This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jin_Zhou
Contributor
‎2018-06-07 08:53 AM

What would be an impact for a large number of network objects to a CMA and gateways?

Hi,

We currently have about 8000 network objects and look for adding up to additional 70,000 host objects. What kind of impact are we expecting? Can someone share experience on the largest number of network objects they been working with in their system?

Thanks.

8 Replies
PhoneBoy
Admin
Admin
‎2018-06-08 11:13 AM

I've seen issues when you start working with more than, say, 100k network objects (specifically with SmartConsole).

Gateways shouldn't have an issue since they are getting a compiled version of the policy.

My question: why so many objects?

Because with that many objects, I can't imagine the policy is easy to maintain.

There are also probably a number of duplicates.

0 Kudos
Jin_Zhou
Contributor
‎2018-06-08 11:33 AM
In response to PhoneBoy

Say we want to whitelist a large number of internet hosts temporarily. The policy management shouldn't be an issue. I would just put those hosts in a group. My concern is the policy installation time and performance impact on the gateways. BTW we have 80.10 CMAs but most gateways are still on R77.30. On what version do you see the problem and what kind of problem? Thx.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-08 12:05 PM
In response to Jin_Zhou

The gateways should be a non-factor here.

I've seen tens of thousands of network objects in use across many Check Point Security Management versions (including R80.10).

Where I've observed issues in some installations was in R80.10 when automation was used to create a large number of objects (over 100k, don't remember the exact limit).

The issues were with SmartConsole in particular.

0 Kudos
Jin_Zhou
Contributor
‎2018-06-08 01:32 PM
In response to PhoneBoy

Thanks. I am using mgmt._cli to batch add and set objects. It does give me inconsistent results in our lab.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-08 02:23 PM
In response to Jin_Zhou

If you create thousands of objects before doing the commit action, you will see inconsistent results.

If you create them in batches of, say, 500, and perform a commit action on each batch, the results should be more consistent.

0 Kudos
Jin_Zhou
Contributor
‎2018-06-11 06:09 AM
In response to PhoneBoy

It does sound like that. Is there any way in batch mode to tell it to commit at certain interval? Or I have to break down .csv file to do it with my own script. Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-11 09:09 AM
In response to Jin_Zhou

You have to do it manually.

Note that there is a limit to the size of CSV file we support.

I don't remember the exact numbers offhand, but if you break it down in roughly 500 line chunks, you should see more consistent results. 

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-09 11:00 PM

R80.10 SmartConsole is built to scale. Pre-R80 the GUI would load all network objects, no matter how many there are, during the "login". With R80 lightweight communication, SmartConsole only has in its RAM the objects that you see on your screen. https://community.checkpoint.com/thread/5494-did-you-know-lightweight-communication-from-smartconsol... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events