User Preferences
The User Preferences section consists of the Deployment page and the Transactional Commit page. The Deployment page provides access to the Clear XLATE on deployment option. The Transactional Commit page allows you to enable or disable the transactional commit model for access rules or NAT rules.
Configuring Deployment Preferences on Firewall Devices
Use the User Preferences Deployment page to specify deployment options for specific firewall devices. You can create a policy with the deployment options you want to use and then apply that policy to all devices that you want using those deployment settings.
Step 1 Do one of the following:
- (Device view) Select Platform > User Preferences > Deployment from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Deployment from the Policy Types selector. Right-click Deployment and choose New Deployment Policy to create a policy, or select an existing policy from the Policies selector.
The Deployment page is displayed.
Step 2 Check Clear XLATE on deployment if you want the translation table cleared when a configuration is deployed to this device. Select this option to send a clear xlate command to the firewall before changes to access lists are made. This command clears all NAT translations. By default this option is not selected.
Note This option is necessary for certain commands to take effect. If these commands are changed, you should make sure this option is enabled for the device. However, clearing the translation table disconnects all current connections that use translations.
Step 3 Click Save at the bottom of the page.
Configuring Transactional Commit Preferences on Firewall Devices
By default, when you change a rule-based policy (such as access rules), the changes become effective immediately. However, this immediacy comes at a slight cost in performance. The performance cost is more noticeable for very large rule lists in a high connections-per-second environment, for example, when you change a policy with 25,000 rules while the ASA is handling 18,000 connections per second.
The performance is affected because the rule engine compiles rules to enable faster rule lookup. By default, the system will also search uncompiled rules when evaluating a connection attempt so that new rules can be applied; since the rules are not compiled, the search takes longer.
Beginning with ASA 9.1(5), you can change this behavior so that the rule engine uses a transactional model when implementing rule changes, continuing to use the old rules until the new rules are compiled and ready for use. Using the transactional model, performance should not drop during the rule compilation. The following table clarifies the behavioral difference.
| Model | Before Compilation | During Compilation | After Compilation |
| Default | Match old rules. | Match new rules. (Connections per second rate will decrease.) | Match new rules. |
| Transactional | Match old rules. | Match old rules. (Connections per second rate will be unaffected.) | Match new rules. |
An additional benefit of the transactional model is that, when replacing an ACL on an interface, there is no gap between deleting the old ACL and applying the new one. This reduces the chances that acceptable connections will be dropped during the operation.
Tip If you enable the transactional model for a rule type, there are syslog messages to mark the beginning and the end of the compilation. These messages are numbered 780001 and following.
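As an added example that is not part of this Cisco documentation, the following Python check reads an ASA syslog export and measures each rule-compilation window from these messages, so an operator can see how long the device ran on the old rule set during each deployment. It assumes that 780001 marks the start and 780002 the end of a compile (the page only states the series starts at 780001), and the sample lines and their message text are constructed.

```python
import re
from datetime import datetime

# Constructed sample export (not real device output). Only the
# "%ASA-<severity>-<id>:" prefix follows the ASA syslog convention;
# the message text after each ID is a placeholder.
SAMPLE_LOG = """\
Mar 10 2024 14:02:11 fw1 %ASA-6-302013: Built inbound TCP connection 1234
Mar 10 2024 14:02:15 fw1 %ASA-6-780001: rule engine compile started (constructed)
Mar 10 2024 14:02:15 fw1 %ASA-6-302013: Built inbound TCP connection 1235
Mar 10 2024 14:02:19 fw1 %ASA-6-780002: rule engine compile finished (constructed)
Mar 10 2024 14:30:00 fw1 %ASA-6-780001: rule engine compile started (constructed)
Mar 10 2024 14:30:07 fw1 %ASA-6-780002: rule engine compile finished (constructed)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
COMPILE_BEGIN = 780001  # assumption: first ID in the series marks the begin
COMPILE_END = 780002    # assumption: the next ID marks the end


def compile_windows(log_text):
    """Return (begin, end, seconds) for every begin/end pair found, in order."""
    windows = []
    begin = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not ASA syslog records
        msg_id = int(m.group("id"))
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        if msg_id == COMPILE_BEGIN:
            begin = ts  # a new compile starts; any unfinished one is dropped
        elif msg_id == COMPILE_END and begin is not None:
            windows.append((begin, ts, (ts - begin).total_seconds()))
            begin = None
    return windows


def long_compiles(log_text, threshold_s):
    """Windows longer than threshold_s, i.e. deployments worth reviewing."""
    return [w for w in compile_windows(log_text) if w[2] > threshold_s]


if __name__ == "__main__":
    for begin, end, secs in compile_windows(SAMPLE_LOG):
        print(f"compile {begin:%H:%M:%S} -> {end:%H:%M:%S}: {secs:.0f}s")
```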
Step 1 Do one of the following:
- (Device view) Select Platform > User Preferences > Transactional Commit from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > User Preferences > Transactional Commit from the Policy Types selector. Right-click Transactional Commit and choose New Transactional Commit Policy to create a policy, or select an existing policy from the Policies selector.
The Transactional Commit page is displayed.
Step 2 Enable the transactional commit model for the desired features. Options include access rules and NAT rules.
Step 3 Click Save at the bottom of the page.