CP has rather been fluid on this issue. CP rarely imposes any limit on anything - rules, objects, number of customers on a P-1 system, blah, blah! Everything depends upon your hw, and if things do not work the way you desire, let us say, for example, your policy load/save/compilation/verify takes a long time, you open a ticket with CP and they would come out with such explanations as your object file has grown to 6MB or more or your rulebases_5_0.fws file has grown very big, and sometimes, if you are lucky and persistent, they will forward the issue to R&D, which then perhaps would discover some function within, let us say, policy verification/compilation (remember the groups within groups issue!) causing a huge delay and would provide a hotfix, and that hotfix could then help the general CP user community too, until another user raises the same question as raised in this thread, leading possibly to another iteration with CP bringing some newer relief!

That said, it is also true that there are a very large number of variables that make one implementation with 3000+ rules work fine whereas another with just over 200+ rules causes strange issues. I have never seen any specific tests with a certain number of rules causing the packets to drop at the inspection module, but mostly, if there are any tests available, they are very generic and are about what kind of throughputs result from some specific number of rules being one of the criteria at Nokia or Check Point sites - I would be equally interested to see some if anyone else can point them out. In fact, dropping of packets would definitely have a large number of variables to be ruled out even if you have a large number of rules, given your inspection module has gracefully imbibed that large number in its kernel.
The original question with just three CMAs on the indicated platform with R55W with the latest HFA (I think CP further improved File Descriptors' allocation in some latest HF post R55) should give enough room to handle 550 rules, but who knows what your objects look like :-)! So, the best answer is test it and let us know too how it goes :-)!!

Rajeev

On 10/21/05, Luca Maranzano <[EMAIL PROTECTED]> wrote:
>
> Supposing that there is not an upper limit in the number of rules, the
> *real* question is:
> -
> Which is the upper reasonable limit in the number of rules before
> performance is compromised, i.e. packets are dropped by the firewall
> and so on?
>
> Are there some tests out there which correlate this number with the
> hardware platform?
>
> TIA
> --Luca
>
>
> On 21/10/05, Tom Rowan <[EMAIL PROTECTED]> wrote:
> > I once saw 2000+ rules on a 3.0b system many moons ago....
> > Madness.
> >
> >
> > >On 10/19/05, cisco4ng <[EMAIL PROTECTED]> wrote:
> > >
> > >>All,
> > >>
> > >>What is the maximum number of rules I can have in a security policy? For example,
> > >>
> > >>I have a Provider-1 NG with AI R55w (Manager+Container) running on a DELL
> > >>dual Processor (1.3GHz) with 4GB of RAM. In this Provider-1, I have 3 CMAs. At the moment,
> > >>one of the CMAs has about 250 security rules in there. This CMA is managing a SPLAT
> > >>NG with AI R55w with HFA_04 Enforcement module.
> > >>
> > >>I would like to put another 300 rules into this policy. My question is
> > >>what is the maximum # of rules I can have in a security policy, either from a CMA or
> > >>SmartCenter?
> > >>
> > >>I did run into a problem with Provider-1 version 4.1. When the security
> > >>policy reached 260 rules, I couldn't connect to the policy editor.
> > >>
> > >
> > >Got people using NG+AI doing tests with 3,000+ rules without a problem...
> > >
> > >So I think 550 should be fine... (but perform a backup before anyway ;-)
> > >
> > >- Martín.
> > >--
> > >- My web page: http://gama.fime.uanl.mx/~mhoz/
> > >* "We are a consequence of the past, and the cause of our future."
> > >* "This world was not bequeathed to us by our parents; we have
> > >borrowed it from our children..."
> > >
> > >=================================================
> > >To set vacation, Out-Of-Office, or away messages,
> > >send an email to [EMAIL PROTECTED]
> > >in the BODY of the email add:
> > >set fw-1-mailinglist nomail
> > >=================================================
> > >To unsubscribe from this mailing list,
> > >please see the instructions at
> > >http://www.checkpoint.com/services/mailing.html
> > >=================================================
> > >If you have any questions on how to change your
> > >subscription options, email
> > >[EMAIL PROTECTED]
> > >=================================================
> >
>
