Optimizing rule base on Checkpoint Firewalls

Hi everyone,

I'm managing some firewalls for our corporate LAN and I'm trying to optimize the current rulebase in order to get better performance and simplify the management task.

Currently we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter security and the other 2 for intranet security, and we are using a total of 85 rules (some of them are applied only to specific firewalls while others are applied to all the systems). All this is managed from a central Management console.

I'd like to know how Checkpoint works through the rulebase. I already know that the rules are checked sequentially until a rule is matched, but I need more information to fine-tune this process.

1) Is it possible/advisable to define different policy packages for different firewalls and work with them separately?
2) Does a firewall receive a policy containing only the rules referring to it, or every policy defined, and then check only its rules?
3) Is it better to have one big rule grouping a lot of hosts, networks and services, or more simple rules (with few objects in each one)?

Thanks Riccardo

Dogbert

Tony

Absolutely and Yes. Use the "Install On" column to target each policy for which firewall it should be installed on. All of the object definitions are shared between all policies, so you won't have to redefine them for each policy.

Depends on what you have set in the "Install on" field. You actually can create one massive policy and use the "Install on" field to put only certain rules on certain firewalls. That is a mess to figure out when looking at it, though.

Groups will evaluate faster than listing the individual objects. That being said, I doubt you would notice much difference on modern hardware. 85 rules is not a lot.

What kind of bandwidth are you talking about and what kind of hardware?

If you want to go through the hassle, you could set up SmartView Reporter and get an eval license. One of its canned reports shows you which rules are accessed how much.

Ray
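The three points Ray makes (top-down first match, the "Install On" column deciding which rules a gateway evaluates at all, and hit counts as the basis for reordering) can be made concrete with a small simulation. The following is an added example written for this page, not code from any of the posters or from Check Point's products; every object name, group, rule, gateway name and log line in it is constructed. It replays log lines through the rule base to count hits per rule, then bubbles busy rules upward, but only past rules they can never shadow: a busy accept rule is never moved above a drop rule whose source, destination and service sets overlap its own, because that swap would change what the firewall lets through.

```python
"""First-match rule-base walk with a per-gateway Install On filter, hit
counting from log lines, and a conservative "safe to move up" check.
Added example, not Check Point's own code; every object, rule, gateway
name and log line below is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

ANY = "Any"

# Network objects (constructed names) and the groups that reference them.
OBJECTS = {
    "Net_Office": ip_network("10.1.0.0/16"),
    "Net_Lab":    ip_network("10.2.0.0/16"),
    "Web1":       ip_network("192.0.2.10/32"),
    "Mail1":      ip_network("192.0.2.20/32"),
}
GROUPS = {
    "Internal_Nets": {"Net_Office", "Net_Lab"},
    "DMZ_Servers":   {"Web1", "Mail1"},
    "Web":           {"http", "https"},
}

def expand(names):
    """Flatten group references to concrete object/service names."""
    out = set()
    for n in names:
        out |= GROUPS.get(n, {n})
    return out

@dataclass
class Rule:
    no: int
    src: set
    dst: set
    svc: set
    action: str      # "accept" or "drop"
    install_on: set  # gateway names, or {"Any"}

def addr_hit(names, ip):
    return ANY in names or any(ip in OBJECTS[o] for o in expand(names))

def svc_hit(names, svc):
    return ANY in names or svc in expand(names)

def rules_for_gateway(rulebase, gw):
    """A gateway evaluates only rules whose Install On names it (or Any)."""
    return [r for r in rulebase if ANY in r.install_on or gw in r.install_on]

def first_match(rulebase, gw, src, dst, svc):
    """Top-down, first match wins; None stands for the implicit cleanup drop."""
    for r in rules_for_gateway(rulebase, gw):
        if addr_hit(r.src, src) and addr_hit(r.dst, dst) and svc_hit(r.svc, svc):
            return r
    return None

def decide(rulebase, gw, src, dst, svc):
    """Rule number that decides the packet; 0 means the cleanup drop."""
    r = first_match(rulebase, gw, ip_address(src), ip_address(dst), svc)
    return r.no if r else 0

LOG_RE = re.compile(r"gw=(\S+) src=(\S+) dst=(\S+) svc=(\S+)")

def count_hits(rulebase, log_lines):
    """Replay (constructed) log lines through the rule base, per gateway."""
    hits = Counter()
    for line in log_lines:
        hits[decide(rulebase, *LOG_RE.search(line).groups())] += 1
    return hits

def _fields_overlap(a, b):
    if ANY in a or ANY in b:
        return True
    ea, eb = expand(a), expand(b)
    if ea & eb:
        return True
    # distinct address objects may still cover overlapping ranges
    nets_a = [OBJECTS[o] for o in ea if o in OBJECTS]
    nets_b = [OBJECTS[o] for o in eb if o in OBJECTS]
    return any(x.overlaps(y) for x in nets_a for y in nets_b)

def can_move_above(lower, upper):
    """Swapping is safe if the two rules take the same action anyway, or if
    no packet can match both (so neither can shadow the other)."""
    if lower.action == upper.action:
        return True
    return not (_fields_overlap(lower.src, upper.src)
                and _fields_overlap(lower.dst, upper.dst)
                and _fields_overlap(lower.svc, upper.svc))

def safe_reorder(rulebase, gw, hits):
    """Bubble busier rules upward, one safe adjacent swap at a time."""
    rules = rules_for_gateway(rulebase, gw)
    for i in range(1, len(rules)):
        j = i
        while (j > 0 and hits[rules[j].no] > hits[rules[j - 1].no]
               and can_move_above(rules[j], rules[j - 1])):
            rules[j], rules[j - 1] = rules[j - 1], rules[j]
            j -= 1
    return [r.no for r in rules]

# Constructed rule base: note rule 5 overlaps the Net_Lab drop in rule 4.
RULEBASE = [
    Rule(1, {ANY}, {ANY}, {"ssh"}, "drop", {ANY}),
    Rule(2, {"Internal_Nets"}, {"DMZ_Servers"}, {"smtp"}, "accept", {"fw-int"}),
    Rule(3, {"Internal_Nets"}, {"DMZ_Servers"}, {"Web"}, "accept", {"fw-int"}),
    Rule(4, {"Net_Lab"}, {ANY}, {ANY}, "drop", {"fw-int"}),
    Rule(5, {"Internal_Nets"}, {ANY}, {"Web"}, "accept", {"fw-int", "fw-ext"}),
]

# Constructed log lines (not real Check Point log format).
LOG_LINES = [
    "gw=fw-int src=10.1.5.5 dst=192.0.2.10 svc=http",
    "gw=fw-int src=10.1.5.5 dst=192.0.2.10 svc=http",
    "gw=fw-int src=10.1.5.7 dst=192.0.2.10 svc=https",
    "gw=fw-int src=10.1.5.6 dst=192.0.2.20 svc=smtp",
    "gw=fw-int src=10.2.1.1 dst=198.51.100.1 svc=http",
    "gw=fw-int src=10.1.5.5 dst=198.51.100.1 svc=https",
    "gw=fw-int src=10.1.5.5 dst=198.51.100.1 svc=https",
    "gw=fw-int src=10.1.5.5 dst=192.0.2.10 svc=ssh",
    "gw=fw-int src=10.1.5.5 dst=192.0.2.10 svc=ftp",
    "gw=fw-ext src=203.0.113.7 dst=192.0.2.10 svc=http",
]

if __name__ == "__main__":
    hits = count_hits(RULEBASE, LOG_LINES)
    print("hits per rule (0 = cleanup drop):", dict(hits))
    print("fw-int order after safe reorder:", safe_reorder(RULEBASE, "fw-int", hits))
```

With this data the web rule (3) is the busiest and climbs to the top, past the ssh drop in rule 1, because the two can never match the same packet. Rule 5 is busier than rule 4 but stays below it: both cover Net_Lab web traffic with opposite actions, and promoting it would silently open what rule 4 is meant to block. Rules with zero hits over a long window are the candidates for removal, after checking they are not there to protect against something the logs have simply not seen yet.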

Jay

I'm already using the "Install On" column a lot. Most of the rules are installed only on the external or the internal firewall. I'd like to know if a firewall receives only a package of rules according to what has been specified in the "Install On" column.

We are talking about a Sun 220R with 1 gigabyte of RAM, a quad Fast Ethernet adapter and a single SPARC II processor. Bandwidth for outside connections is 34 Mbps. The performance problem mainly affects the internal firewall, which needs to manage 3 Fast Ethernet connections.

I've already created a tool with php/mysql to import and analyze the firewall logs. :-)

Dogbert

85 rules spread over 4 firewalls is not a big rule base.

Yes, from a change management perspective such an approach is preferable.

greg

Greg Hennessy

Yes.

Sorry, I'm not familiar with Sun hardware. I'm running similar bandwidth on a Nokia (BSD) with a 700 MHz P-III and 1 GB of RAM and I have no performance issues.

What performance issues are you seeing?

Ray

Jay

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.