Prior to the ability to do Country Blocking, one of my clients had a blackhole DNAT with dozens of entries in the "Spammers" Network Group. The most-efficient is Network definitions that use CIDR notation. Small groups of those are usually best. Although Range definitions are possible, they are not efficient and are limited to subnets smaller than a /16.
What problem are you trying to solve?
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
For some reason, the number 4096 comes to mind, but I could easily be mis-remembering. Performance will suffer badly way before anything approaching this kind of number is reached though.
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
I want to know the limit of an Network Group definition. Before I run into it.
I guess I should have said that you aren't using WebAdmin in an optimal fashion if this is on your radar, and that you should come back here when you think that you have a designed a solution that would require such large groups.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
