https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127203#M18437 <P>Short Answer: I don't think it will make a meaningful difference in performance.</P> <P>Long Answer: I assume you would need multiple instances of the first /32 /32 rule as compared to the second rule, which would increase the size of your rulebase.&nbsp; Normally you'd want the rulebase to be as short as possible for optimization purposes, but performance-wise this doesn't matter nearly as much as it used to due to the introduction of column-based matching in R80.10.&nbsp; Technically it would be best to keep your destination columns as specific as possible (especially trying to avoid using "Any" in that field), as column-based matching looks at the Destination column in the first round of matching, and can "throw out" many more non-matching rules in that first round if the Destination columns are as specific as possible, and have far fewer rules to look at during round 2 (source IP) and round 3 (destination port).</P> Tue, 17 Aug 2021 12:16:44 GMT Timothy_Hall 2021-08-17T12:16:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127194#M18435 <P>Hi Team,</P><P>this is just for general information, that from below, what makes firewall performance degrade, and what will be best practice to configure firewall rules:</P><P>&gt; Configuring specific /32 source host IP and specific /32 host destination IP&nbsp; or&nbsp;</P><P>&gt; Configuring specific server subnet /24&nbsp; as source and /32 as destination.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 17 Aug 2021 11:25:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127194#M18435 Roshan_Sinha 2021-08-17T11:25:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127203#M18437 <P>Short Answer: I don't think it will make a meaningful difference in performance.</P> <P>Long Answer: I assume you would need multiple instances of the first /32 /32 rule as compared to the second rule, which would increase the size of your rulebase.&nbsp; Normally you'd want the rulebase to be as short as possible for optimization purposes, but performance-wise this doesn't matter nearly as much as it used to due to the introduction of column-based matching in R80.10.&nbsp; Technically it would be best to keep your destination columns as specific as possible (especially trying to avoid using "Any" in that field), as column-based matching looks at the Destination column in the first round of matching, and can "throw out" many more non-matching rules in that first round if the Destination columns are as specific as possible, and have far fewer rules to look at during round 2 (source IP) and round 3 (destination port).</P> Tue, 17 Aug 2021 12:16:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127203#M18437 Timothy_Hall 2021-08-17T12:16:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127211#M18442 <P>adding to&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;, having less rules is always better from the performance perspective. For a single rule, it does not matter if you use a subnet, a group of host objects or just list all those hosts in the rule. That said, you also need to consider your own administrative effort to build this rule.</P> Tue, 17 Aug 2021 12:38:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/what-makes-firewall-performance-down/m-p/127211#M18442 _Val_ 2021-08-17T12:38:43Z