<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Security Policy optimisation in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61022#M84353</link>
    <description>&lt;P&gt;Hello All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a quick question: I am faced with an issue of where to place the Identity Awareness policy rule in the security policy on the management server.&lt;/P&gt;&lt;P&gt;I was under the impression that since this rule has the most hit count, it needs to be placed towards the top of the rule base, but I was advised this rule needs to be placed towards the bottom of the rule base since it requires more processing because it utilises the firewall hold limit queue. The reason being not to affect the connection table. Any help on this issue will be well appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards.&lt;/P&gt;&lt;P&gt;Gladstone Abati-George&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 23 Aug 2019 09:14:34 GMT</pubDate>
    <dc:creator>Gladstone_Abati</dc:creator>
    <dc:date>2019-08-23T09:14:34Z</dc:date>
    <item>
      <title>Security Policy optimisation</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61022#M84353</link>
      <description>&lt;P&gt;Hello All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is a quick question: I am faced with an issue of where to place the Identity Awareness policy rule in the security policy on the management server.&lt;/P&gt;&lt;P&gt;I was under the impression that since this rule has the most hit count, it needs to be placed towards the top of the rule base, but I was advised this rule needs to be placed towards the bottom of the rule base since it requires more processing because it utilises the firewall hold limit queue. The reason being not to affect the connection table. Any help on this issue will be well appreciated.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards.&lt;/P&gt;&lt;P&gt;Gladstone Abati-George&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Aug 2019 09:14:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61022#M84353</guid>
      <dc:creator>Gladstone_Abati</dc:creator>
      <dc:date>2019-08-23T09:14:34Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy optimisation</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61026#M84354</link>
      <description>&lt;P&gt;Hi!&lt;/P&gt;&lt;P&gt;I think this question should be moved into the Management section, not here.&lt;/P&gt;&lt;P&gt;Regarding the question, it depends. Can you show us the rule itself? Who suggested that you make this kind of rule change, R&amp;amp;D? Maybe they found some specific details. We need more information regarding this case.&lt;/P&gt;&lt;P&gt;BR&lt;/P&gt;&lt;P&gt;Vato&lt;/P&gt;</description>
      <pubDate>Fri, 23 Aug 2019 10:23:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61026#M84354</guid>
      <dc:creator>Vato_Chantladze</dc:creator>
      <dc:date>2019-08-23T10:23:31Z</dc:date>
    </item>
    <item>
      <title>Re: Security Policy optimisation</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61041#M84355</link>
      <description>&lt;P&gt;Moving rules with high hit counts further up in the rulebase was a longstanding recommendation to help reduce the CPU overhead of rule base lookups on R77.30 and earlier gateways.&amp;nbsp; However, due to the new &lt;A href="https://community.checkpoint.com/t5/General-Management-Topics/Unified-Policy-Column-based-Rule-Matching/m-p/9888" target="_self"&gt;Column-based matching&lt;/A&gt; feature, which is enabled by default on R80.10+ gateways, moving frequently-hit rules towards the top of the policy provides only minimal gains and is probably not worth your time to pursue.&lt;/P&gt;
&lt;P&gt;For known users the gateway already has a user-to-IP mapping in its cache (along with group memberships) by the time a user's traffic reaches the gateway, so I don't see why moving a rule utilizing an IA access role downwards would be a recommendation here unless you are also using something like Domain objects in the same rule or perhaps invoking the Captive Portal.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Aug 2019 14:26:55 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Security-Policy-optimisation/m-p/61041#M84355</guid>
      <dc:creator>Timothy_Hall</dc:creator>
      <dc:date>2019-08-23T14:26:55Z</dc:date>
    </item>
  </channel>
</rss>

