cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
NOC_TBL
Ivory

Firewall rules optimization for CPU and Network throughput

Hi.

This is a tricky question.

What would be the best option to reduce resource usage(CPU usage, throughput) on Checkpoint gateways, while grouping rules? Let me show you an example of a rule where multiple servers consume web APIs/data.

  • 1 rule with all hosts listed as source(thats how he have this rule today inside a Layer - Rule 21.3)
  • 1 rule, all hosts inside a group object, that object as source of the rule
  • 1 rule per source. This makes sense since those hosts access the internet at different rates/bandwidth so, hit count is not equal/balanced among them, but does not make sense if we think top-down rule precedence overhead 

 

FWRULES.JPG

 

What is the best option here?

0 Kudos
1 Reply

Re: Firewall rules optimization for CPU and Network throughput

For an R77.30 and R80.10 gateway your first two options end up doing exactly the same thing as far as rulebase lookup overhead, as all groups are expanded out in the compiled INSPECT policy sent to the gateway.

On an R77.30 gateway the third option will cause slightly more rulebase lookup overhead assuming the connections associated with that rule are not able to be templated by SecureXL, due to the top-down, first-fit nature of rulebase lookups in that version.

On an R80.10+ gateway the additional rulebase lookup overhead for option 3 will be negligible, even if the connection can't be templated by SecureXL due to the Column-Based Matching approach to rulebase evaluation used in that version.

If you are on R80.10+ gateway, go with whatever option makes the most sense to you and provides the logging/hit count visibility that you need.

Edit: As far as network throughput, all options are equal.

 

 

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos