Create a Post
Showing results for 
Search instead for 
Did you mean: 

Security Policy optimisation

Hello All


This is a quick question: I am faced with an issue of where to place Identity Awareness policy rule in the security policy on the management server?

I was under the impression that since this rule has the most hit count, it need to be placed towards the top of the rule base, but I was advised this rule, need to be placed towards the bottom of the rule base since it requires more processing because it utilises the firewall hold limit queue. Reason being not to affect the connection table. Any help on this issue will be well appreciated.


Kind regards.

Gladstone Abati-George


0 Kudos
2 Replies


I think this question should be moved into Management section, not here.

Regarding the question, it depends. Can you show us Rule itself? Who suggested you to make this kind rule changes, R&D? Maybe they found some specific details. We need more information regarding this case.



0 Kudos

Moving rules with high hit counts further up in the rulebase was a longstanding recommendation to help reduce the CPU overhead of rule base lookups in R77.30 gateway and earlier.  However due to the new Column-based matching feature which is enabled by default in R80.10+ gateway, moving frequently-hit rules towards the top of the policy provides only minimal gains and is probably not worth your time to pursue.

For known users the gateway already has a user to IP mapping in its cache (along with group memberships) by the time a user's traffic reaches the gateway, so I don't see why moving a rule utilizing an IA access role downwards would be a recommendation here unless you are also using something like Domain objects in the same rule or perhaps invoking the Captive Portal.


New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at
0 Kudos