This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NOC_TBL
Explorer
‎2019-05-23 01:51 PM

Firewall rules optimization for CPU and Network throughput

Hi.

This is a tricky question.

What would be the best option to reduce resource usage(CPU usage, throughput) on Checkpoint gateways, while grouping rules? Let me show you an example of a rule where multiple servers consume web APIs/data.

  • 1 rule with all hosts listed as source(thats how he have this rule today inside a Layer - Rule 21.3)
  • 1 rule, all hosts inside a group object, that object as source of the rule
  • 1 rule per source. This makes sense since those hosts access the internet at different rates/bandwidth so, hit count is not equal/balanced among them, but does not make sense if we think top-down rule precedence overhead 

 

FWRULES.JPG

 

What is the best option here?

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2019-05-23 04:13 PM

For an R77.30 and R80.10 gateway your first two options end up doing exactly the same thing as far as rulebase lookup overhead, as all groups are expanded out in the compiled INSPECT policy sent to the gateway.

On an R77.30 gateway the third option will cause slightly more rulebase lookup overhead assuming the connections associated with that rule are not able to be templated by SecureXL, due to the top-down, first-fit nature of rulebase lookups in that version.

On an R80.10+ gateway the additional rulebase lookup overhead for option 3 will be negligible, even if the connection can't be templated by SecureXL due to the Column-Based Matching approach to rulebase evaluation used in that version.

If you are on R80.10+ gateway, go with whatever option makes the most sense to you and provides the logging/hit count visibility that you need.

Edit: As far as network throughput, all options are equal.

 

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
George_Ellis
Advisor
‎2021-05-18 08:20 AM

OK, zombie response, but...  For ALL resource optimization, I would consider creating a second rule out of 21.2.  Create a group of your known and trusted DNS servers and use that as a destination.  Then set the rule to no log.  Follow that with the current 21.2 rule.  While is does diminish your DNS inspection (but we know then and trust them to a degree), it reduces logging, handling the logs, and creates a cleaner log view that allows visual clues of other activity to be easier to see.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events