I noticed at work that we might not be following best practices for global rules, hence the reason for this post. We have multiple CMAs for different regions. One, for example, is Europe and the other Asia. I noticed that there are global rules set up for common domain controllers; however, the sources are defined as all global Europe and Asia networks going to a global DC group. Although everything works, this does not seem right to me. The firewall from Europe will check every packet arriving and waste resources trying to match the traffic to networks that do not exist behind it. Let's say that a packet arrives destined for LDAP: the firewall will still look up all the sources [both Europe/Asia] to attempt a match when it really just needs to look up Europe networks.
Hope this makes sense so far.
The other one that I noticed is that we have two almost identical global rules. One has Asia networks as source and a mix of both Asia/Europe destination hosts. The other is the exact same but using Europe as the source. If rules are processed in order, this means that my Europe CMA firewalls will process the traffic against the first global rule, which it will never match, and then check it against the rule that is destined for its networks. This again is wasting resources.
My thoughts here, and what I am thinking of suggesting, are the following. Instead of sharing a single common global policy, only use the global groups. Separate the sites and use global groups within the CMAs where common hosts exist for both regions, and not a shared rule in a global policy if part of the sources or destinations will never be matched. This to me seems like a better approach.
Sorry for the long post. Please let me know if more clarifications need to be provided.
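As an added illustration (not part of the original post, and not Check Point code), the script below models the three rulebase layouts described above under a deliberately naive top-down, first-match evaluator and counts how many rule evaluations and CIDR membership tests a Europe gateway performs for a given packet. All addresses are constructed RFC 1918 examples, the rule and layout names are made up for the example, and the sequential matching model is an assumption: real gateways apply acceleration and matching optimisations that this model ignores, so the counts show the shape of the argument, not measured gateway cost.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample address space (RFC 1918 ranges, not real corporate addressing).
EUROPE_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")]
ASIA_NETS = [ipaddress.ip_network(n) for n in ("10.101.0.0/16", "10.102.0.0/16", "10.103.0.0/16")]
EUROPE_DCS = [ipaddress.ip_network(n) for n in ("10.1.10.5/32", "10.2.10.5/32")]
ASIA_DCS = [ipaddress.ip_network(n) for n in ("10.101.10.5/32", "10.102.10.5/32")]
DC_GROUP = EUROPE_DCS + ASIA_DCS          # the shared "global DC group"
LDAP = {"ldap", "ldaps"}


@dataclass
class Rule:
    name: str
    sources: list
    destinations: list
    services: set
    action: str = "accept"


@dataclass
class MatchStats:
    rules_evaluated: int = 0
    cidr_tests: int = 0


def _in_any(addr, nets, stats):
    """Linear scan over a network group; every CIDR test is counted."""
    for net in nets:
        stats.cidr_tests += 1
        if addr in net:
            return True
    return False


def first_match(rulebase, src, dst, service, stats):
    """Naive top-down first-match evaluation (a modelling assumption, not how any
    particular vendor's gateway is implemented). Returns the matching Rule or None
    (None stands for the implicit drop at the end of the rulebase)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rulebase:
        stats.rules_evaluated += 1
        if service not in rule.services:
            continue
        if not _in_any(src, rule.sources, stats):
            continue
        if not _in_any(dst, rule.destinations, stats):
            continue
        return rule
    return None


# Layout 1: one global rule whose source is every Europe and Asia network.
def shared_combined_source():
    return [Rule("DC-access", ASIA_NETS + EUROPE_NETS, DC_GROUP, LDAP)]


# Layout 2: two near-identical global rules, Asia-sourced rule listed first.
def shared_two_rules():
    return [Rule("Asia-to-DCs", ASIA_NETS, DC_GROUP, LDAP),
            Rule("Europe-to-DCs", EUROPE_NETS, DC_GROUP, LDAP)]


# Layout 3: a rule in the Europe CMA only, reusing the global DC group as destination.
def europe_cma_only():
    return [Rule("Europe-to-DCs", EUROPE_NETS, DC_GROUP, LDAP)]


LAYOUTS = {
    "shared_combined_source": shared_combined_source,
    "shared_two_rules": shared_two_rules,
    "europe_cma_only": europe_cma_only,
}


def compare(src, dst, service):
    """Evaluate one packet against each layout as seen from the Europe gateway.
    Returns {layout: (rules_evaluated, cidr_tests, matched_rule_name_or_None)}."""
    results = {}
    for name, build in LAYOUTS.items():
        stats = MatchStats()
        rule = first_match(build(), src, dst, service, stats)
        results[name] = (stats.rules_evaluated, stats.cidr_tests, rule.name if rule else None)
    return results


if __name__ == "__main__":
    # A Europe host querying an Asia DC, then a host from an unmanaged network (implicit drop).
    for pkt in (("10.3.7.20", "10.101.10.5", "ldap"), ("192.168.50.9", "10.1.10.5", "ldap")):
        print(f"packet {pkt}:")
        for layout, (rules, tests, hit) in compare(*pkt).items():
            print(f"  {layout:24s} rules={rules} cidr_tests={tests} match={hit}")
```

The second packet is the one worth looking at: traffic that matches nothing walks every source object in every candidate rule before falling to the implicit drop, so the unmatched case is where the extra objects and the unmatchable first rule cost the most under this model.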