Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Explorer

Firewall rules optimization for CPU and Network throughput

Hi.

This is a tricky question.

What would be the best option to reduce resource usage(CPU usage, throughput) on Checkpoint gateways, while grouping rules? Let me show you an example of a rule where multiple servers consume web APIs/data.

  • 1 rule with all hosts listed as source(thats how he have this rule today inside a Layer - Rule 21.3)
  • 1 rule, all hosts inside a group object, that object as source of the rule
  • 1 rule per source. This makes sense since those hosts access the internet at different rates/bandwidth so, hit count is not equal/balanced among them, but does not make sense if we think top-down rule precedence overhead 

 

FWRULES.JPG

 

What is the best option here?

0 Kudos
1 Reply
Highlighted
Champion
Champion

For an R77.30 and R80.10 gateway your first two options end up doing exactly the same thing as far as rulebase lookup overhead, as all groups are expanded out in the compiled INSPECT policy sent to the gateway.

On an R77.30 gateway the third option will cause slightly more rulebase lookup overhead assuming the connections associated with that rule are not able to be templated by SecureXL, due to the top-down, first-fit nature of rulebase lookups in that version.

On an R80.10+ gateway the additional rulebase lookup overhead for option 3 will be negligible, even if the connection can't be templated by SecureXL due to the Column-Based Matching approach to rulebase evaluation used in that version.

If you are on R80.10+ gateway, go with whatever option makes the most sense to you and provides the logging/hit count visibility that you need.

Edit: As far as network throughput, all options are equal.

 

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos