Hi

inside one domain /CMA: one gateway cluster out of 5 cluster.

Other domains do have Global Policy approach.

Regards

Hello.

This is Korea. I am a 9 year cp engineer. About 5-7 years ago, I saw a customer using about 8300 rules. The install policy time took too long, so the veryfing feature was removed, and after a while, the customer was informed that they had changed to fortigate. Even now, among the customers I care for, there are customers who use more than 3000 rules. If the network is large, there will be a lot more customers who use the rules more than you think. In my opinion, security officers don't organize rules and just add rules by host. So there's a problem.

Well said @Magnus-Holmberg 

Hi

Thanks for your valuable and reasonable input.

The (external) requirements and my personal preference and experience are not always the same 🙂

Thanks again!

Regards

Just had a look into a public available data sheet of a competitor and there is 65000 lines mentioned. Wondering why CheckPoint can't provide meaningful datasheet (with limits routing table size/ max numbers). But this is a different thread.

I would advise to take those competitive references with a grain of salt. There are plenty of use cases, when very granular access lists with tens of thousands of entries can be replaced with a single security policy rule 🙂 With more rules, you do not necessarily have better security. Sometimes, it is actually the opposite. One funny example of that was a customer who tried to reverse-engineer the access policies based on traffic logs. They ended up with several thousands of rules, but the cleanup was kept "any-any-access" for almost a decade. 

For the external requirements, I have seen that a lot, and even there, there are ways to keep the actual policies reasonably sized. @Magnus-Holmberg has provided a very good example above

This is an exciting topic:-)
I think that the rules and regulations should be clearly laid out. This is basically a design question.

The unified policy is used for processing rules from R8x onwards.

The Access Policy is processed in according to:
1) Source IP
2) Destination IP
3) Protocol (TCP, UDP,...)
4) Source port
5) Destination port

And the possible match are always sorted out and processed further. Therefore, policy processing is much faster than with older versions R6x and R7x. Therefore, large sets of rules are no longer so critical. I think there are other points to consider, which may be more time-critical (IPS, AV, ...). 

@_Val_  has a presentation describing the unified policy processing:
"Performance Optimization Part 1 Introduction"

PS:
But I am also a fan of smaller and more manageable rules.

@HeikoAnkenbrand, you know my urge to add to your statements 🙂

You said: "Therefore, large sets of rules are no longer so critical." 

Just a small clarification here. Size still matters. It is true that policy lookup logic in R8x has been changed, and it allows more effective lookup through the rules, but larger the policy, more CPU cycles will still be done. 

I was going to comment on this too, but for sake of keeping it "clean", I wont...but made me laugh though : - )

Very interesting topic. I was wondering how could you go down from 2k to 300 rules? I mean for core services like dns, dhcp, mail etc you would use groups and open for all networks. So this is quite efficient and should not generate lots of rules.

However when it comes to server to server communication and if company has let's say 500 of them, naturally number of rules goes up very quickly, unless firewall is filtering only between high level zones and further restrictions comes down to individual server to deny/allow in their local firewall.

In short, unless policy was extremely inefficient, it is hard to imagine how you can reduce number of rules so significantly in fairly big environment.

Well, I get your argument, but grouping in case like that is the key. This is why CP approach in R80+ with layered rules makes sense, as that allows people to create "parent layered rules" based on the zones and its way more secure that way than pre R80. In all honesty, as @Magnus-Holmberg said in this thread, if you have thousands of rules, you have way bigger problems with your design.

What are you trying to say? 

in the case I mentioned, their security admin was creating two rules per remote office, one inbound, one outbound. 1000 remote offices resulted in 2000 basically identical rules that could be replaced with only two. They had some other reasonable requirements that ended up with less that 300 rules after optimization. 

grouping, as other people already mentioned 

My point is that 2k > 300 seems impressive, however without explanation is just nice figures. People here having thousands of rules might be thinking they are doing something wrong.

1000 offices having separate rules is quite an extreme situation. I wish I had so much room for improvement 🙂 Thanks for sharing background information about this case.

Depending on the network design, security requirements and policy management routines in place, they may or may not do something wrong. I stress again, with rulebases of 500 rules and up, especially if you are not using inline layers, you should seriously consider an optimization exercise and also question your policy logics. 

This statement is based on 20+ years of personal experience with various customers in all types of industries, around the globe.

I will tell you even more. Lack of periodical cleanup, outdated rules, "reverse engineered" policies when customers try building rules based on traffic logs are the worst enemies of policy optimization. Another reason is having a huge core FW serving many security zones at once, instead breaking it down into "smaller" virtual GWs.

And now the small print. @abihsot__ , the company you are working for now was my customer for a decade, and during that time was not having huge policies on their FWs. I sincerely hope that did not change recently 🙂