ACL Limits on Firepower Threat Defense

by Oliver Kaiser

Ever wondered how many access-list items are supported on Firepower Threat Defense? Just like ASA, Firepower Threat Defense uses the same concept of ACEs (Access-Control Entries) for its stateful inspection firewall engine (LINA). Each access control entry consists of a 5-tuple (Source IP, Destination IP, Source Port, Destination Port and Protocol), with each entry using a minimum of 212 bytes of memory.

Why should I care?

212 bytes of memory sounds like a drop in a pond, but think of it like this: the number of access-control entries is multiplied for each source/destination IP address and each source/destination port within a rule. Take the following example:

| Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- |
| 198.18.1.1 | 1000 | 198.19.1.1 | 80 | TCP |

By multiplying the number of entries in each field we get the number of ACEs that will be generated:
1 (Source IP) x 1 (Source Port) x 1 (Destination IP) x 1 (Destination Port) x 1 (Protocol) = 1

Let's take a more realistic rule that can be found on a lot of firewalls: permitting Active Directory access from different network segments to a variety of domain controllers.

| Source IP | Source Port | Destination IP | Destination Port | Protocol |
| --- | --- | --- | --- | --- |
| 198.18.1.0/24, 198.18.2.0/24, 198.18.3.0/24, 198.18.4.0/24, 198.18.5.0/24, 198.18.6.0/24, 198.18.7.0/24 | | 198.19.1.1, 198.19.1.2, 198.19.1.3, 198.19.1.4, 198.19.1.5, 198.19.1.6, 198.19.1.7 | 53, 88, 135, 389, 636, 3268, 3269 | TCP |

By doing the same simple math yet again, we multiply all our entries and end up with quite a lot of ACEs:
7 (Source IP) x 7 (Destination IP) x 7 (Destination Port) x 1 (Protocol) = 343

Now you might understand why the maximum number of recommended access-control entries can be quite important when sizing a Firepower Threat Defense deployment… or at least it was a lot more important before Firepower 6.6.0 was released.

Object-Group Search to the Rescue

Since the expansion of rules can cause a lot of access-control entries to be created, a new feature, Object-Group Search (OGS), was introduced to solve (or move?) the problem of high memory usage to the firewall's CPU. With OGS enabled, object-groups are not expanded when the configuration is deployed but are resolved by a lookup procedure at runtime. This way the amount of memory required to load access-control entries can be decreased, while the burden of resolving the objects referenced in your access policy is pushed onto the CPU.

OGS is disabled by default, and as long as FMC's Health Monitoring does not indicate any memory shortages on the firewall side I would recommend leaving it turned off. However, if you ever get into a situation where your ruleset is too large for the underlying hardware, you can just enable OGS in the device settings (just make sure your CPU is not at its limit as well):

Devices > Device Management > FTD01.EXAMPLE.COM > Device

Recommended Limits by Hardware

| Platform | Recommended Limit |
| --- | --- |
| ASA 5506-X | 12.500 |
| ASA 5508-X | 50.000 |
| ASA 5516-X | 125.000 |
| ASA 5525-X | 150.000 |
| ASA 5545-X | 250.000 |
| ASA 5555-X | 250.000 |
| ASA 5585-X (SSP-10) | 500.000 |
| ASA 5585-X (SSP-20) | 750.000 |
| ASA 5585-X (SSP-40) | 1.000.000 |
| ASA 5585-X (SSP-60) | 2.000.000 |
| Firepower 1010 | 15.000 |
| Firepower 1120 | 125.000 |
| Firepower 1140 | 150.000 |
| Firepower 1150 | 250.000 |
| Firepower 2110 | 50.000 |
| Firepower 2120 | 75.000 |
| Firepower 2130 | 300.000 |
| Firepower 2140 | 375.000 |
| Firepower 4110 | 2.250.000 |
| Firepower 4115 | 2.500.000 |
| Firepower 4120 | 2.250.000 |
| Firepower 4125 | 2.750.000 |
| Firepower 4140 | 2.250.000 |
| Firepower 4145 | 3.000.000 |
| Firepower 4150 | 3.000.000 |
| Firepower 9300 SM-24 | 2.250.000 |
| Firepower 9300 SM-36 | 2.250.000 |
| Firepower 9300 SM-40 | 6.000.000 |
| Firepower 9300 SM-44 | 3.000.000 |
| Firepower 9300 SM-48 | 6.000.000 |
| Firepower 9300 SM-56 | 6.000.000 |

ACE Limits
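
To check a ruleset against these limits before deploying it, the multiplication rule from the examples above can be scripted. This is an added example, not code from the original post or from Cisco: the rule dictionary layout, the function names and the third sample rule are assumptions, and an empty field is assumed to count as a single entry, as in the Active Directory example.

```python
from math import prod

ACE_MIN_BYTES = 212  # minimum memory per ACE, figure taken from the article
# Recommended ACE limits: three rows copied from the article's table.
RECOMMENDED_LIMIT = {"Firepower 1010": 15_000, "Firepower 2110": 50_000,
                     "Firepower 4110": 2_250_000}
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "protocol")

def ace_count(rule):
    """Expanded ACEs for one rule: product of the entry counts of each field.
    Assumption: a field left empty matches 'any' and counts as one entry."""
    return prod(max(len(rule.get(field, ())), 1) for field in FIELDS)

def size_ruleset(rules, platform):
    """Total the expansion and compare it with the platform's recommended limit."""
    per_rule = {rule["name"]: ace_count(rule) for rule in rules}
    total = sum(per_rule.values())
    limit = RECOMMENDED_LIMIT[platform]
    return {
        "total_aces": total,
        "min_bytes": total * ACE_MIN_BYTES,
        "utilisation": total / limit,
        "over_limit": total > limit,
        # Sorted by contribution: the first rules are the ones worth tightening.
        "largest_rules": sorted(per_rule.items(), key=lambda kv: kv[1], reverse=True),
    }

# Constructed sample ruleset. The first two rules are the article's examples;
# the third is an invented broad rule to show how quickly expansion grows.
RULES = [
    {"name": "single-host-web", "src_ip": ["198.18.1.1"], "src_port": [1000],
     "dst_ip": ["198.19.1.1"], "dst_port": [80], "protocol": ["TCP"]},
    {"name": "active-directory",
     "src_ip": [f"198.18.{n}.0/24" for n in range(1, 8)],
     "dst_ip": [f"198.19.1.{n}" for n in range(1, 8)],
     "dst_port": [53, 88, 135, 389, 636, 3268, 3269], "protocol": ["TCP"]},
    {"name": "broad-app-access",
     "src_ip": [f"10.0.{n}.0/24" for n in range(40)],
     "dst_ip": [f"10.1.0.{n}" for n in range(1, 31)],
     "dst_port": [8000 + 10 * n for n in range(15)], "protocol": ["TCP", "UDP"]},
]

if __name__ == "__main__":
    for platform in ("Firepower 1010", "Firepower 2110"):
        report = size_ruleset(RULES, platform)
        print(platform, report["total_aces"], f"{report['utilisation']:.0%}",
              "OVER LIMIT" if report["over_limit"] else "ok")
        print("  largest:", report["largest_rules"][0])
```

The estimate only applies the multiplication described above; the element count reported by the device itself remains the authoritative figure.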

Do you want to know how many ACEs your configuration currently consists of? Just SSH to your FTD device and execute the following handy command:

show access-list | include elements
