I'm currently working on a gateway with ~300 rules, trying to follow most of the rulebase best practices (most used rules at the top, grouping similar rules together, ..).
Besides this, I'm looking into automating the ruleset, and I was wondering what would be the performance impact to create one rule per "source, destination, service" tuple -- i.e. not allowing multiple sources, destinations or services in the same rule entry.
For example, the following rule:
source: clients_external, clients_internal, destination: servers, service: https, dns
Would translate into 4 rules:
source: clients_external, destination: servers, service: https
source: clients_external, destination: servers, service: dns
source: clients_internal, destination: servers, service: https
source: clients_internal, destination: servers, service: dns
From an automation point of view, this seems easier to manage. For example, if the "clients_external" group needs to be deleted, we can delete all the rules where it is found, without impacting other flows.
Also, if the service for those clients needs to be replaced, it can be done directly as it won't affect any other client.
My main concern here is the performance of the gateway. A rulebase with 300 rules could easily expand to 2k rules, so there's a risk. I'm wondering if the SmartCenter is doing some kind of optimization while it's installing the policy on the gateways..
Does anyone have an idea? Or maybe tested this in a lab?
Thanks in advance,