Ted James
ASA limits
I've been asked several questions about our team's deployment of ASA 5515 firewalls across an enterprise. I cannot find these answers in Cisco documentation.
First two questions:
1. What is the limit of levels in nested object-groups for the ASA? I found that for Cisco IOS firewall, there is no limit, but they recommend limiting to two levels of nesting. And in Firepower documentation I found the limit for that is 10. But I found nothing for ASA itself.
2. Is there background data for the Cisco recommendation of <100 ACEs for the ASA 5515? There is a recommendation of <100K, but it is not a hard limit, just a CPU and memory consideration. There is no test data I can find for the 5515 (for other models, yes, there is data, but not for the 5515). Has anyone looked at this, and do you have any findings? We are over 200K but the CPU usage and used memory levels are still pretty low.
Thanks
Ted
ASKER
I'm going to close this question.
I have another one regarding ASA logging to include user and user id information in the logs, and I'll open a separate question for that one. So I hope you look out for that one and comment on it.
Thanks!