Jin_Zhou
Nickel

What would be an impact for a large number of network objects to a CMA and gateways?

Hi,

We currently have about 8000 network objects and are looking to add up to an additional 70,000 host objects. What kind of impact are we expecting? Can someone share experience on the largest number of network objects they have been working with in their system?

Thanks.

8 Replies
Admin
Admin

Re: What would be an impact for a large number of network objects to a CMA and gateways?

I've seen issues when you start working with more than, say, 100k network objects (specifically with SmartConsole).

Gateways shouldn't have an issue since they are getting a compiled version of the policy.

My question: why so many objects?

Because with that many objects, I can't imagine the policy is easy to maintain.

There are also probably a number of duplicates.

0 Kudos
Jin_Zhou
Nickel

Re: What would be an impact for a large number of network objects to a CMA and gateways?

Say we want to whitelist a large number of internet hosts temporarily. The policy management shouldn't be an issue. I would just put those hosts in a group. My concern is the policy installation time and performance impact on the gateways. BTW we have 80.10 CMAs but most gateways are still on R77.30. On what version do you see the problem and what kind of problem? Thx.

0 Kudos
Admin
Admin

Re: What would be an impact for a large number of network objects to a CMA and gateways?

The gateways should be a non-factor here.

I've seen tens of thousands of network objects in use across many Check Point Security Management versions (including R80.10).

Where I've observed issues in some installations was in R80.10 when automation was used to create a large number of objects (over 100k, don't remember the exact limit).

The issues were with SmartConsole in particular.

0 Kudos
Jin_Zhou
Nickel

Re: What would be an impact for a large number of network objects to a CMA and gateways?

Thanks. I am using mgmt_cli to batch add and set objects. It does give me inconsistent results in our lab.

0 Kudos
Admin
Admin

Re: What would be an impact for a large number of network objects to a CMA and gateways?

If you create thousands of objects before doing the commit action, you will see inconsistent results.

If you create them in batches of, say, 500, and perform a commit action on each batch, the results should be more consistent.

0 Kudos
Jin_Zhou
Nickel

Re: What would be an impact for a large number of network objects to a CMA and gateways?

It does sound like that. Is there any way in batch mode to tell it to commit at a certain interval? Or do I have to break down the .csv file and do it with my own script? Thanks.

0 Kudos
Admin
Admin

Re: What would be an impact for a large number of network objects to a CMA and gateways?

You have to do it manually.

Note that there is a limit to the size of CSV file we support.

I don't remember the exact numbers offhand, but if you break it down in roughly 500 line chunks, you should see more consistent results. 

0 Kudos
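
One way to do the manual chunking described above, as an added example that is not from the thread or from Check Point: split the CSV into files of at most 500 data rows, each repeating the header, then run one batch import and one publish per file. The function names and file names are hypothetical, and the thread's "commit" is assumed to be the API's `publish`.

```shell
#!/bin/sh
# Added example. Assumes a header row and no quoted fields containing newlines.

# split_csv_batches INPUT OUTDIR [SIZE]
# Writes OUTDIR/batch_0001.csv, batch_0002.csv, ... Each file repeats the
# header and holds at most SIZE data rows. Prints the number of files written.
split_csv_batches() {
    input=$1; outdir=$2; size=${3:-500}
    [ -r "$input" ] || { echo "cannot read $input" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v size="$size" -v dir="$outdir" '
        { sub(/\r$/, "") }                 # tolerate CRLF exports
        NR == 1 { header = $0; next }      # keep the header for every chunk
        /^[[:space:]]*$/ { next }          # ignore blank lines
        (rows % size) == 0 {               # start a new chunk file
            if (out != "") close(out)
            out = sprintf("%s/batch_%04d.csv", dir, ++n)
            print header > out
        }
        { print > out; rows++ }
        END { print n + 0 }
    ' "$input"
}

# import_batches OUTDIR
# One "add host --batch" and one publish per chunk; stops at the first failure
# so a bad chunk is discarded instead of being mixed into later ones.
# Assumes it runs as root on the management server (login -r true).
import_batches() {
    dir=$1; rc=0
    sid=$(mktemp) || return 1              # session file, created mode 0600
    mgmt_cli login -r true > "$sid" || { rm -f "$sid"; return 1; }
    for f in "$dir"/batch_*.csv; do
        if mgmt_cli add host --batch "$f" -s "$sid" &&
           mgmt_cli publish -s "$sid"; then
            echo "published $f"
        else
            echo "failed on $f, discarding unpublished changes" >&2
            mgmt_cli discard -s "$sid"; rc=1; break
        fi
    done
    mgmt_cli logout -s "$sid"; rm -f "$sid"
    return "$rc"
}

# Usage (file names are placeholders):
#   split_csv_batches hosts.csv ./batches 500 && import_batches ./batches
```

Because the import stops at the first failing chunk, the last "published" line shows where to resume after fixing the offending rows.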

Re: What would be an impact for a large number of network objects to a CMA and gateways?

R80.10 SmartConsole is built to scale. Pre-R80 the GUI would load all network objects, no matter how many there are, during the "login". With R80 lightweight communication, SmartConsole only has in its RAM the objects that you see on your screen.  

0 Kudos