Vladimir
Pearl

How are the group objects being processed by the policy?

Somewhat trivial question, but I am interested in the impact the group objects have on policy.

If, for example, we have a single source and a destination comprised of 250 objects, will this result in firewall "creating" 250 virtual rules to process the parent rule?

If the group members are IP addresses, how are they sorted for processing?

If the "last" IP is the one with the most hits, does this imply that the preceding objects in the group are slowing overall rule processing?

0 Kudos
1 Solution

Accepted Solutions

Re: How are the group objects being processed by the policy?

There is a big change in enforcement logic between R77 and R80.10. The latter is briefly viewed here: CCMA's blog: CPET session 2 recording is out there

But for the purpose of your question, the answer is simple. A group is used for either Source or Destination. FW will try to match those fields as they are. That means it will check if the IP address is part of the listed objects. In other words, no "virtual rules", just a simple search to match an IP.

0 Kudos
2 Replies
Employee+

Re: How are the group objects being processed by the policy?

Rules containing multiple objects will just contain those objects (without creating multiple virtual rules).

In the multiple addresses example you've mentioned, the rule will contain all the 250 addresses. Those will be sorted and compacted into ranges.

0 Kudos
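To illustrate the reply above, here is an added example (not code from this thread or from Check Point) that sorts a constructed group of 250-plus members into compacted ranges and then tests an address against them by binary search, so the lookup cost depends only on the number of ranges, not on where a member sat in the group listing. Accepting CIDR networks as members is an assumption added here; the thread itself only mentions plain IP addresses.

```python
import ipaddress
from bisect import bisect_right

def compact_ranges(members):
    """Sort the group's members and merge adjacent or overlapping ones into
    (start, end) integer ranges, the compaction the reply describes.
    Members may be host addresses or CIDR networks (networks are an
    assumption of this example; the thread only mentions IP addresses)."""
    spans = []
    for m in members:
        net = ipaddress.ip_network(m, strict=False)   # a host becomes a /32
        spans.append((int(net.network_address), int(net.broadcast_address)))
    spans.sort()
    ranges = []
    for start, end in spans:
        if ranges and start <= ranges[-1][1] + 1:      # touches or overlaps previous range
            ranges[-1] = (ranges[-1][0], max(ranges[-1][1], end))
        else:
            ranges.append((start, end))
    return ranges

def ranges_as_text(ranges):
    """Render integer ranges back as dotted addresses for display."""
    return [f"{ipaddress.ip_address(s)}-{ipaddress.ip_address(e)}" for s, e in ranges]

def match(ranges, address):
    """Membership test by binary search over the range starts: O(log n) in the
    number of ranges, regardless of the member's position in the group."""
    ip = int(ipaddress.ip_address(address))
    i = bisect_right([s for s, _ in ranges], ip) - 1
    return i >= 0 and ranges[i][0] <= ip <= ranges[i][1]

# Constructed sample group: 250 consecutive hosts plus a few scattered members,
# deliberately listed out of order.
GROUP = [f"10.0.1.{i}" for i in range(1, 251)] + ["192.0.2.8", "198.51.100.0/24", "192.0.2.7"]

if __name__ == "__main__":
    ranges = compact_ranges(GROUP)
    print(len(GROUP), "members ->", len(ranges), "ranges:", ranges_as_text(ranges))
    for addr in ("10.0.1.1", "10.0.1.250", "10.0.1.251", "198.51.100.77"):
        print(addr, match(ranges, addr))
```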