Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 37 Configuring Access Rules
At the end of each interval, the ASA resets the hit count to 0. If no packets match the access rule during
an interval, the ASA deletes the flow entry.
A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption
of memory and CPU resources, the ASA limits the number of concurrent deny flows. The limit applies
only to deny flows, not to permit flows, because a surge of deny flows can indicate an attack: a
denial-of-service attempt can cause the ASA to create a very large number of deny flows in a very short
period of time. When the limit is reached, the ASA does not create a new deny flow until existing flows
expire, so logging of new deny flows stops (see the Maximum Deny-flows field below) while the flows
that are already cached continue to be counted.
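The following model of the deny-flow cache is an added example, not Cisco's code, written to show the behaviour the guide describes: per-interval hit counts that reset to 0, deletion of flows that saw no packets in an interval, a cap on concurrent deny flows that bounds memory under a spoofed-source flood, and an alert interval that throttles syslog message 106101. The flow keys, timings, object names and the exact 106101 message text are constructed for illustration; the real ASA keys flows on more fields than shown here.

```python
class DenyFlowCache:
    """Model of the ASA deny-flow cache (added example, not Cisco code)."""

    def __init__(self, deny_flow_max=4096, alert_interval=300, log_interval=300):
        self.deny_flow_max = deny_flow_max    # "Maximum Deny-flows" field (1-4096)
        self.alert_interval = alert_interval  # "Alert Interval" field, seconds (1-3600)
        self.log_interval = log_interval      # the access rule's own logging interval
        self.flows = {}                       # flow key -> hits in the current interval
        self.dropped_new_flows = 0            # deny flows the cap refused to create
        self.alerts = []                      # (time, message) for each 106101 emitted
        self.peak_flows = 0                   # highest number of concurrent deny flows
        self._next_reset = log_interval
        self._last_alert = None

    def _end_of_interval(self, now):
        # At the end of each interval: flows with no hits are deleted, the rest
        # keep their entry and restart the hit count at 0.
        while now >= self._next_reset:
            self.flows = {k: 0 for k, hits in self.flows.items() if hits > 0}
            self._next_reset += self.log_interval

    def denied_packet(self, now, key):
        """Account a packet denied by a logged access rule to a deny flow.

        Returns True when the packet was counted against an existing or newly
        created flow, False when the cap prevented creating a new flow."""
        self._end_of_interval(now)
        if key in self.flows:
            self.flows[key] += 1
            return True
        if len(self.flows) >= self.deny_flow_max:
            self.dropped_new_flows += 1
            self._alert(now)
            return False
        self.flows[key] = 1
        self.peak_flows = max(self.peak_flows, len(self.flows))
        return True

    def _alert(self, now):
        # 106101 is raised at most once per alert interval while the cap is hit.
        if self._last_alert is None or now - self._last_alert >= self.alert_interval:
            msg = ("%%ASA-1-106101: Number of cached deny-flows for ACL log "
                   "has reached limit (%d)" % self.deny_flow_max)  # wording assumed
            self.alerts.append((now, msg))
            self._last_alert = now


def simulate_flood(n_packets, deny_flow_max=4096, alert_interval=300,
                   log_interval=300, pps=1000):
    """Spoofed-source flood: every packet carries a fresh source address, so
    each one would create a new deny flow.  Returns what the cap achieved."""
    cache = DenyFlowCache(deny_flow_max, alert_interval, log_interval)
    for i in range(n_packets):
        key = ("spoofed-src-%d" % i, "10.0.0.5", 22)   # constructed flow key
        cache.denied_packet(i / pps, key)
    return {
        "peak_flows": cache.peak_flows,          # never exceeds deny_flow_max
        "refused_flows": cache.dropped_new_flows,
        "alerts_106101": len(cache.alerts),
    }


if __name__ == "__main__":
    print(simulate_flood(100_000))
```

Running `simulate_flood(100_000)` floods the model with 100,000 distinct sources in 100 seconds: the cache never holds more than 4096 flows, the remaining 95,904 flow creations are refused, and a single 106101 is emitted because the whole flood fits inside one 300-second alert interval. Lowering Maximum Deny-flows reduces memory further but also means fewer distinct attackers are visible in the logs before logging stops.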
Prerequisites
These settings apply only if you enable the newer logging mechanism for the access rule.
Fields
• Maximum Deny-flows—The maximum number of deny flows the ASA caches before it stops
logging new deny flows, between 1 and 4096. The default is 4096.
• Alert Interval—The amount of time (1 to 3600 seconds) between system log messages (number
106101) that report that the maximum number of deny flows was reached. The default is 300
seconds.
• Per User Override table—Specifies the state of the per user override feature. If per user override
is enabled on the inbound access rule, the access rule that the RADIUS server provides for the user
replaces the access rule configured on that interface, so the interface rule no longer restricts that
user's traffic. If per user override is disabled, the access rule provided by the RADIUS server is
combined with the access rule configured on that interface. If no inbound access rule is configured
for the interface, per user override cannot be configured.
• Object Group Search Setting—Reduces the amount of memory used to store access rules that
reference object groups, but lengthens the time needed to find a matching access rule.
Access Rule Explosion
The security appliance allows you to turn off the expansion of access rules that contain object
groups. Normally each such rule is expanded into one entry per combination of group members, which
can multiply the rule count (the "explosion"). When expansion is turned off, an object group search is
used for lookup instead, which lowers the memory needed to store the rules but decreases lookup
performance. Because this trades lookup performance for memory utilization, you can turn the search
on and off. To turn off the expansion of access rules that contain object groups, perform the following
steps:
Step 1 Choose Configuration > Firewall > Access Rules.
Step 2 Click the Advanced button.
Step 3 Check the Enable Object Group Search Algorithm check box.
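The following is an added example, not Cisco's code, that models the trade-off behind the Enable Object Group Search Algorithm setting. A single access rule that references three object groups is either expanded into one concrete entry per combination of members (the expanded form the ASA stores by default) or kept as one rule whose group memberships are tested at lookup time (object group search). The object group names, networks and ports are constructed for illustration, and the lookup functions are a simplified model of the ASA's matching.

```python
from itertools import product
from ipaddress import ip_address, ip_network

# Constructed object groups (hypothetical names, not from the guide).
OBJECT_GROUPS = {
    "SRC_NETS": [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"),
                 ip_network("10.3.0.0/24")],
    "DST_SERVERS": [ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32"),
                    ip_network("192.0.2.12/32"), ip_network("192.0.2.13/32")],
    "WEB_SVC": [80, 443, 8000, 8080, 8443],
}

# One access rule: permit tcp object-group SRC_NETS object-group DST_SERVERS object-group WEB_SVC
ACE = ("permit", "SRC_NETS", "DST_SERVERS", "WEB_SVC")


def expand(ace):
    """Expanded form: one stored entry per (source, destination, port) combination."""
    action, src_g, dst_g, svc_g = ace
    return [(action, s, d, p)
            for s, d, p in product(OBJECT_GROUPS[src_g],
                                   OBJECT_GROUPS[dst_g],
                                   OBJECT_GROUPS[svc_g])]


def stored_entries(ace, object_group_search):
    """How many entries the rule costs to store under each setting."""
    return 1 if object_group_search else len(expand(ace))


def lookup_expanded(entries, src, dst, port):
    """Match against the expanded entries; implicit deny if nothing matches."""
    a, b = ip_address(src), ip_address(dst)
    for action, s, d, p in entries:
        if a in s and b in d and port == p:
            return action
    return "deny"


def lookup_group_search(ace, src, dst, port):
    """Object group search: keep the single rule and test each group's membership
    at lookup time (more work per lookup, one entry stored)."""
    action, src_g, dst_g, svc_g = ace
    a, b = ip_address(src), ip_address(dst)
    if (any(a in n for n in OBJECT_GROUPS[src_g])
            and any(b in n for n in OBJECT_GROUPS[dst_g])
            and port in OBJECT_GROUPS[svc_g]):
        return action
    return "deny"


if __name__ == "__main__":
    print("expanded entries:", stored_entries(ACE, False),
          "with object group search:", stored_entries(ACE, True))
    for pkt in [("10.2.0.7", "192.0.2.12", 443), ("10.2.0.7", "192.0.2.12", 22)]:
        print(pkt, lookup_expanded(expand(ACE), *pkt), lookup_group_search(ACE, *pkt))
```

With these groups the one rule expands to 3 × 4 × 5 = 60 entries, and the two lookup paths agree on every packet; the setting changes only where the cost is paid, in memory for the expanded entries or in per-lookup membership tests. Before enabling the search on a busy interface, compare the expanded rule count from the ASA against the memory available, since the lookup slowdown is paid on every packet that reaches the rule.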
Configuring HTTP Redirect
The HTTP Redirect table lists each interface on the ASA, shows whether the interface is configured to
redirect HTTP connections to HTTPS, and shows the port number on which it listens for the HTTP
connections that it redirects.