Overview

While adding long entries to the FAF (Firewall Advanced Filter) list, you receive the following alert StringListExceedMaxLengthAlert, and you wish to know how you should proceed.

You may further wish to know if you can set the attribute maxlistlength to 64,000 bytes, which is the maximum permissible value, without it impacting system performance.

Solution

Please refer to the FAF Operator Manual> Section 3.9> Lists for the information contained below.

The FAF supports up to 100 lists, and each list can contain up to 1000 entries. The semi-static configuration attribute maxlistlength controls the maximum internal memory units that the FAF can use for each list. Its range is 6400 to 64,000 bytes (the default is 6400). For example, if maxlistlength is set to 6400, then in a list with 100 entries, each entry can be 64 bytes. If the list had 1000 entries, each entry could be 6.4 bytes.

This functionality allows you to optimise the FAF's memory usage, depending on the content filtering that you want to do. For example, if your list of sensitive words is less than 6400 bytes, setting maxlistlength to 6400 will allow the FAF to allocate enough internal memory units for your list, without allocating unneeded memory units that will impact performance. If you provision a list that is too large for the allocated memory to hold it, the FAF will write a warning message in the syslog.

Based on the above, we recommend that you set a value based on your list of sensitive words, since the alerts mean that the list is too large for the currently allocated memory. We recommend a value in 6400 intervals, so the next suggested value would be 12800.

Please also note that allocating unneeded memory units will impact performance. So as such, it's a matter of testing a sensible value without directly jumping to the permitted max value. Since maxlistlength is set with the default value (6400 bytes), it's important to monitor syslog regarding possible alarms related to memory allocated, and if needed, maxlistlength can be increased.

So, you should monitor the memory usage and syslog for FAF volume filters and if necessary, increase the memory accordingly. The lower the memory limit is set, the less accurate the volume condition will work. Therefore, it's important to determine and configure a sensible value for this parameter. Please check FAF Memory Dimensioning in the FAF Operator Manual for more details.