Firewall rules optimization for CPU and Network throughput


This is a tricky question.

What would be the best option to reduce resource usage (CPU usage, throughput) on Check Point gateways while grouping rules? Let me show you an example of a rule where multiple servers consume web APIs/data.

  • 1 rule with all hosts listed as source (that's how we have this rule today inside a Layer - Rule 21.3)
  • 1 rule, all hosts inside a group object, with that object as the source of the rule
  • 1 rule per source. This makes sense since those hosts access the internet at different rates/bandwidth, so hit count is not equal/balanced among them, but it does not make sense if we think about top-down rule precedence overhead




What is the best option here?

2 Replies

For R77.30 and R80.10 gateways your first two options end up doing exactly the same thing as far as rulebase lookup overhead, as all groups are expanded out in the compiled INSPECT policy sent to the gateway.

On an R77.30 gateway the third option will cause slightly more rulebase lookup overhead, assuming the connections associated with that rule are not able to be templated by SecureXL, due to the top-down, first-fit nature of rulebase lookups in that version.

On an R80.10+ gateway the additional rulebase lookup overhead for option 3 will be negligible, even if the connection can't be templated by SecureXL, due to the Column-Based Matching approach to rulebase evaluation used in that version.

If you are on an R80.10+ gateway, go with whatever option makes the most sense to you and provides the logging/hit count visibility that you need.

Edit: As far as network throughput, all options are equal.



Watch My 2023 CPX360 Speech Titled "Max Power Reloaded: R81+ Gateway Performance Innovations"
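To make the reply above concrete, here is an added example (not Check Point code, and not from the poster) that models the three layouts on a constructed rulebase and counts how many cells each lookup strategy touches. It models two strategies: a row-at-a-time top-down first-fit walk (the R77.30 behaviour described above) and a column-at-a-time match that indexes each column and intersects the candidates (a simplified stand-in for R80.10+ Column-Based Matching, not the real implementation). The rule names, host names, the 20 preceding rules, and the "checks" cost unit are all assumptions of the model; SecureXL templating is ignored.

```python
"""Toy cost model for the three rule layouts in the thread (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANY = "Any"
Conn = Tuple[str, str, str]          # (source, destination, service)


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]
    dst: FrozenSet[str]
    svc: FrozenSet[str]

    def cells(self) -> Tuple[FrozenSet[str], ...]:
        return (self.src, self.dst, self.svc)


def cell_matches(cell: FrozenSet[str], value: str) -> bool:
    return ANY in cell or value in cell


# --- constructed rulebase (assumed names, not from the thread) --------------
HOSTS = [f"srv{i:02d}" for i in range(1, 11)]          # 10 API client hosts
WEB = frozenset({"http", "https"})
CONN_LAST = ("srv10", "api.example.net", "https")      # traffic from the last host
CONN_FIRST = ("srv01", "api.example.net", "https")     # traffic from the first host


def preceding_rules(n: int = 20) -> List[Rule]:
    """n unrelated rules above ours (think rules 1..20 of the layer); none match HOSTS."""
    return [Rule(f"rule{i}", frozenset({f"other{i}"}), frozenset({ANY}), frozenset({"https"}))
            for i in range(1, n + 1)]


def layout_listed(hosts: List[str]) -> List[Rule]:
    """Option 1: one rule, every host listed individually as source."""
    return [Rule("21.3", frozenset(hosts), frozenset({ANY}), WEB)]


def layout_group(hosts: List[str]) -> List[Rule]:
    """Option 2: source is a group object; policy compilation expands it to its members."""
    group_object = {"name": "grp_api_clients", "members": frozenset(hosts)}
    return [Rule("21.3", group_object["members"], frozenset({ANY}), WEB)]


def layout_per_host(hosts: List[str]) -> List[Rule]:
    """Option 3: one rule per source host, in host order."""
    return [Rule(f"21.3.{i}", frozenset({h}), frozenset({ANY}), WEB) for i, h in enumerate(hosts, 1)]


def topdown_lookup(rules: List[Rule], conn: Conn) -> Tuple[Optional[str], int]:
    """Row at a time: first rule whose every column matches wins. Cost = cells compared."""
    checks = 0
    for rule in rules:
        for cell, value in zip(rule.cells(), conn):
            checks += 1
            if not cell_matches(cell, value):
                break                      # this row is out; try the next one
        else:
            return rule.name, checks
    return None, checks


class ColumnIndex:
    """Column at a time: value -> rule positions per column; 'Any' rules kept aside."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.columns: List[Tuple[Dict[str, Set[int]], Set[int]]] = []
        for col in range(3):
            by_value: Dict[str, Set[int]] = {}
            any_rules: Set[int] = set()
            for pos, rule in enumerate(rules):
                cell = rule.cells()[col]
                if ANY in cell:
                    any_rules.add(pos)
                else:
                    for v in cell:
                        by_value.setdefault(v, set()).add(pos)
            self.columns.append((by_value, any_rules))

    def lookup(self, conn: Conn) -> Tuple[Optional[str], int]:
        """One index lookup per column, intersect, lowest surviving position wins.
        Cost = lookups + survivors, independent of how many rows share a value."""
        candidates: Optional[Set[int]] = None
        checks = 0
        for (by_value, any_rules), value in zip(self.columns, conn):
            checks += 1
            matched = by_value.get(value, set()) | any_rules
            candidates = matched if candidates is None else candidates & matched
            if not candidates:
                return None, checks
        checks += len(candidates)
        return self.rules[min(candidates)].name, checks


def compare(conn: Conn) -> Dict[str, Tuple[Optional[str], int, int]]:
    """Per layout: (matched rule, top-down checks, column-based checks)."""
    out: Dict[str, Tuple[Optional[str], int, int]] = {}
    for label, tail in (("listed", layout_listed(HOSTS)), ("group", layout_group(HOSTS)),
                        ("per-host", layout_per_host(HOSTS))):
        rules = preceding_rules() + tail
        name_td, cost_td = topdown_lookup(rules, conn)
        name_cb, cost_cb = ColumnIndex(rules).lookup(conn)
        assert name_td == name_cb          # both strategies must pick the same rule
        out[label] = (name_td, cost_td, cost_cb)
    return out


if __name__ == "__main__":
    print("options 1 and 2 compile to the same rule:", layout_listed(HOSTS) == layout_group(HOSTS))
    for label, (name, td, cb) in compare(CONN_LAST).items():
        print(f"{label:9s} matched {name:8s} top-down={td:3d} column-based={cb}")
```

With the assumed 20 preceding rules and 10 hosts, a connection from the last host costs the top-down walk 23 cell checks for options 1 and 2 and 32 for option 3 (nine extra rows fail on the source column before the matching one), while the column-based match costs 4 in every layout because the source index goes straight to the matching row regardless of how many rows precede it. A connection from the first host costs option 3 the same 23 as the others under top-down, which is the position-dependent, uneven-hit-count effect the original post mentions.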

OK, zombie response, but... For ALL resource optimization, I would consider creating a second rule out of 21.2. Create a group of your known and trusted DNS servers and use that as a destination. Then set the rule to no log. Follow that with the current 21.2 rule. While it does diminish your DNS inspection (but we know them and trust them to a degree), it reduces logging, handling the logs, and creates a cleaner log view that allows visual clues of other activity to be easier to see.
