Check Point has had the ability to import SNORT signatures for some time, and relatively recently added the ability to create Custom Threat Indicators (CTIs). These seem to be two fairly similar functions, so my questions commence:
1) Is one preferred over the other? The information for SNORT seems to have disappeared out of the official documentation guides starting in R80.20, which coincidentally seems to be about when CTIs were added. Is SNORT support on the way out in favor of CTIs?
2) Any time a new SNORT signature or CTI is added/modified/deleted, the immediately following Threat Prevention policy install to the gateway takes a REALLY long time. As in: a normal TP policy install takes 15 seconds, but it now takes 3-4 minutes after changing one of these features (policy install time does go back to normal for subsequent operations). Why is this? Is it having to recompile some kind of pattern matching database for TP to integrate the changes?
3) And the elephant in the room of course: gateway performance. SNORT signatures are assigned a default Performance Impact of "High" which normally indicates about 50% handling in the Medium Path and about 50% handling in the undesirable F2F/slowpath. CTIs don't seem to have a Performance Impact rating at all, at least that I can find. While I would imagine neither SNORT nor CTIs can be handled in the fully-accelerated path by SecureXL (which is fine), which paths does traffic subject to SNORT/CTIs protections typically end up in? PXL? CPAS? F2F? Can CTIs be handled by the gateway more efficiently than SNORT signatures which would make them preferable from a gateway performance perspective?
Tagging @PhoneBoy
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com