How will layers impact policy performance?
If a rule does not match a parent rule, will the gateway still go over the child rules in the layer?
I might be using wrong terminology, so I'll explain using an example:
No.   Source           Destination   Action
1     management_net   CP_Hosts      Mgmt_layer
1.1   robert's pc      HQ_XL         accept
1.2   steven's pc      R80_CMA       accept
1.3   IT_Net           R80_CMA       accept
1.4   any              any           deny
2     DC_Net           DC_Net        DC_internal_layer
2.2   SAP_Net          SAP_Net       accept
2.3   any              any           deny
Let's say a packet that fits the layer in rule number 2 arrives at the gateway, will it still go over 1.1 & 1.2 & 1.3 and so on, or will it just skip the entire layer if it does not match the parent rule?
If it does skip the layer if it does not match the parent rule, how much of an improvement in performance can we expect to see?
Thank you.
Accepted Solutions
Hi,
In your example, a packet that is supposed to match rule #2 will be evaluated against rule #1, won't be evaluated against 1.1-1.4 and then will be evaluated (and matched) to rule #2.
Regarding performance improvement - the question is compared to what?
If you mean that in the past all rules were evaluated and now only the parent rules, then the answer is that it really depends on the rules in the inline layer and what their performance impact is...
Hope this answers your question.
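
The evaluation order described in the answer above, as an added example that is not part of the original thread and is not Check Point code: a simplified first-match model of the rulebase from the question that records which rules a packet is compared against. The IP addresses, the `POLICY` structure and the `evaluate` function are assumptions made for illustration; the thread gives object names only.

```python
import ipaddress

# Constructed addresses (assumption): the thread names the objects but gives no IPs.
OBJ = {
    "management_net": "10.1.0.0/24", "CP_Hosts": "10.2.0.0/24",
    "robert's pc": "10.1.0.10/32", "steven's pc": "10.1.0.11/32",
    "IT_Net": "10.1.0.64/26", "HQ_XL": "10.2.0.1/32", "R80_CMA": "10.2.0.2/32",
    "DC_Net": "10.3.0.0/16", "SAP_Net": "10.3.5.0/24", "any": "0.0.0.0/0",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in OBJ.items()}

# (number, source, destination, action). A list as the action is an inline layer.
# Rule numbers are kept exactly as posted in the question.
POLICY = [
    ("1", "management_net", "CP_Hosts", [
        ("1.1", "robert's pc", "HQ_XL", "accept"),
        ("1.2", "steven's pc", "R80_CMA", "accept"),
        ("1.3", "IT_Net", "R80_CMA", "accept"),
        ("1.4", "any", "any", "deny"),
    ]),
    ("2", "DC_Net", "DC_Net", [
        ("2.2", "SAP_Net", "SAP_Net", "accept"),
        ("2.3", "any", "any", "deny"),
    ]),
]

def evaluate(src, dst, rules=POLICY, trace=None):
    """First-match walk. Returns (action, rule numbers the packet was compared to)."""
    trace = [] if trace is None else trace
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, rule_src, rule_dst, action in rules:
        trace.append(num)  # every comparison is recorded, matched or not
        if s in NETS[rule_src] and d in NETS[rule_dst]:
            if isinstance(action, list):
                # Parent rule matched: only now are the child rules looked at.
                return evaluate(src, dst, action, trace)
            return action, trace
        # Parent did not match: its inline layer is skipped entirely.
    return "no match in this model", trace

if __name__ == "__main__":
    # A SAP-to-SAP packet is compared to rule 1, then 2, then 2.2; never to 1.1-1.4.
    print(evaluate("10.3.5.10", "10.3.5.20"))
```
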
Please refer to the comprehensive layers review in the following thread:
Layers in R80
I hope it will cover all your needs.
