https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142186#M25289 <P>I need to move some heavy hit rules from top to bottom and wonder if this will affect gateway performance on modern firewalls such Checkpoint. Thanks.</P> Tue, 22 Feb 2022 15:36:18 GMT Jin_Zhou 2022-02-22T15:36:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142186#M25289 <P>I need to move some heavy hit rules from top to bottom and wonder if this will affect gateway performance on modern firewalls such Checkpoint. Thanks.</P> Tue, 22 Feb 2022 15:36:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142186#M25289 Jin_Zhou 2022-02-22T15:36:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142187#M25290 <P>I will let others give their feedback, but personally, I only found that to matter in pre R80 versions.</P> Tue, 22 Feb 2022 15:39:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142187#M25290 the_rock 2022-02-22T15:39:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142190#M25291 <P>Adjusting rule position will not change fw performance anymore - but you are able to identify unmatched rules that can be disabled after some time to lower the number of rules.</P> Tue, 22 Feb 2022 15:43:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142190#M25291 G_W_Albrecht 2022-02-22T15:43:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142194#M25292 <P>In gateway versions R80.10 and later, it won't make a difference.&nbsp; The relevant new feature is Column-based Matching which is enabled by default.&nbsp; Not strictly necessary, but if you can limit as much as possible using "Any" in the Destination column of your rules it will help maximize the gains provided by this feature:&nbsp;<A id="link_11" href="https://community.checkpoint.com/t5/Management/Unified-Policy-Column-based-Rule-Matching/m-p/9888?search-action-id=39799898198&amp;search-result-uid=9888" target="_blank">Unified Policy&nbsp;Column-based&nbsp;Rule&nbsp;Matching.</A></P> Tue, 22 Feb 2022 16:05:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142194#M25292 Timothy_Hall 2022-02-22T16:05:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142197#M25293 <P>Excellent recommendation!</P> Tue, 22 Feb 2022 16:19:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142197#M25293 K_montalvo 2022-02-22T16:19:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142271#M25294 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;with all due respect, I would rather say, it won't make <U><EM>much</EM></U> of a difference.</P> <P>Moving a heavily used rule down in the policy will actually require more CPU cycles to match. It is just with R8x family, it requires <EM><U>much less</U></EM> efforts than with R7x. There still be minor performance drag, depending on how big is the policy.&nbsp;<BR /><BR />Saying it will not matter at all is not 100% correct <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 23 Feb 2022 08:27:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142271#M25294 _Val_ 2022-02-23T08:27:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142302#M25295 <P>In my experience moving rules around even in very large policies does not make a measurable difference in CPU use in R80.10+.&nbsp; But I would agree the difference is not zero, and in the real world probably not worth the administrator's time to analyze and move rules around for this form of optimization.</P> Wed, 23 Feb 2022 13:23:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142302#M25295 Timothy_Hall 2022-02-23T13:23:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142303#M25296 <P>I agree with both of you&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/597">@Timothy_Hall</a>&nbsp;and&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;. In my experience as well, difference is so minor, that it might not be worth spending too much time on it...</P> Wed, 23 Feb 2022 13:30:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142303#M25296 the_rock 2022-02-23T13:30:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142356#M25297 <P><SPAN>sk32578 talks to some version specific edge cases (mostly historic) as the others have alluded to but generally speaking you should be fine.</SPAN></P> Thu, 24 Feb 2022 01:09:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Does-heavy-hit-rule-position-still-matter-on-performance/m-p/142356#M25297 Chris_Atkinson 2022-02-24T01:09:23Z