This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Solidor
Participant
‎2022-12-23 04:57 AM
Jump to solution

R80.40 NAT performance

Hi,

Actually working on an 23000 Appliance on R80.40.

I'm working on moving up the most used policy rules to help on performance issues we've encountered, and I was wondering about NAT rules.

We have about 1200 NAT rules on the gateway cluster, and some of the most used NAT rules are at the very bottom.

For performance tuning, do I have to move up these NAT rules too ?

Thanks,

Regards

Labels
0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
MVP Gold
MVP Gold
‎2022-12-23 07:24 AM
Jump to solution

Moving up frequently-hit Access Control policy rules will have little effect on rulebase lookup performance in R80.10+ due to the advent of Column-based matching.

NAT rules did pick up a hit counter in R81+, however the position of NAT rules in the policy once again has little impact on NAT rulebase lookup performance in most cases due to the caching of NAT rulebase lookups in a table called fwx_cache.  This table can store up to 10,000 source/dst cached NAT rule matches, so in the case that the cache becomes completely full (fw tab -t fwx_cache -s) additional NAT rule lookups will need to occur, and in that specific case NAT rulebase lookup performance will be improved by moving rules up as the NAT policy matching is still top-down, first fit and not Column-based matching.  So unless you have thousands of NAT rules there is generally little to be gained by moving them up.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

View solution in original post

7 Replies
the_rock
MVP Diamond
MVP Diamond
‎2022-12-23 06:25 AM
Jump to solution

My advice is yes, though technically, from my experience, does not matter whole lot for NAT rules, as it does for access control rules.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-23 07:01 AM
Jump to solution

Rulebase order matters less in R8x releases.
There are a handful of instances where rulebase order still matters…in the access policy…for SecureXL templating purposes.
I don’t believe it matters for NAT rules.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-12-23 07:24 AM
Jump to solution

Moving up frequently-hit Access Control policy rules will have little effect on rulebase lookup performance in R80.10+ due to the advent of Column-based matching.

NAT rules did pick up a hit counter in R81+, however the position of NAT rules in the policy once again has little impact on NAT rulebase lookup performance in most cases due to the caching of NAT rulebase lookups in a table called fwx_cache.  This table can store up to 10,000 source/dst cached NAT rule matches, so in the case that the cache becomes completely full (fw tab -t fwx_cache -s) additional NAT rule lookups will need to occur, and in that specific case NAT rulebase lookup performance will be improved by moving rules up as the NAT policy matching is still top-down, first fit and not Column-based matching.  So unless you have thousands of NAT rules there is generally little to be gained by moving them up.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
Solidor
Participant
‎2022-12-23 07:44 AM
Jump to solution

Thanks for your answers.

My first impression was wrong then, I'm glad I asked on the forum.

I'll keep the shared link on my bookmarks, always interesting to have more details !

the_rock
MVP Diamond
MVP Diamond
‎2022-12-23 07:47 AM
In response to Solidor
Jump to solution

Thats what te forum is all about, mate. By the way, to add to what @PhoneBoy said, though he probably remembers this way better than I do (lol), back in old days of CP, rule orded DID matter (big time actually), specally I would say R65 and before. But, as he mentioned, in R80+, its not overly relevant, though me personally, I like to keep it clean and in order.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2022-12-27 08:34 AM
In response to the_rock
Jump to solution

Rulebase order mattered until R8x, specifically because of:

  • Column-based rule matching introduced in R80.10
  • SecureXL templating changes introduced in R80.20

Unless you're using one of the handful of services that can't be templated by SecureXL (traffic must go F2F), access policy rulebase order shouldn't matter.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-25 06:57 PM
Jump to solution

Like what @PhoneBoy said yes that is true and I have seen NAT rules close to 2000 and system was functioning well. My 2 cents here since I faced the issue numerous times and helped me a lot is crating a domain UDP object for port 53 and remove sync on cluster from Advanced. Since its a UDP Traffic this is stateless at first place and it does not make any sense syncing the UDP connections on cluster. I always create this object and put the DNS rule on much top

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events