Charles,

How about fewer rules, fewer objects ;-)  Seriously though, if you're
trying to optimize throughput, the more network objects that you can
substitute for host objects, the better.  The reason for this is that if
you have a rule that allows hostA, hostB, and hostC, access to FTP
serverD, the inspect code for that will be constructed in such a way
that when hostC tries to access serverD, the kernel must first look at
hosts A and B, before determining that C is okay.  (Did that make
sense...?)  If, on the other hand, all of those hosts are on the same
subnet, and you make a rule allowing subnetA FTP access to serverD, then
the kernel process only has to match one object before continuing.
Here are some other throughput hints:

-The fewer NAT rules the better (NAT rules take about 3 times the
processing power of access rules, in general)
-The fewer *specific* access rules the better (use as many network
objects as you can - don't sacrifice security, but don't have specific
rules for *everything* either - there is a balance in there somewhere) 
As far as throughput is considered, here's the best order of objects to
use : "ANY", Network, Host (obviously NEVER sacrifice security for
throughput though...)
-Put the most used rules first.  Since rule matching is from the top
down, you want rules for Internet access, DNS requests, outbound POP3,
(and any other extremely high traffic rules) to be very close to the top
of the policy.

Hope this helps (at least a little...)

Jason
http://www.wittys.com
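As an added illustration (not part of Jason's message, and not Check Point code), the toy Python below models a first-match rulebase in which every object in a rule's columns costs one comparison, which is the cost model the advice above rests on. Rule and object names, addresses and the traffic mix are constructed; it also includes the check a practitioner would want before consolidating hosts into a network object or reordering rules: whether any sample packet's verdict changes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    sources: list   # host ("10.1.1.3") or network ("10.1.1.0/24") objects in the source column
    dst: str        # a single host or network object
    service: str
    action: str     # "accept" or "drop"

def _in(ip, obj):
    """True if address ip falls inside the host or network object obj."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)

def lookup(rules, src, dst, service):
    """First-match walk, top down; returns (action, rule name, objects compared)."""
    checks = 0
    for r in rules:
        checks += 1                      # destination object
        if not _in(dst, r.dst):
            continue
        checks += 1                      # service object
        if r.service != service:
            continue
        for obj in r.sources:            # every object in the source column, in order
            checks += 1
            if _in(src, obj):
                return r.action, r.name, checks
    return "drop", "cleanup", checks     # implicit drop at the bottom of the policy

def total_checks(rules, traffic):
    """Object comparisons for a traffic mix given as (src, dst, service, packet count)."""
    return sum(n * lookup(rules, s, d, v)[2] for s, d, v, n in traffic)

def policy_diff(old, new, samples):
    """Packets whose verdict changes between two rulebases: the 'don't sacrifice security' check."""
    return [p for p in samples if lookup(old, *p)[0] != lookup(new, *p)[0]]

# Constructed objects: hosts A, B, C allowed FTP to server D, as three host objects or one subnet.
SPECIFIC = [Rule("ftp-hosts", ["10.1.1.1", "10.1.1.2", "10.1.1.3"], "10.2.2.4", "ftp", "accept")]
SUBNET = [Rule("ftp-subnet", ["10.1.1.0/24"], "10.2.2.4", "ftp", "accept")]

# Constructed ordering case: a busy outbound HTTP rule below, or above, five rarely hit rules.
RARE = [Rule(f"rare-{i}", ["10.9.9.0/24"], f"10.8.8.{i}", "ssh", "accept") for i in range(5)]
HTTP = Rule("web-out", ["10.1.0.0/16"], "0.0.0.0/0", "http", "accept")
HTTP_LAST, HTTP_FIRST = RARE + [HTTP], [HTTP] + RARE
TRAFFIC = [("10.1.1.3", "203.0.113.7", "http", 1000), ("10.9.9.5", "10.8.8.2", "ssh", 10)]

if __name__ == "__main__":
    print(lookup(SPECIFIC, "10.1.1.3", "10.2.2.4", "ftp"), lookup(SUBNET, "10.1.1.3", "10.2.2.4", "ftp"))
    print(total_checks(HTTP_LAST, TRAFFIC), total_checks(HTTP_FIRST, TRAFFIC))
    print(policy_diff(SPECIFIC, SUBNET, [("10.1.1.3", "10.2.2.4", "ftp"), ("10.1.1.9", "10.2.2.4", "ftp")]))
```

The subnet rule reaches a verdict for host C in 3 comparisons instead of 5, and moving the busy rule to the top cuts the weighted comparison count for this mix from 8050 to 3070; policy_diff shows the subnet rule also admits 10.1.1.9, which the host-object rule dropped, so the consolidation widens access and needs a conscious decision.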

"Charles M. Gagnon" wrote:
> 
> Hi,
> 
> Does anyone know enough about the internals of FW-1 to take
> a guess as to what kind of setup would perform better:
> 
>     - Fewer rules, more objects/rule
>     - A lot of rules, very few objects total
> 
> I'm not sure if it would make a difference or not but I would
> like to know.
> 
> Does Checkpoint publish performance numbers that are based on
> number of network objects, number of users or the number of
> rules in policies?
> 
> --
> Charles Gagnon                   | My views are my views and they
> http://unixrealm.com             | do not represent those of anybody
> [EMAIL PROTECTED]           | but me.
> 
>    If someone with multiple personalities threatens
>    suicide....is it considered a hostage situation?
>         -- Dennis Miller
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================