Re: [FW1] Some basic questions
Inline...

--
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:email: [email protected]

>>> "Nijs, Daniel" <[email protected]> 11/17/00 3:57:30 PM >>>
>
>Hi all,
>
>I have gone through most FAQ's, phoneboy's site, some other mailing lists,
>and would like your input on these questions:
>
>1) What is the average number of rules, and how much does FW-1 really
>support. I have seen posts where checkpoint techs say that 25 rules is way
>too much, posts that say that average installation is about 10 rules / fw
>installation. I have quite a few rules in my policy, and would like to know
>how far I can go. (I am running version 4.0 on Solaris)

I think it's dependent upon your design, the systems you use and how they are architected. The more rules you have, the more processing the fw system needs to do. Keep your most active rules near the top. If you're going to be using encryption, then make sure you plan accordingly for memory and processing power. I've seen list members talk about having just a few rules and some saying they have hundreds. I really do think it's very dependent upon what's going on in your site. You could have hundreds of rules and hardly any traffic vs a small rulebase and a large amount of traffic, and both sites may appear to be running well (WRT response time.)

>2) I want to upgrade from version 4.0 to 4.1. Which are some important
>steps I should take (except for the obvious such as backing up) before
>upgrading, and what other suggestions do you have to do this as smooth as
>possible?

Research. Look through the archives at read the problems and resolutions to others' mistakes and issues. Understand how fw1 works to the best of your ability and ask questions here when you run into issues.

>3) I am planning on moving away from static ip's and use the session agent
>+ user accounts (using radius so we can use our NT domain accounts). Is
>there any way I can add a user@host instead of group@host, or do I have to
>create a group every time I wish to create a new rule for a user (special
>cases need their own rule). What is your experience with the session agent?

Not at this point. The authorizations require the groups@.... I've used the client, session & user auth and they work well. Each has their pros and cons.

>That's it for now, thanks in advance for your time.

This is probably not what you were looking for. Others may answer this with more details about their configs and experiences. In any case, plan well, give yourself time and have patience.

>Best regards,
>
>Daniel

Best of Luck!

Robert