Jin_Zhou
Contributor

Does heavy hit rule position still matter on performance?

I need to move some heavy hit rules from top to bottom and wonder if this will affect gateway performance on modern firewalls such as Checkpoint. Thanks.

8 Replies
the_rock
Legend

I will let others give their feedback, but personally, I only found that to matter in pre R80 versions.

G_W_Albrecht
Legend

Adjusting rule position will not change fw performance anymore - but you are able to identify unmatched rules that can be disabled after some time to lower the number of rules.

CCSE CCTE CCSM SMB Specialist
K_montalvo
Advisor

Excellent recommendation!

Timothy_Hall
Champion

In gateway versions R80.10 and later, it won't make a difference.  The relevant new feature is Column-based Matching which is enabled by default.  Not strictly necessary, but if you can limit as much as possible using "Any" in the Destination column of your rules it will help maximize the gains provided by this feature: Unified Policy Column-based Rule Matching.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
_Val_
Admin

@Timothy_Hall with all due respect, I would rather say, it won't make much of a difference.

Moving a heavily used rule down in the policy will actually require more CPU cycles to match. It is just that with the R8x family, it requires much less effort than with R7x. There will still be a minor performance drag, depending on how big the policy is.

Saying it will not matter at all is not 100% correct 🙂

Timothy_Hall
Champion

In my experience moving rules around even in very large policies does not make a measurable difference in CPU use in R80.10+.  But I would agree the difference is not zero, and in the real world probably not worth the administrator's time to analyze and move rules around for this form of optimization.

the_rock
Legend

I agree with both of you, @Timothy_Hall and @_Val_. In my experience as well, the difference is so minor that it might not be worth spending too much time on it...

Chris_Atkinson
Employee

sk32578 talks to some version-specific edge cases (mostly historic), as the others have alluded to, but generally speaking you should be fine.

CCSM R77/R80/ELITE