This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Vengatesh_SR
Contributor
‎2019-02-25 10:42 AM

Maximum Policy Number's.

Hi Guys,

We have 5600-NGTP device, we need to what is the maximum rule number can you added or supported by this firewall. And is the anyway to check for other devices also.

I have gone through the datasheet but unable to get it.

We are concerning it because we are already in the middle amount of CPU and memory usage of this firewall's. We are worried to add more rule on it.

Since this device is placed on the Service provider network so we already crossed more than 1950 rule's but still we are having the requirement's add the rule's.

Regards,

Vengatesh SR

0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin
‎2019-02-25 07:34 PM

There is no specific limit to the number of rules you can run on any of our appliances.

That said, if you have ~2k rules, managing the rulebase can become problematic.

It's likely you may have some duplicate or redundant rules or can combine some rules.

Also, types and order of rules will have more of a CPU impact than the number of rules.

General performance troubleshooting steps are probably in order.

You can start here: Best Practices - Security Gateway Performance 

You may also benefit from a SmartOptimize exercise with Check Point Professional Services.

0 Kudos
Reply
Maarten_Sjouw
Champion
Champion
‎2019-02-26 05:58 AM

there is also another way to make these type of policies more readable and les error prone, that would be by using layers, you say you are running this box in an ISP environment. When you can start with grouping specific networks' access to other networks, you could create a layerbeneath that contraolling what they are allowed to do to each other in more detail.

This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.

In these type of policies that is mostly the best way to improve the readability and prevent errors.

An example could be: main rule allow internet access to a DMZ network on a group of services, in the inline layer you can the allow any to smtp server with service  SMTP, allow any to the webserver with http and https.

Regards, Maarten
0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion
‎2019-03-10 03:31 AM

If you use more then 2K-3K rules, the performance goes down with smaller appliances.

I would work with subsequence rules here at R80+.

With so many rules, I'd think about your rule design, too. If necessary, you should simplify the ruleset.

0 Kudos
Reply