Frederic_Mereu1
Explorer

Impact of rulebase size on gateway performance

Good afternoon,

I'm currently working on a gateway with ~300 rules, trying to follow most of the rulebase best practices (most used rules at the top, grouping similar rules together, ...).

Besides this, I'm looking into automating the ruleset, and I was wondering what would be the performance impact to create one rule per "source, destination, service" tuple -- i.e. not allowing multiple sources, destinations or services in the same rule entry.

For example, the following rule:

source: clients_external, clients_internal, destination: servers, service: https, dns

Would translate into 4 rules:

source: clients_external, destination: servers, service: https
source: clients_external, destination: servers, service: dns
source: clients_internal, destination: servers, service: https
source: clients_internal, destination: servers, service: dns

From an automation point of view, this seems easier to manage. For example, if the "clients_external" group needs to be deleted, we can delete all the rules where it is found, without impacting other flows.
Also, if the service for those clients needs to be replaced, it can be done directly as it won't affect any other client.

My main concern here is the performance of the gateway. A rulebase with 300 rules could easily expand to 2k rules, so there's a risk. I'm wondering if the SmartCenter is doing some kind of optimization while it's installing the policy on the gateways..

Does anyone have an idea? Or maybe tested this in a lab?

Thanks in advance,
Frederic.

Accepted Solutions
HeikoAnkenbrand
Champion

Here are rulebase optimization tips:

- Refer to R80.x - Security Gateway Architecture (Logical Packet Flow) to allow more connections to be accelerated by SecureXL "Fast Path" or "Medium Path".
- Place most used rules at the top - use the Hit Count in the SmartDashboard
- Reduce the number of rules.
- Use optimized inline layer rules / policies (it is faster:-)
- Optimize Unified Policy. You can easily create access policies which combine capabilities of blades such as traditional FireWall, Application Control, Content Awareness, Mobile Access and more.
- Reduce internal Threat Prevention traffic.
- and and and

More for performance tuning read here:

- R80.x - Top 20 Gateway Tuning Tips
- R80.x Architecture and Performance Tuning - Link Collection
- Performance Tuning R80.10 Administration Guide
- Performance Tuning R80.20 Administration Guide
- Performance Tuning R80.30 Administration Guide
- Best Practices - Security Gateway Performance

My personal opinion:

With more than 1000 rules you should think about the concept and simplify and minimize rules. Nobody will understand the ruleset anyway. 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

7 Replies
Nick_Doropoulos
Advisor

Hi Frederic,

You are right to be concerned with a potentially dramatic increase in the number of firewall rules as that will ultimately lead to more rule-base lookups and degraded performance. To avoid going down that path, I would urge that you tweak your automation tool as much as possible to avoid creating extra rules without a need. For example, the following rules...

source: clients_external, destination: servers, service: https
source: clients_external, destination: servers, service: dns
source: clients_internal, destination: servers, service: https
source: clients_internal, destination: servers, service: dns

should be two rules:

source: clients_external, destination: servers, service: dns, https
source: clients_internal, destination: servers, service: https, dns

If it is an R80.x firewall you are working on, make use of inline and ordered layers as wisely as possible and ensure that you avoid the use of "any" in the source and destination columns as much as possible.

I hope this helps.

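The two rulebase shapes discussed above (one rule per source/destination/service tuple versus rules consolidated by source and destination) can be compared mechanically. The following is an added example, not code from the original thread or from Check Point; it uses a constructed rule modelled on the one in the question, expands it into per-tuple rules, merges consecutive rules that share source and destination back together, shows the object-deletion operation the question is concerned with working on the consolidated form too, and counts how many rules an ordered first-match lookup evaluates in each form. The rule format (`source`, `destination`, `service` lists) and the assumption that every rule is an accept rule with no intervening deny are simplifications made for this example.

```python
from itertools import product

# Constructed sample rule, modelled on the one in the original question
# (assumption: a single accept rule; action is not modelled here).
SAMPLE_RULE = {
    "source": ["clients_external", "clients_internal"],
    "destination": ["servers"],
    "service": ["https", "dns"],
}


def expand(rule):
    """Split one rule into one rule per (source, destination, service) tuple.

    This is the 'one rule per tuple' layout proposed in the question; the rule
    count grows as the product of the three column sizes.
    """
    return [
        {"source": [s], "destination": [d], "service": [v]}
        for s, d, v in product(rule["source"], rule["destination"], rule["service"])
    ]


def consolidate(rules):
    """Merge *consecutive* rules that share the same source and destination.

    Only adjacent rules are merged so that rule order (and therefore first-match
    semantics) is preserved; merging across a rule with a different action would
    change what the rulebase allows, so this example never reorders rules.
    """
    out = []
    for r in rules:
        last = out[-1] if out else None
        if last and last["source"] == r["source"] and last["destination"] == r["destination"]:
            for svc in r["service"]:
                if svc not in last["service"]:
                    last["service"].append(svc)
        else:
            # Copy the lists so the caller's rules are not mutated.
            out.append({col: list(r[col]) for col in ("source", "destination", "service")})
    return out


def remove_object(rules, name):
    """Remove an object (group, host or service) from every column of every rule.

    A rule whose source, destination or service column becomes empty is dropped
    entirely: this is the 'delete clients_external everywhere' operation from the
    question, and it works the same way on consolidated rules.
    """
    kept = []
    for r in rules:
        trimmed = {col: [o for o in r[col] if o != name] for col in ("source", "destination", "service")}
        if all(trimmed.values()):
            kept.append(trimmed)
    return kept


def first_match(rules, src, dst, svc):
    """Ordered first-match lookup; returns (index of matching rule or None, rules evaluated).

    The second value is the cost the replies above worry about: every rule
    before the match is evaluated on the way down.
    """
    for i, r in enumerate(rules):
        if src in r["source"] and dst in r["destination"] and svc in r["service"]:
            return i, i + 1
    return None, len(rules)


if __name__ == "__main__":
    per_tuple = expand(SAMPLE_RULE)
    merged = consolidate(per_tuple)
    print(f"per-tuple rules: {len(per_tuple)}, consolidated rules: {len(merged)}")
    print("lookup cost (per-tuple):   ", first_match(per_tuple, "clients_internal", "servers", "dns"))
    print("lookup cost (consolidated):", first_match(merged, "clients_internal", "servers", "dns"))
    print("after deleting clients_external:", remove_object(merged, "clients_external"))
```

For the four-rule example in the thread, `consolidate` gives back the two rules Nick describes, and a lookup for the last tuple evaluates four rules in the per-tuple form against two in the consolidated form; at the 300-to-2k scale mentioned in the question the same ratio applies to every connection that has to go through the rulebase.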
PhoneBoy
Admin
I would also be concerned about the time it takes to compile the policy when you have thousands of rules, not to mention viewing it in SmartConsole.
Zoltan_Polowsky
Participant

I would like a SK over R80 rulebase optimization from Check Point.

HeikoAnkenbrand
Champion Champion
Champion

👍

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
There's a section in the R80.30 Next Generation Security Gateway Guide called Best Practices for Access Control Rules that covers this exact topic.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide...
Shannon_Diotte
Participant

I'm curious what the thoughts are on performance impact with the R80 column-based rule matching architecture. I didn't see any reference to it when talking about a large rulebase and performance.
