Filter
Top Products
16-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Configuring Settings for Access Control
Field Reference
Table 16-5 Access Control Settings Page
Element Description
Maximum number of
concurrent flows (PIX, ASA,
FWSM)
(not presented on the IPv6
Access Control page)
The maximum number of concurrent deny flows that the device is
allowed to create. Syslog message 106101 is generated when the device
reaches the number. The range you should use depends on the amount
of flash memory available in the device:
• More than 64 MB—Values are 1-4096. The default is 4096.
• More than 16 MB—Values are 1-1024. The default is 1024.
• Less than or equal to 16 MB—Values are 1-256. The default is 256.
Syslog interval (PIX, ASA,
FWSM)
(not presented on the IPv6
Access Control page)
The interval of time for generating syslog message 106101, which
alerts you that the security appliance has reached a deny flow
maximum. When the deny flow maximum is reached, another 106101
message is generated if the specified number of seconds has passed
since the last 106101 message. Values are 1-3600 milliseconds. The
default is 300.
Enable Access List
Compilation (Global)
(IPv4 only; also not
presented on the IPv6 Access
Control page)
Whether to compile access lists, which speeds up the processing of
large rules tables. Compilation optimizes your policy rules and
performance for all ACLs, but is supported on a limited number of older
platforms:
• Routers (global configuration only): 7120, 7140, 7200, 7304, and
7500.
• PIX 6.3 firewalls, in global mode or per interface.
An ACL is compiled only if the number of access list elements is
greater than or equal to 19. The maximum recommended number of
entries is 16,000.
To compile access lists, the device must have a minimum of 2.1 MB of
memory. Access list compilation is also known as Turbo ACL.
Enable Object Group Search
(ASA 8.3+)
(not presented on the IPv6
Access Control page)
Whether to enable object group search on ASA 8.3+ devices, which
optimizes ACL performance without expanding object groups. Object
group search is mainly for use when migrating from Checkpoint to
ASA, which can result in a large increase in the number of access rules,
when you have a memory-constrained device (that is, you find during
operations that memory runs low).
If you enable object group search, you cannot use the Hit Count tool to
analyze your rules. In most cases, you should not enable this feature.
Instead, use the rule combination tool to simplify your access rules, and
consider using global rules for rules you want to enforce on all
interfaces.