? The below document says it doesn't affect CPU usage.
04-18-2021 10:27 PM
Hi Nikhil,
Kindly go through:
"Enabling object group search reduces memory requirements for access control policies that include network objects. However, it is important to note that object group search might also decrease rule lookup performance and thus increase CPU utilization. You should balance the CPU impact against the reduced memory requirements for your specific access control policy. In most cases, enabling object group search provides a net operational improvement."
Also:
Regards,
Chakshu
04-17-2021 05:09 AM
It is definitely recommended in a case like yours. As noted, performance will be helped and no additional CPU usage should result.