XSR User's Guide
Chapter 13: Configuring Security on the XSR
Firewall Limitations
Consider the following caveats regarding firewall operations:
Gating Rules - Internal XSR gating rules, which order traffic filtering,
are stored in a temporary file in Flash. Because one gating rule exists
for each network source/destination expansion, a potentially
enormous number of rules can be generated by just a single firewall
policy. For example, when a large network that has an
ANY_INTERNAL group with 200 network addresses is used as the
source address, and another group of 10 network addresses is used as
the destination address, 2000 gating rules are defined for the policy.
Accordingly, a limit is applied to their total, depending on the
amount of installed RAM (refer to Table 13). Also, be aware that each
bidirectional policy produces two gating rules per address pair.
Because gating rules must be unique, those policies which create
multiple gating rules when source or destination addresses are
network group objects will have a gating rule extension appended to
the actual policy name that was entered in the CLI command.
Firewall log messages specifying the policy name will display the
following, for example:

Log: TCP, Policy P_intExtFtp_0-2, 10.10.10.100(1033)-> 20.20.20.100(21)

where P_intExtFtp is the CLI policy name and _0-2 is the gating rule
extension.
Memory Limits - The number of permitted firewall objects is
constrained by the size of installed RAM in the XSR as follows:
Table 13 Firewall Limitations

Firewall Objects    XSR 1800    XSR 1800    XSR 18/3000    XSR 3000
                    @32MB       @64MB       @128MB         @256MB
Networks               20         400          600          1000
Services               50         400          600          1000
Network Groups          5         100          200           500
Service Groups         10         100          200           500
Policies               30         500         1000          3000
Filters                30         500         1000          3000
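The following Python script is an added example and is not part of the XSR User's Guide or Enterasys software. It puts the two limitations above into a pre-deployment check: it estimates the gating rules a policy will expand into from the sizes of its source and destination groups (one rule per address pair, doubled for bidirectional policies), compares an object inventory against the Table 13 limits, and splits the policy name in a firewall log line into the CLI name and the gating rule extension. The platform labels are the Table 13 column headings; the "_<n>-<m>" shape of the extension is inferred from the single example P_intExtFtp_0-2 and is an assumption, as is the sample log line, which is constructed. The page states that the gating rule total is limited by RAM but does not give that limit, so the script only reports the estimate.

```python
import re

# Table 13 object limits as printed on the page, keyed by the column headings.
TABLE_13_LIMITS = {
    "XSR 1800 @32MB": {"Networks": 20, "Services": 50, "Network Groups": 5,
                       "Service Groups": 10, "Policies": 30, "Filters": 30},
    "XSR 1800 @64MB": {"Networks": 400, "Services": 400, "Network Groups": 100,
                       "Service Groups": 100, "Policies": 500, "Filters": 500},
    "XSR 18/3000 @128MB": {"Networks": 600, "Services": 600, "Network Groups": 200,
                           "Service Groups": 200, "Policies": 1000, "Filters": 1000},
    "XSR 3000 @256MB": {"Networks": 1000, "Services": 1000, "Network Groups": 500,
                        "Service Groups": 500, "Policies": 3000, "Filters": 3000},
}


def gating_rules_for_policy(src_addresses, dst_addresses, bidirectional=False):
    """Estimate the gating rules one policy expands into.

    One rule per source/destination address pair; a bidirectional policy
    produces two rules per pair (both stated on the page).
    """
    rules = src_addresses * dst_addresses
    return rules * 2 if bidirectional else rules


def gating_rules_for_policies(policies):
    """Map policy name -> rule estimate for (name, src_count, dst_count, bidirectional) tuples."""
    return {name: gating_rules_for_policy(s, d, b) for name, s, d, b in policies}


def check_inventory(platform, inventory):
    """Return [(object_type, count, limit)] for each Table 13 limit the inventory exceeds."""
    limits = TABLE_13_LIMITS[platform]
    return [(obj, n, limits[obj]) for obj, n in inventory.items() if n > limits[obj]]


# Log line layout as shown on the page. The "_<n>-<m>" extension format is an
# assumption drawn from the single example "P_intExtFtp_0-2".
_LOG_RE = re.compile(
    r"Policy (?P<base>\S+?)(?P<ext>_\d+-\d+)?, "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)->\s*(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_firewall_log(line):
    """Split a firewall log line into CLI policy name, gating rule extension and endpoints."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    record = m.groupdict()
    record["ext"] = record["ext"] or ""  # no extension: single-rule policy
    return record


if __name__ == "__main__":
    # The page's worked case: 200-address ANY_INTERNAL group to a 10-address group.
    estimates = gating_rules_for_policies([
        ("P_intExtFtp", 200, 10, False),
        ("P_intExtWeb", 200, 10, True),   # constructed bidirectional counterpart
    ])
    print("gating rule estimates:", estimates, "total:", sum(estimates.values()))

    # Constructed inventory checked against the smallest platform.
    over = check_inventory("XSR 1800 @32MB", {"Networks": 25, "Network Groups": 3, "Policies": 31})
    for obj, n, limit in over:
        print(f"{obj}: {n} configured, limit {limit}")

    # Constructed log line in the page's format.
    sample = "Log: TCP, Policy P_intExtFtp_0-2, 10.10.10.100(1033)-> 20.20.20.100(21)"
    rec = parse_firewall_log(sample)
    print(f"CLI policy {rec['base']!r}, extension {rec['ext']!r}, to {rec['dst']}:{rec['dport']}")
```

Run the estimate before committing a policy set on a low-RAM XSR 1800: a single bidirectional policy between two large groups can consume more gating rules than all the rest combined, and splitting the log's policy name lets an operator correlate every "_n-m" variant back to the one CLI policy that produced it.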