User Preferences

The User Preferences section consists of the Deployment page and the Transactional Commit page. The Deployment page provides access to the Clear XLATE on deployment option. The Transactional Commit page allows you to enable or disable the transactional commit model for access rules or NAT rules.

Configuring Deployment Preferences on Firewall Devices

Use the User Preferences Deployment page to specify deployment options for specific firewall devices. You can create a policy with the deployment options you want to use and then apply that policy to every device that should use those deployment settings.

Procedure


Step 1

Do one of the following:

  • (Device view) Select Platform > User Preferences > Deployment from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Deployment from the Policy Types selector. Right-click Deployment and choose New Deployment Policy to create a policy, or select an existing policy from the Policies selector.

The Deployment page is displayed.

Step 2

Check Clear XLATE on deployment if you want the translation table cleared when a configuration is deployed to this device.

Select this option to send a clear xlate command to the firewall before changes to access lists are made. This command clears all NAT translations. By default this option is not selected.

Note

This option is necessary for certain commands to take effect. If these commands are changed, you should make sure this option is enabled for the device. However, clearing the translation table disconnects all current connections that use translations.

Step 3

Click Save at the bottom of the page.


Configuring Transactional Commit Preferences on Firewall Devices

By default, when you change a rule-based policy (such as access rules), the changes become effective immediately. However, this immediacy comes at a slight cost in performance. The performance cost is more noticeable for very large rule lists in a high connections-per-second environment, for example, when you change a policy with 25,000 rules while the ASA is handling 18,000 connections per second.

The performance is affected because the rule engine compiles rules to enable faster rule lookup. By default, the system will also search uncompiled rules when evaluating a connection attempt so that new rules can be applied; since the rules are not compiled, the search takes longer.

Beginning with ASA 9.1(5), you can change this behavior so that the rule engine uses a transactional model when implementing rule changes, continuing to use the old rules until the new rules are compiled and ready for use. Using the transactional model, performance should not drop during the rule compilation. The following table clarifies the behavioral difference.

Model          Before Compilation   During Compilation                          After Compilation
-------------  -------------------  ------------------------------------------  -----------------
Default        Match old rules      Match new rules. (Connections per second    Match new rules.
                                    rate will decrease.)
Transactional  Match old rules      Match old rules. (Connections per second    Match new rules.
                                    rate will be unaffected.)

An additional benefit of the transactional model is that, when replacing an ACL on an interface, there is no gap between deleting the old ACL and applying the new one. This reduces the chances that acceptable connections will be dropped during the operation.

Tip

If you enable the transactional model for a rule type, there are syslog messages to mark the beginning and the end of the compilation. These messages are numbered 780001 and following.

Procedure


Step 1

Do one of the following:

  • (Device view) Select Platform > User Preferences > Transactional Commit from the Device Policy selector.

  • (Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Transactional Commit from the Policy Types selector. Right-click Transactional Commit and choose New Transactional Commit Policy to create a policy, or select an existing policy from the Policies selector.

The Transactional Commit page is displayed.

Step 2

Enable the transactional commit model for the desired features. Options include:

  • Access Group

  • NAT

Step 3

Click Save at the bottom of the page.
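The two check boxes above decide, per rule type, whether a large rule change costs connections per second while the new rules compile. The following added audit script (not part of this documentation or of Cisco Security Manager) parses constructed ASA running-config excerpts and flags rule types that have many rules but still commit immediately; it assumes the check boxes correspond to the CLI line `asp rule-engine transactional-commit {access-group|nat}`, and the device names, rules and threshold are constructed for the example.

```python
import re

# Constructed ASA running-config excerpts, not captured from real devices.
# "asp rule-engine transactional-commit {access-group|nat}" is the CLI
# setting assumed to correspond to the two CSM check boxes on this page.
DEVICE_CONFIGS = {
    "asa-edge-1": """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source static DMZ_WEB DMZ_WEB_PUBLIC
asp rule-engine transactional-commit access-group
""",
    "asa-dc-2": """\
access-list DC_IN extended permit tcp 10.0.0.0 255.0.0.0 any eq 443
access-list DC_IN extended deny ip any any
nat (inside,outside) source dynamic any interface
asp rule-engine transactional-commit nat
""",
}

ACL_RE = re.compile(r"^access-list \S+ extended ")  # skips 'remark' lines
NAT_RE = re.compile(r"^nat \(")
TXN_RE = re.compile(r"^asp rule-engine transactional-commit (access-group|nat)$")

def audit_device(config: str) -> dict:
    """Count access-group and NAT rules and collect the rule types that use
    the transactional model; the default 'no asp ...' form never matches."""
    counts = {"access-group": 0, "nat": 0}
    transactional = set()
    for line in config.splitlines():
        line = line.strip()  # object NAT lines are indented under 'object network'
        if ACL_RE.match(line):
            counts["access-group"] += 1
        elif NAT_RE.match(line):
            counts["nat"] += 1
        elif (m := TXN_RE.match(line)):
            transactional.add(m.group(1))
    return {"counts": counts, "transactional": transactional}

def findings(configs: dict, min_rules: int = 2) -> list:
    """Flag rule types with at least min_rules rules that still commit
    immediately (CPS drops while they compile). Threshold is constructed."""
    out = []
    for name, cfg in configs.items():
        a = audit_device(cfg)
        for feature, n in a["counts"].items():
            if n >= min_rules and feature not in a["transactional"]:
                out.append(f"{name}: {n} {feature} rules, transactional commit off")
    return out
```

In practice you would feed the script the output of `show running-config` from each managed device and raise the threshold to the rule counts at which you observe the performance cost described above.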