It's Here!
CPX 360 2021 Content
Check Point Harmony
Highest Level of Security for Remote Users
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
Advanced Protection for
Small and Medium Business
Secure Endpoints from
the Sunburst Attack
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi Guys,
We have 5600-NGTP device, we need to what is the maximum rule number can you added or supported by this firewall. And is the anyway to check for other devices also.
I have gone through the datasheet but unable to get it.
We are concerning it because we are already in the middle amount of CPU and memory usage of this firewall's. We are worried to add more rule on it.
Since this device is placed on the Service provider network so we already crossed more than 1950 rule's but still we are having the requirement's add the rule's.
Regards,
Vengatesh SR
PhoneBoy
There is no specific limit to the number of rules you can run on any of our appliances.
That said, if you have ~2k rules, managing the rulebase can become problematic.
It's likely you may have some duplicate or redundant rules or can combine some rules.
Also, types and order of rules will have more of a CPU impact than the number of rules.
General performance troubleshooting steps are probably in order.
You can start here: Best Practices - Security Gateway Performance
You may also benefit from a SmartOptimize exercise with Check Point Professional Services.
Maarten_Sjouw
there is also another way to make these type of policies more readable and les error prone, that would be by using layers, you say you are running this box in an ISP environment. When you can start with grouping specific networks' access to other networks, you could create a layerbeneath that contraolling what they are allowed to do to each other in more detail.
This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.
In these type of policies that is mostly the best way to improve the readability and prevent errors.
An example could be: main rule allow internet access to a DMZ network on a group of services, in the inline layer you can the allow any to smtp server with service SMTP, allow any to the webserver with http and https.
HeikoAnkenbrand
If you use more then 2K-3K rules, the performance goes down with smaller appliances.
I would work with subsequence rules here at R80+.
With so many rules, I'd think about your rule design, too. If necessary, you should simplify the ruleset.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY