
Maximum Policy Numbers.

Hi Guys,

We have a 5600-NGTP device. We need to know what the maximum number of rules is that can be added to or supported by this firewall, and whether there is any way to check this for other devices as well.

I have gone through the datasheet but was unable to find it.

We are concerned because we are already at a moderate level of CPU and memory usage on these firewalls, and we are worried about adding more rules.

Since this device is placed on the service provider network, we have already crossed more than 1950 rules, but we still have requirements to add rules.

Regards,

Vengatesh SR

Admin

Re: Maximum Policy Numbers.

There is no specific limit to the number of rules you can run on any of our appliances.

That said, if you have ~2k rules, managing the rulebase can become problematic.

It's likely you may have some duplicate or redundant rules or can combine some rules.

Also, types and order of rules will have more of a CPU impact than the number of rules.

General performance troubleshooting steps are probably in order.

You can start here: Best Practices - Security Gateway Performance 

You may also benefit from a SmartOptimize exercise with Check Point Professional Services.


Re: Maximum Policy Numbers.

There is also another way to make these types of policies more readable and less error-prone: by using layers. You say you are running this box in an ISP environment. You can start by grouping specific networks' access to other networks, then create a layer beneath that controlling what they are allowed to do to each other in more detail.

This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.

In these types of policies that is mostly the best way to improve readability and prevent errors.

An example could be: a main rule allowing internet access to a DMZ network on a group of services; in the inline layer you can then allow any to the SMTP server with service SMTP, and any to the webserver with HTTP and HTTPS.

Regards, Maarten
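The parent-rule plus inline-layer design described in the reply above, modelled as an added example (constructed here, not Check Point code or anything posted in this thread). The host, group and rule names are hypothetical; the matching semantics are the R80+ ones: first match wins within a layer, a parent rule with action "Apply Layer" hands the packet to its inline layer, and if nothing in the inline layer matches, that layer's implicit cleanup rule (Drop by default for inline layers) decides, without falling through to the rest of the parent rulebase. This models what you would build in SmartConsole or via the Management API with add-access-layer and add-access-rule (action "Apply Layer").

```python
"""Simplified model of a Check Point-style rulebase with one inline layer.

Constructed example for illustration; object names (smtp-server, web-server,
mgmt-host, ...) are hypothetical and groups are pre-resolved to member sets.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = "Any"


@dataclass
class Rule:
    name: str
    source: Set[str]
    destination: Set[str]
    service: Set[str]
    action: str                         # "Accept", "Drop" or "Apply Layer"
    inline_layer: Optional["Layer"] = None   # only for "Apply Layer"


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "Drop"      # inline layers default to Drop


def _matches(field_values: Set[str], value: str) -> bool:
    return ANY in field_values or value in field_values


def evaluate(layer: Layer, src: str, dst: str, svc: str,
             path: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Return (decision, list of rules consulted) for one connection.

    First match wins. A matching parent rule whose action is "Apply Layer"
    delegates to its inline layer; if no rule there matches, the inline
    layer's implicit cleanup applies and the parent layer is NOT consulted
    further (this is the behaviour that surprises people most often).
    """
    path = [] if path is None else path
    for rule in layer.rules:
        if (_matches(rule.source, src) and _matches(rule.destination, dst)
                and _matches(rule.service, svc)):
            path.append(f"{layer.name}:{rule.name}")
            if rule.action == "Apply Layer":
                assert rule.inline_layer is not None, "Apply Layer needs a layer"
                return evaluate(rule.inline_layer, src, dst, svc, path)
            return rule.action, path
    path.append(f"{layer.name}:implicit cleanup")
    return layer.implicit_cleanup, path


def build_rulebase() -> Layer:
    """The DMZ example from the reply: one main rule, details in an inline layer."""
    dmz_hosts = {"smtp-server", "web-server"}        # group "DMZ-net", resolved
    dmz_services = {"smtp", "http", "https"}         # service group "DMZ-services"

    dmz_inline = Layer("DMZ inline", [
        Rule("SMTP to mail relay", {ANY}, {"smtp-server"}, {"smtp"}, "Accept"),
        Rule("Web to webserver", {ANY}, {"web-server"}, {"http", "https"}, "Accept"),
    ])
    return Layer("Network", [
        Rule("Management", {"mgmt-host"}, {"fw"}, {"ssh", "https"}, "Accept"),
        Rule("Internet to DMZ", {ANY}, dmz_hosts, dmz_services,
             "Apply Layer", dmz_inline),
        Rule("Cleanup", {ANY}, {ANY}, {ANY}, "Drop"),
    ])


if __name__ == "__main__":
    rb = build_rulebase()
    # Constructed sample connections: (source, destination, service)
    samples = [
        ("internet-host", "smtp-server", "smtp"),    # Accept via inline layer
        ("internet-host", "web-server", "https"),    # Accept via inline layer
        ("internet-host", "smtp-server", "https"),   # matches parent, no inline
                                                     # rule -> inline implicit Drop
        ("internet-host", "internal-db", "smtp"),    # Network cleanup Drop
    ]
    for src, dst, svc in samples:
        decision, path = evaluate(rb, src, dst, svc)
        print(f"{src} -> {dst} [{svc}]: {decision}  via {' > '.join(path)}")
```

The third sample is the caveat worth remembering when you move rules into inline layers: HTTPS to the mail server matches the broad parent rule (the destination is in DMZ-net and HTTPS is in DMZ-services), so it is decided inside the inline layer and dropped by that layer's implicit cleanup, not by whatever rule you placed further down the Network layer. Keep the parent rule's service group no wider than the union of what the inline layer actually allows, or the implicit cleanup becomes the rule doing most of your dropping, which is hard to see in logs.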

Re: Maximum Policy Numbers.

If you use more than 2K-3K rules, performance goes down with smaller appliances.

I would work with subsequence rules here on R80+.

With so many rules, I'd think about your rule design, too. If necessary, you should simplify the ruleset.
