This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roshan_Sinha
Explorer
‎2021-08-17 04:25 AM

what makes firewall performance down

Hi Team,

this is just for general information, that from below, what makes firewall performance degrade, and what will be best practice to configure firewall rules:

> Configuring specific /32 source host IP and specific /32 host destination IP  or 

> Configuring specific server subnet /24  as source and /32 as destination.

 

 

 

0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-08-17 05:08 AM

Short Answer: I don't think it will make a meaningful difference in performance.

Long Answer: I assume you would need multiple instances of the first /32 /32 rule as compared to the second rule, which would increase the size of your rulebase.  Normally you'd want the rulebase to be as short as possible for optimization purposes, but performance-wise this doesn't matter nearly as much as it used to due to the introduction of column-based matching in R80.10.  Technically it would be best to keep your destination columns as specific as possible (especially trying to avoid using "Any" in that field), as column-based matching looks at the Destination column in the first round of matching, and can "throw out" many more non-matching rules in that first round if the Destination columns are as specific as possible, and have far fewer rules to look at during round 2 (source IP) and round 3 (destination port).

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
_Val_
Admin
Admin
‎2021-08-17 05:38 AM
In response to Timothy_Hall

adding to @Timothy_Hall , having less rules is always better from the performance perspective. For a single rule, it does not matter if you use a subnet, a group of host objects or just list all those hosts in the rule. That said, you also need to consider your own administrative effort to build this rule.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events