Firewall Wizards mailing list archives

Precedence of rule terms


From: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>
Date: Tue, 15 Jun 1999 15:43:03 -0700

Given this scenario (and think about expanding the list of hosts and
services and more complex combinations of hosts and services):
Hosts A, B, C
Services X, Y, Z
Two equivalent sets of permissions but defined in different ways
Equal amounts of use for each service and host

Group 1
1.  Host A allows services X Y
2.  Host B allows services Y Z
3.  Host C allows services X Z

Group 2
1.  Hosts A C allow service X
2.  Hosts A B allow service Y
3.  Hosts B C allow service Z

Which would be a faster rule match, Group 1 or Group 2?  If FW checks first
for DEST IP, then Group 1 should be faster.  If FW checks first for
Service, then Group 2 should be faster.  If it checks all conditions for
each rule, both would be the same, but that is very inefficient.  In
database queries, the order of terms is critical for optimization.

As my rule set has grown, it has become fragmented (far from normalized in
database lingo).  I want to consolidate the rules, but I also want to
reduce the load as much as possible, beyond the usual rule of most frequent
rule matches first in the list.  Anyone have any insight?  Someone from
Checkpoint must know how the actual rule checking is done.

Any helpful comments appreciated.
Neil
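A small simulation of the cost question raised above, added here as an example and not taken from the post or from any vendor's implementation: it expands both groups into the pairs they permit, evaluates each packet by first match with short-circuited terms, and counts term checks under dest-first versus service-first ordering for the uniform workload the post assumes. All names (GROUP1, GROUP2, evaluate, total_checks) and the two-term rule model are assumptions of the example.

```python
"""First-match rule evaluation cost for the two equivalent rule groups.

Added example, not from the original post. A rule is (allowed hosts, allowed
services); a packet (dest host, service) matches the first rule whose two terms
both hold. Terms are checked in a fixed order and short-circuit on the first
failing term, so term order changes the check count but never the verdict.
"""
from itertools import product

# Constructed from the post's scenario: hosts A, B, C and services X, Y, Z.
GROUP1 = [({"A"}, {"X", "Y"}), ({"B"}, {"Y", "Z"}), ({"C"}, {"X", "Z"})]
GROUP2 = [({"A", "C"}, {"X"}), ({"A", "B"}, {"Y"}), ({"B", "C"}, {"Z"})]
UNIFORM_TRAFFIC = list(product("ABC", "XYZ"))  # equal use of every pair

def allowed_pairs(rules):
    """Expand a rule set into the (host, service) pairs it permits."""
    return {(h, s) for hosts, services in rules for h in hosts for s in services}

def evaluate(rules, host, service, host_first=True):
    """First-match evaluation; returns (verdict, number of term checks made)."""
    checks = 0
    for hosts, services in rules:
        terms = [(host, hosts), (service, services)]
        if not host_first:
            terms.reverse()  # service term is tested before the dest-host term
        matched = True
        for value, members in terms:
            checks += 1
            if value not in members:
                matched = False
                break  # short-circuit: remaining terms of this rule are skipped
        if matched:
            return "allow", checks
    return "deny", checks  # fell off the end of the list: implicit default deny

def verdicts(rules, host_first=True, traffic=UNIFORM_TRAFFIC):
    """Map every packet in the workload to its verdict."""
    return {(h, s): evaluate(rules, h, s, host_first)[0] for h, s in traffic}

def total_checks(rules, host_first=True, traffic=UNIFORM_TRAFFIC):
    """Total term checks spent on the workload: the cost the post asks about."""
    return sum(evaluate(rules, h, s, host_first)[1] for h, s in traffic)

if __name__ == "__main__":
    for name, rules in (("Group 1", GROUP1), ("Group 2", GROUP2)):
        print(name, "dest-first:", total_checks(rules, True),
              "service-first:", total_checks(rules, False))
```

For the uniform workload Group 1 costs 30 checks dest-first and 36 service-first, and Group 2 the reverse, while every packet gets the same verdict in all four cases; swapping in a skewed traffic list shows how the "most frequent matches first" rule interacts with term order.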


