Firewall Wizards mailing list archives
RE: [FW1] How many rules can exists in fw1 ?
From: Jennifer Galvin <jgalvin () digex net>
Date: Sat, 19 Sep 1998 18:40:48 -0400 (EDT)
That's how it was explained to me in class. Plus, if you have a rule that requires encryption between two hosts, and then later on it allows no encryption between two hosts, FW1 will then pick the rule with less security, even though it comes after the 1st rule. Regards, Jennifer Galvin
Really? I'd always thought that packets were compared from the rulebase until a match was found.. Try rule 0 first.. Nope does not match.. Try rule 1 next.. nope does not match.. Try rule 2 next.. nope does not match .. .. .. Try rule 25.. AHA.. we have a source AND dest AND service match.. is it allowed or not?-----Original Message----- From: Jennifer Galvin [SMTP:jgalvin () digex net] Sent: Saturday, September 19, 1998 3:21 PM To: > Øyvind Olsen Cc: fw-1-mailinglist () lists us checkpoint com Subject: Re: [FW1] How many rules can exists in fw1 ? Whenever you edit an existing rulebase, and insert a new rule, more Inspect code is generated by the gui for the new policy. So, 500 rules = lots of code for the inspection engine to crank through before it decides what to do with the traffic. Remember, FW1 is a best-fit firewall, not a first-fit, so it will preview all rules before it determines which one best matches the traffic going in or out. This means the amount of Inspect code is probably directly proportional to the overhead the firewall is going to experience each time it needs to analyze traffic. In short, make it concise, since more rules may slow down your firewall. Regards, Jennifer GalvinHi ! Have anyone experimented with, say 500 rules, and measured how the perfomance is affected ? I might set up a test myself, but thought I ask the Gurus first ... Regards, Oyvind Olsen ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================---------------------- Jennifer Galvin Digex Firewall Support Engineer jgalvin () digex net (301) 847-7179 Digex is an Intermedia Communications Company ---------------------- ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
---------------------- Jennifer Galvin Digex Firewall Support Engineer jgalvin () digex net (301) 847-7179 Digex is an Intermedia Communications Company ----------------------
Current thread:
- RE: [FW1] How many rules can exists in fw1 ? Jennifer Galvin (Sep 19)
- Re: [FW1] How many rules can exists in fw1 ? Deepak Vaidya (Sep 20)
- Re: [FW1] How many rules can exists in fw1 ? Euan (Sep 21)
- Re: [FW1] How many rules can exists in fw1 ? DIGEX Grrrrrrrrrl (Sep 22)
- Re: [FW1] How many rules can exists in fw1 ? Euan (Sep 21)
- <Possible follow-ups>
- Re: [FW1] How many rules can exists in fw1 ? Vern Paxson (Sep 20)
- Re: [FW1] How many rules can exists in fw1 ? DIGEX Grrrrrrrrrl (Sep 24)
- Re: [FW1] How many rules can exists in fw1 ? Deepak Vaidya (Sep 20)