Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

This is an exciting topic:-)
I think that the rules and regulations should be clearly laid out. This is basically a design question.

The unified policy is used for processing rules from R8x onwards.

UF_Policy.jpg

 





 

 

 

The Access Policy is processed in according to:
1) Source IP
2) Destination IP
3) Protocol (TCP, UDP,...)
4) Source port
5) Destination port

And the possible match are always sorted out and processed further. Therefore, policy processing is much faster than with older versions R6x and R7x. Therefore, large sets of rules are no longer so critical. I think there are other points to consider, which may be more time-critical (IPS, AV, ...). 

@_Val_  has a presentation describing the unified policy processing:
"Performance Optimization Part 1 Introduction"

PS:
But I am also a fan of smaller and more manageable rules.


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
Who rated this post