Hi Guys,
We have a 5600-NGTP device, and we need to know the maximum number of rules that can be added to or supported by this firewall. Is there also a way to check this for other devices?
I have gone through the datasheet but was unable to find it.
We are concerned about it because we are already at a moderate level of CPU and memory usage on these firewalls, and we are worried about adding more rules.
Since this device is placed in a service provider network, we have already crossed more than 1950 rules, but we still have requirements to add rules.
Regards,
Vengatesh SR
There is no specific limit to the number of rules you can run on any of our appliances.
That said, if you have ~2k rules, managing the rulebase can become problematic.
It's likely you may have some duplicate or redundant rules or can combine some rules.
Also, types and order of rules will have more of a CPU impact than the number of rules.
General performance troubleshooting steps are probably in order.
You can start here: Best Practices - Security Gateway Performance
You may also benefit from a SmartOptimize exercise with Check Point Professional Services.
There is also another way to make these types of policies more readable and less error prone, and that is by using layers. You say you are running this box in an ISP environment: you can start by grouping specific networks' access to other networks, and then create a layer beneath that controlling in more detail what they are allowed to do to each other.
This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.
In these types of policies that is mostly the best way to improve readability and prevent errors.
An example could be: a main rule allowing internet access to a DMZ network on a group of services; in the inline layer you can then allow any to the SMTP server with service SMTP, and allow any to the webserver with HTTP and HTTPS.
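As an added illustration (not part of the original thread and not Check Point code), the following Python model shows how the two-tier policy described above evaluates: a parent rule whose action is an inline layer hands the decision to that layer, and a connection matching no rule in the inline layer hits that layer's implicit cleanup (assumed here to drop) rather than falling through to later parent rules. It also includes a simple shadowing check, since the earlier answer noted that a rulebase of this size probably contains duplicate or redundant rules. Addresses, rule names and the simplified source/destination/service matching are constructed for the example.

```python
"""Constructed model of inline-layer policy evaluation (not Check Point code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union


@dataclass
class Rule:
    name: str
    src: List[str]        # CIDRs or "any"
    dst: List[str]        # CIDRs or "any"
    services: List[str]   # e.g. "tcp/443", or "any"
    action: Union[str, "Layer"]   # "accept", "drop", or an inline Layer


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    implicit_cleanup: str = "drop"   # assumption: unmatched traffic in a layer is dropped


def _addr_matches(specs: List[str], ip: str) -> bool:
    addr = ip_address(ip)
    return any(s == "any" or addr in ip_network(s) for s in specs)


def _svc_matches(specs: List[str], service: str) -> bool:
    return any(s == "any" or s == service for s in specs)


def evaluate(layer: Layer, src_ip: str, dst_ip: str, service: str,
             trail: List[str] = None) -> Tuple[str, List[str]]:
    """First-match evaluation; returns (action, list of rules consulted)."""
    trail = [] if trail is None else trail
    for rule in layer.rules:
        if (_addr_matches(rule.src, src_ip) and _addr_matches(rule.dst, dst_ip)
                and _svc_matches(rule.services, service)):
            trail.append(f"{layer.name}/{rule.name}")
            if isinstance(rule.action, Layer):
                # Parent rule matched: the inline layer now decides, and a miss
                # there ends in the inline layer's cleanup, not in later parent rules.
                return evaluate(rule.action, src_ip, dst_ip, service, trail)
            return rule.action, trail
    trail.append(f"{layer.name}/implicit cleanup")
    return layer.implicit_cleanup, trail


def _elem_covers(a: str, b: str, is_addr: bool) -> bool:
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(a).supernet_of(ip_network(b)) if is_addr else a == b


def _covers(specs_a: List[str], specs_b: List[str], is_addr: bool) -> bool:
    """True if every element of specs_b falls inside some element of specs_a."""
    return all(any(_elem_covers(a, b, is_addr) for a in specs_a) for b in specs_b)


def shadowed_rules(layer: Layer) -> List[str]:
    """Rules that can never match because an earlier rule in the same layer covers them."""
    found = []
    for j, later in enumerate(layer.rules):
        for earlier in layer.rules[:j]:
            if (_covers(earlier.src, later.src, True) and _covers(earlier.dst, later.dst, True)
                    and _covers(earlier.services, later.services, False)):
                found.append(later.name)
                break
    return found


# Constructed sample policy mirroring the answer's example (DMZ 203.0.113.0/24).
DMZ = Layer("DMZ services", [
    Rule("Mail", ["any"], ["203.0.113.25/32"], ["tcp/25"], "accept"),
    Rule("Web", ["any"], ["203.0.113.80/32"], ["tcp/80", "tcp/443"], "accept"),
    Rule("Web (duplicate)", ["any"], ["203.0.113.80/32"], ["tcp/80"], "accept"),  # redundant
])
POLICY = Layer("Network", [
    Rule("Internet to DMZ", ["any"], ["203.0.113.0/24"], ["any"], DMZ),
    Rule("Cleanup", ["any"], ["any"], ["any"], "drop"),
])

if __name__ == "__main__":
    for dst, svc in [("203.0.113.80", "tcp/443"), ("203.0.113.80", "tcp/25"), ("10.0.0.5", "tcp/443")]:
        print(dst, svc, evaluate(POLICY, "198.51.100.7", dst, svc))
    print("shadowed in DMZ layer:", shadowed_rules(DMZ))
```

The second lookup is the point of the model: SMTP to the webserver matches the parent "Internet to DMZ" rule, finds nothing in the inline layer, and is dropped by that layer's cleanup, so the decision for DMZ traffic is made entirely inside the inline layer while the parent layer stays short. The shadowing check only handles exact service strings and CIDR containment, not service groups or negated fields.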