This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gladstone_Abati
Explorer
‎2019-08-23 02:14 AM

Security Policy optimisation

Hello All

 

This is a quick question: I am faced with an issue of where to place Identity Awareness policy rule in the security policy on the management server?

I was under the impression that since this rule has the most hit count, it need to be placed towards the top of the rule base, but I was advised this rule, need to be placed towards the bottom of the rule base since it requires more processing because it utilises the firewall hold limit queue. Reason being not to affect the connection table. Any help on this issue will be well appreciated.

 

Kind regards.

Gladstone Abati-George

 

0 Kudos
2 Replies
Vato_Chantladze
Contributor
Contributor
‎2019-08-23 03:21 AM

Hi!

I think this question should be moved into Management section, not here.

Regarding the question, it depends. Can you show us Rule itself? Who suggested you to make this kind rule changes, R&D? Maybe they found some specific details. We need more information regarding this case.

BR

Vato

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-08-23 07:26 AM

Moving rules with high hit counts further up in the rulebase was a longstanding recommendation to help reduce the CPU overhead of rule base lookups in R77.30 gateway and earlier.  However due to the new Column-based matching feature which is enabled by default in R80.10+ gateway, moving frequently-hit rules towards the top of the policy provides only minimal gains and is probably not worth your time to pursue.

For known users the gateway already has a user to IP mapping in its cache (along with group memberships) by the time a user's traffic reaches the gateway, so I don't see why moving a rule utilizing an IA access role downwards would be a recommendation here unless you are also using something like Domain objects in the same rule or perhaps invoking the Captive Portal.

 

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events