Vladimir
Champion

How are the group objects being processed by the policy?


Somewhat trivial question, but I am interested in the impact the group objects have on policy.

If, for example, we have a single source and a destination comprised of 250 objects, will this result in firewall "creating" 250 virtual rules to process the parent rule?

If the group members are IP addresses, how are they sorted for processing?

If the "last" IP is the one with the most hits, does this imply that the preceding objects in the group are slowing overall rule processing?


Accepted Solutions
_Val_
Admin

There is a big change in enforcement logic between R77 and R80.10. The latter is briefly viewed here: CCMA's blog: CPET session 2 recording is out there

But for the purpose of your question, the answer is simple. A group is used for either Source or Destination. FW will try to match those fields as they are. That means it will check if the IP address is part of the listed objects. In other words, no "virtual rules", just a simple search to match an IP.

2 Replies
Tal_Ben_Avraham
Employee

Rules containing multiple objects will just contain those objects (without creating multiple virtual rules).

In the multiple addresses example you've mentioned, the rule will contain all 250 addresses. Those will be sorted and compacted into ranges.

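The two answers above (one rule whose Source/Destination fields are matched as sets, and group members sorted and compacted into ranges) can be illustrated with a small model. This is an added example written for this thread, not Check Point code and not a description of the actual gateway internals; the group members and rule are constructed, and it assumes IPv4-only groups.

```python
import bisect
import ipaddress


class CompiledGroup:
    """A network group pre-processed for matching: members are parsed, sorted by
    start address and merged into non-overlapping (start, end) integer ranges.
    Illustrative model only; assumes IPv4 members."""

    def __init__(self, members):
        raw = []
        for m in members:
            net = ipaddress.ip_network(m, strict=False)  # a host "1.2.3.4" becomes a /32
            raw.append((int(net.network_address), int(net.broadcast_address)))
        raw.sort()
        self.ranges = []
        for start, end in raw:
            # Merge a member that overlaps or directly follows the previous range.
            if self.ranges and start <= self.ranges[-1][1] + 1:
                self.ranges[-1] = (self.ranges[-1][0], max(self.ranges[-1][1], end))
            else:
                self.ranges.append((start, end))
        self._starts = [s for s, _ in self.ranges]

    def contains(self, ip):
        """One binary search over range starts. The cost does not depend on where
        the matching member was listed in the original group definition."""
        addr = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self._starts, addr) - 1
        return i >= 0 and addr <= self.ranges[i][1]


class Rule:
    """A single rule whose Source and Destination are groups: matching is two
    membership tests on one rule, not 250 expanded 'virtual rules'."""

    def __init__(self, src, dst):
        self.src = CompiledGroup(src)
        self.dst = CompiledGroup(dst)

    def matches(self, src_ip, dst_ip):
        return self.src.contains(src_ip) and self.dst.contains(dst_ip)


# Constructed sample group: unsorted, with overlapping and adjacent members.
DST_GROUP = ["192.168.1.10", "10.0.1.0/24", "172.16.0.0/12", "10.0.0.0/24", "192.168.1.0/25"]
RULE = Rule(src=["203.0.113.0/24"], dst=DST_GROUP)

if __name__ == "__main__":
    print(len(RULE.dst.ranges), "ranges compiled from", len(DST_GROUP), "members")
    for ip in ("10.0.1.200", "10.0.2.0", "192.168.1.10", "172.20.5.5"):
        print(ip, RULE.matches("203.0.113.7", ip))
```

Reversing the member order produces identical ranges, which is why the position of a frequently hit address inside the group has no bearing on match cost in this model.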