This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lior_Shaki
Employee
Employee
‎2016-08-23 09:12 AM
Jump to solution

What is the Maximum number of rules in R80

What is the Maximum number of rules  in R80

0 Kudos
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2016-08-25 06:28 AM
Jump to solution

In short - no, there is no limitation on the amount of the rules that a security policy can have. We can observe this in several aspects:

Using the GUI - R80 SmartConsole does not load all the rules in the policy but takes chunks of pages. This allows the user to browse a rulebase without reaching a memory limit.

Install Policy - the policy installation process compiles the policy to GW files. While the more rules you have the longer it will take to install the policy, every policy installation will eventually succeed. R80 brings an improvement to some environments, depending the capabilities of the Management server, by utilizing more of the RAM and cores during policy installation.

Networking - rulebase performance is affected more with broken acceleration templates based on specific capabilities of some rules (time objects, service with resource, etc.) and less with the size of the policy. While the size does introduce a performance impact, it is negligible comparing to the content of actual rules and their placement in policies.

Ease of management - this is where the size of a security policy could matter. The larger your rulebase, the less convenient it will be to organize it and keep its sections structure. Pending R80.10 Gateways, you can prepare your policy for easier management by splitting rulebases to inline and ordered layers, and as a result allow reusable chunks of rules, and control the permission profiles within your policy.

Hope this helps

View solution in original post

4 Replies
Tomer_Sole
Mentor
Mentor
‎2016-08-25 06:28 AM
Jump to solution

In short - no, there is no limitation on the amount of the rules that a security policy can have. We can observe this in several aspects:

Using the GUI - R80 SmartConsole does not load all the rules in the policy but takes chunks of pages. This allows the user to browse a rulebase without reaching a memory limit.

Install Policy - the policy installation process compiles the policy to GW files. While the more rules you have the longer it will take to install the policy, every policy installation will eventually succeed. R80 brings an improvement to some environments, depending the capabilities of the Management server, by utilizing more of the RAM and cores during policy installation.

Networking - rulebase performance is affected more with broken acceleration templates based on specific capabilities of some rules (time objects, service with resource, etc.) and less with the size of the policy. While the size does introduce a performance impact, it is negligible comparing to the content of actual rules and their placement in policies.

Ease of management - this is where the size of a security policy could matter. The larger your rulebase, the less convenient it will be to organize it and keep its sections structure. Pending R80.10 Gateways, you can prepare your policy for easier management by splitting rulebases to inline and ordered layers, and as a result allow reusable chunks of rules, and control the permission profiles within your policy.

Hope this helps

Saul_Goodman
Participant
Participant
‎2022-08-14 09:25 PM
In response to Tomer_Sole
Jump to solution

Is there a reference documentation regarding this 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-08-15 12:49 AM
In response to Saul_Goodman
Jump to solution

We talk to the "Install Policy" portion here amongst other Management topics:

https://www.checkpoint.com/downloads/products/r80.10-security-management-architecture-overview.pdf 


Also the Gateway/Network portion here:

sk98348: Best Practices - Security Gateway Performance - Secton 3-8 Rulebase Optimization

Place most used rules at the top ....

"Note: the new column-based matching of Gateways of version R80.10 and above eliminates this need."


I'm sure there are other references but no single SK that I'm aware of since as Tomer said there is no specific limit to document.

With that said we have published some "guidance" here:

sk178325: Smart-1 6000-L / 6000-XL Sizing Recommendations

CCSM R77/R80/ELITE
0 Kudos
Piet_vd_Maas
Contributor
Contributor
‎2022-08-15 06:36 AM
In response to Tomer_Sole
Jump to solution

There is a limit of 251 inline layers per policy package. See "Policy installation failed on gateway. If the problem persists contact Check Point support (Error c...

CCSM Elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events