Class Name
|
Enter a name for this class; can be a string of up to 20 alphanumeric characters, and may include any of the following special
characters: ` ( ) + - , . / : =.
|
Limits Tab
|
Note
|
For the following Limits, if you do not specify a value for a particular limit, the limit is inherited from the default class.
If the default class does not set that limit, the limit inherits the system limit. Also, any value you enter is considered
to be that rate per second, unless you also check the related percent box, in which case the value is that percentage of
the total resource.
|
|
TCP or UDP Connections
|
Sets a Rate Limit for TCP or UDP connections between any two hosts, including connections between one host and multiple other
hosts. You can set the limit as an absolute value by entering an integer between 0 (system limit) and 102400, or you can assign
more than 100 percent if you want to oversubscribe the device.
|
Inspections (Fixups)
|
Sets a Rate Limit for application inspections. You can set the limit as an absolute value by entering an integer between 0
(system limit) and 10000 per second, or you can assign more than 100 percent if you want to oversubscribe the device.
|
Syslog Messages
|
Sets a Rate Limit for system log messages. You can set the limit as an absolute value, or you can assign more than 100 percent
if you want to oversubscribe the device.
The FWSM can support 30,000 messages per second for messages sent to the FWSM terminal or buffer. If you send messages to
a syslog server, the FWSM supports 25,000 per second.
|
Connections
|
Sets the Absolute Limit for concurrent TCP or UDP connections. You can set the limit as an absolute value by entering an integer
between 0 (system limit) and 999900, or you can assign more than 100 percent if you want to oversubscribe the device.
Note
|
For concurrent connections, the FWSM allocates half of the limit to each of two network processors (NPs) that accept connections.
Typically, the connections are divided evenly between the NPs. However, in some circumstances, the connections are not evenly
divided, and the maximum connection limit could be reached on one NP before reaching the maximum on the other. In this case,
the maximum connections allowed is less than the limit you set. The NP distribution is controlled by the switch, based on
a distribution algorithm. You can adjust this algorithm on the switch, or you can adjust the connection limit upward to account
for the inequity.
|
|
Hosts
|
Sets the limit for concurrent hosts that can connect through the FWSM. You can set the limit as an absolute value by entering
an integer between 0 (system limit) and 262144, or you can assign more than 100 percent if you want to oversubscribe the device.
|
IPsec Sessions
|
Sets the limit for IPsec sessions. You can set the limit as an absolute value by entering an integer between 1 and 5, or you
can assign more than 100 percent if you want to oversubscribe the device. The system allows a maximum of 10 concurrent sessions
divided between all contexts.
|
SSH Sessions
|
Sets the limit for SSH sessions. You can set the limit as an absolute value by entering an integer between 1 and 5, or you
can assign more than 100 percent if you want to oversubscribe the device. The system allows a maximum of 100 concurrent sessions
divided between all contexts.
|
Telnet Sessions
|
Sets the limit for concurrent Telnet sessions. You can set the limit as an absolute value by entering an integer between 1
and 5, or you can assign more than 100 percent if you want to oversubscribe the device. The system allows a maximum of 100
concurrent sessions divided between all contexts.
|
NAT Translations
|
Sets the limit for concurrent address translations. You can set the limit as an absolute value by entering an integer between
0 (system limit) and 266144, or you can assign more than 100 percent if you want to oversubscribe the device.
|
MAC Address
|
(Transparent mode only) Sets the limit for concurrent MAC address entries allowed in the MAC address table. You can set the
limit as an absolute value by entering an integer between 0 (system limit) and 65535, or you can assign more than 100 percent
if you want to oversubscribe the device.
|
ASDM
|
Sets the limit for ASDM management sessions (the default is 5). You can set the limit as an absolute value by entering an
integer between 1 and 5, or you can enter a percentage between 3.0 and 15.0. The system allows a maximum of 80 concurrent
sessions divided between all contexts.
ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes
that is present only when you make changes. For example, the system limit of 80 ASDM sessions represents a limit of 160 HTTPS
sessions, divided between all contexts.
|
Other VPN
|
Sets the limit for site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot
exceed the model limit. The sessions you assign for this resource are guaranteed to the context.
|
Other VPN Burst
|
Sets the limit for the number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other.
For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the
remaining 1000 sessions are available for other vpn burst. Unlike other vpn, which guarantees the sessions to the context,
other vpn burst can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.
|
Note
|
The maximum value for Anyconnect VPN and Anyconnect VPN Burst depends on ASA licenses. Cisco Security Manager cannot validate
the values entered for Anyconnect VPN and Anyconnect VPN Burst. Therefore, make sure that the values you enter for Anyconnect
VPN and Anyconnect VPN Burst are within the maximum values; otherwise, deployment results in an error. To find the maximum value,
telnet into the ASA and execute the show version command. The Total VPN Peers value corresponds to the maximum value.
|
|
Anyconnect VPN
|
Sets the limit for Secure Client peers. You cannot oversubscribe this resource; all context assignments combined cannot exceed
the model limit. The peers you assign for this resource are guaranteed to the context.
|
Anyconnect VPN Burst
|
The number of Secure Client sessions allowed beyond the amount assigned to a context with Secure Client. For example, if your model supports 5000 peers, and you assign 4000 peers across all contexts with Secure Client, then the remaining 1000 sessions are available for AnyConnect Burst. Unlike Secure Client, which guarantees the sessions to the context, AnyConnect Burst can be oversubscribed; the burst pool is available to all
contexts on a first-come, first-served basis.
|
Storage
|
Beginning with version 4.12, Security Manager enables you to enter the storage size or select Default. This feature is available
for ASA version 9.6(2) or later. The limit is set in MB. The default limit is 100% of the disk configured since this storage
cannot span multiple disks.
|
All Resources Limit
|
Sets a limit for all resources. If you also set the limit for a specific resource, then that limit overrides the limit you
set here for all resources. You can set the limit as a percentage, or as unlimited by setting the value to 0 (when percent is not checked). You cannot set any other absolute value. You can assign more than 100 percent if you want to oversubscribe
the device.
|
Contexts Tab
|
Available Contexts
|
Lists all contexts available for class assignments; contexts which already have class assignments are not displayed.
Select one or more contexts and click the >> button to add the contexts to the Selected Contexts list.
|
Selected Contexts
|
Lists all contexts assigned to this class.
Select one or more contexts and click the << button to return the contexts to the Available Contexts list.
|
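Because Security Manager cannot validate the Anyconnect VPN and Anyconnect VPN Burst values, a pre-deployment check against the Total VPN Peers value from show version catches out-of-range entries before they cause a deployment error. The following is an added example, not Cisco code; the function names, context names, and the sample show version excerpt are constructed for illustration.

```python
import re

# Constructed excerpt in the style of ASA `show version` license output.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Security Contexts                 : 10             perpetual
Total VPN Peers                   : 5000           perpetual
"""

def total_vpn_peers(show_version_text):
    """Return the Total VPN Peers value; raise if the line is absent."""
    m = re.search(r"^\s*Total VPN Peers\s*:\s*(\d+)", show_version_text, re.M)
    if m is None:
        raise ValueError("no 'Total VPN Peers' line found")
    return int(m.group(1))

def check_anyconnect_plan(max_peers, plan):
    """plan: {context: (guaranteed, burst)}. Returns a result dict."""
    errors, warnings = [], []
    guaranteed_total = sum(g for g, _ in plan.values())
    # Guaranteed peers cannot be oversubscribed across contexts.
    if guaranteed_total > max_peers:
        errors.append(f"guaranteed total {guaranteed_total} exceeds {max_peers}")
    burst_pool = max(max_peers - guaranteed_total, 0)
    for ctx, (g, b) in sorted(plan.items()):
        # Either value above the maximum is what causes the deployment error.
        if g > max_peers or b > max_peers:
            errors.append(f"{ctx}: value above maximum {max_peers}")
        # Assumption: a burst larger than the shared pool is only a warning,
        # because the burst pool may be oversubscribed (first come, first served).
        elif b > burst_pool:
            warnings.append(f"{ctx}: burst {b} exceeds pool of {burst_pool}")
    return {"burst_pool": burst_pool, "errors": errors, "warnings": warnings}

if __name__ == "__main__":
    limit = total_vpn_peers(SAMPLE_SHOW_VERSION)
    # Constructed plan mirroring the page's 5000/4000/1000 example.
    plan = {"ctx-a": (2500, 1000), "ctx-b": (1500, 1000)}
    print(limit, check_anyconnect_plan(limit, plan))
```
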