Lior_Shaki
Employee

What is the Maximum number of rules in R80

What is the Maximum number of rules in R80?


Accepted Solutions
Tomer_Sole
Mentor

In short - no, there is no limitation on the number of rules that a security policy can have. We can observe this in several aspects:

Using the GUI - R80 SmartConsole does not load all the rules in the policy but takes chunks of pages. This allows the user to browse a rulebase without reaching a memory limit.

Install Policy - the policy installation process compiles the policy to GW files. While the more rules you have the longer it will take to install the policy, every policy installation will eventually succeed. R80 brings an improvement to some environments, depending on the capabilities of the Management server, by utilizing more of the RAM and cores during policy installation.

Networking - rulebase performance is affected more by broken acceleration templates based on specific capabilities of some rules (time objects, service with resource, etc.) and less by the size of the policy. While the size does introduce a performance impact, it is negligible compared to the content of actual rules and their placement in policies.

Ease of management - this is where the size of a security policy could matter. The larger your rulebase, the less convenient it will be to organize it and keep its section structure. Pending R80.10 Gateways, you can prepare your policy for easier management by splitting rulebases into inline and ordered layers, and as a result allow reusable chunks of rules, and control the permission profiles within your policy.

Hope this helps


4 Replies
Saul_Goodman
Participant

Is there any reference documentation regarding this?

Chris_Atkinson
Employee

We talk to the "Install Policy" portion here amongst other Management topics:

https://www.checkpoint.com/downloads/products/r80.10-security-management-architecture-overview.pdf 


Also the Gateway/Network portion here:

sk98348: Best Practices - Security Gateway Performance - Section 3-8 Rulebase Optimization

Place most used rules at the top ....

"Note: the new column-based matching of Gateways of version R80.10 and above eliminates this need."


I'm sure there are other references but no single SK that I'm aware of since as Tomer said there is no specific limit to document.

With that said we have published some "guidance" here:

sk178325: Smart-1 6000-L / 6000-XL Sizing Recommendations

CCSM R77/R80/ELITE
Piet_vd_Maas
Contributor

There is a limit of 251 inline layers per policy package. See "Policy installation failed on gateway. If the problem persists contact Check Point support (Error c...

CCSE - CCVS
