
Performance Issue Due to Disabled Rule

Hello

Will there be any performance issue due to the existence of disabled rules in the firewall policy table, where those disabled rules are scattered throughout it from top to bottom?

5 Replies

Re: Performance Issue Due to Disabled Rule

Hi,

I don't think it will be a performance issue, because if you disable the rule, the firewall will not check it. For more information, refer to the SK below.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Admin

Re: Performance Issue Due to Disabled Rule

It won't hurt performance, but it won't necessarily improve it, either.

For example, if you disable a rule that disables SecureXL templates, rules below that rule will still not benefit from SecureXL templates. 

Re: Performance Issue Due to Disabled Rule

Disabled rules are not actually included in the firewall's compiled policy that it receives; you can verify this by looking in the $FWDIR/state/__tmp/local.set file on the firewall. At a minimum there is a placeholder for all rules in that file (including the disabled ones) specifying their UID, but that is it.

Dameon, disabling a rule that is halting SecureXL templating actually will permit templating to continue; please see the screenshots below from R80.10 concerning rule #7:

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Admin

Re: Performance Issue Due to Disabled Rule

You might want to double-check that on R77.30, as at least from what I observed, it still did disable templates. Nice we fixed it on R80.10, though.

Re: Performance Issue Due to Disabled Rule

Dameon, we had the same issue, and by disabling the policy, templating continued below and the performance was improved.

Service with a port number range policy was disabled.