
FTD Object Group Search


When working with Cisco FTD devices, there are well-documented limitations — such as max throughput and concurrent sessions — that you can find directly on Cisco's website. However, some limitations are only surfaced through less direct channels, such as Cisco Live sessions. One example is the maximum Access Control Entry (ACE) count per platform.

The ACE limits referenced in this post were shared during a Cisco Live breakout session in 2024. If your device is approaching its maximum ACE threshold, you should consider enabling Object Group Search (OGS). Starting with version 7.2, OGS is enabled by default on new deployments. If you have manually disabled it, are running a pre-7.2 release, or upgraded from a pre-7.2 release on which OGS was disabled, verify that it is actually turned on rather than assuming the default applies.

Keep in mind that OGS does require additional CPU resources, and the deployment that enables it triggers an ACL recompile which can be disruptive to system operation. For this reason, it's best to make the change during a scheduled maintenance window.

To enable OGS: FMC → Devices → Device Management → Select desired firewall → Device tab → Advanced Settings → Edit → Check: Object Group Search
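Whether OGS is on, and how close the ACL is to a limit, can also be checked from the device CLI rather than only from the FMC page. The script below is an added example written for this post, not Cisco tooling: it assumes you paste in the text of `show running-config object-group-search` (or `show running-config | include object-group-search`) and the header lines of `show access-list` from the firewall. The CLI samples in the block are constructed, not captured from a real device, and `PLATFORM_MAX_ACES` is a placeholder because the post does not reproduce the per-platform figures from the Cisco Live session; substitute the number for your platform.

```python
"""Check whether Object Group Search (OGS) is enabled and how close the
compiled ACL is to an ACE limit, from pasted FTD/ASA CLI output.

Added example for this post; not Cisco's tooling. The CLI text below is
constructed, and PLATFORM_MAX_ACES is a placeholder for the real limit.
"""
import re

# Placeholder platform limit (assumption): the post does not list the figures.
PLATFORM_MAX_ACES = 20000
WARN_RATIO = 0.8  # flag at 80% of the limit (our choice, not a Cisco value)

# Constructed sample of `show running-config object-group-search`,
# once with OGS enabled and once with the line absent.
RUN_CFG_OGS_ON = "object-group-search access-control\n"
RUN_CFG_OGS_OFF = ""

# Constructed sample of the first lines of `show access-list`.
SHOW_ACL = """access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list CSM_FW_ACL_; 18432 elements; name hash: 0x6eb4a2a1
access-list CSM_FW_ACL_ line 1 remark rule-id 268434432: ACCESS POLICY: Corp - Mandatory
"""

_OGS_LINE = re.compile(r"^\s*(no\s+)?object-group-search\s+access-control\s*$", re.M)
_ELEMENTS = re.compile(r"^access-list\s+(\S+);\s+(\d+)\s+elements;", re.M)


def ogs_enabled(run_cfg: str) -> bool:
    """True only when the config explicitly enables OGS.

    A `no object-group-search access-control` line, or no line at all, is
    treated as disabled; if the line is absent on a 7.2+ device, confirm
    the setting in FMC rather than trusting the default.
    """
    m = _OGS_LINE.search(run_cfg)
    return bool(m) and m.group(1) is None


def parse_ace_counts(show_acl: str) -> dict:
    """Map each ACL name to the element count the device reports for it."""
    return {name: int(n) for name, n in _ELEMENTS.findall(show_acl)}


def assess(run_cfg: str, show_acl: str, platform_max: int = PLATFORM_MAX_ACES) -> dict:
    """Combine both outputs into a single recommendation."""
    counts = parse_ace_counts(show_acl)
    total = sum(counts.values())
    ratio = total / platform_max if platform_max else 0.0
    enabled = ogs_enabled(run_cfg)
    if ratio >= WARN_RATIO and not enabled:
        # Enabling OGS triggers an ACL recompile: do it in a maintenance window.
        action = "enable-ogs"
    elif ratio >= WARN_RATIO:
        # OGS is already on; further ACE growth has to be addressed in the policy itself.
        action = "review-policy"
    else:
        action = "ok"
    return {
        "ogs_enabled": enabled,
        "total_elements": total,
        "utilization": round(ratio, 3),
        "action": action,
    }


if __name__ == "__main__":
    for label, cfg in (("OGS on", RUN_CFG_OGS_ON), ("OGS off", RUN_CFG_OGS_OFF)):
        print(label, assess(cfg, SHOW_ACL))
```

Run it against real output by replacing the two sample strings with what the device prints; the `elements` figure is the count the firewall reports for the compiled ACL, which is the number to compare against the platform limit.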

David Tu
Senior Network Engineer with 17+ years of enterprise infrastructure experience, bridging deep Cisco-certified expertise in routing & switching, data center architecture, VPN solutions, and virtualization with modern disciplines (network automation, AI-integrated tooling, and Azure cloud architecture), all anchored by a strong focus on cybersecurity and zero-trust design principles.