This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vengatesh_SR
Contributor
‎2019-02-25 10:42 AM

Maximum Policy Number's.

Hi Guys,

We have 5600-NGTP device, we need to what is the maximum rule number can you added or supported by this firewall. And is the anyway to check for other devices also.

I have gone through the datasheet but unable to get it.

We are concerning it because we are already in the middle amount of CPU and memory usage of this firewall's. We are worried to add more rule on it.

Since this device is placed on the Service provider network so we already crossed more than 1950 rule's but still we are having the requirement's add the rule's.

Regards,

Vengatesh SR

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-02-25 07:34 PM

There is no specific limit to the number of rules you can run on any of our appliances.

That said, if you have ~2k rules, managing the rulebase can become problematic.

It's likely you may have some duplicate or redundant rules or can combine some rules.

Also, types and order of rules will have more of a CPU impact than the number of rules.

General performance troubleshooting steps are probably in order.

You can start here: Best Practices - Security Gateway Performance 

You may also benefit from a SmartOptimize exercise with Check Point Professional Services.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-26 05:58 AM

there is also another way to make these type of policies more readable and les error prone, that would be by using layers, you say you are running this box in an ISP environment. When you can start with grouping specific networks' access to other networks, you could create a layerbeneath that contraolling what they are allowed to do to each other in more detail.

This way you can create multiple main rules and multiple inline layers controlling the details per specific access group.

In these type of policies that is mostly the best way to improve the readability and prevent errors.

An example could be: main rule allow internet access to a DMZ network on a group of services, in the inline layer you can the allow any to smtp server with service  SMTP, allow any to the webserver with http and https.

Regards, Maarten
0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2019-03-10 03:31 AM

If you use more then 2K-3K rules, the performance goes down with smaller appliances.

I would work with subsequence rules here at R80+.

With so many rules, I'd think about your rule design, too. If necessary, you should simplify the ruleset.


➜ CCSM Elite, CCME, CCTE
0 Kudos