Re: [FW1] Rulebase optimization
I saw some basic guidelines on phoneboy. This is kind of touchy feely, because it will depend on your hardware, platform, the rules themselves, etc.

A good rule of thumb is to keep # of rules around 50 or less. Put high-hitting rules at the top (phoneboy says he likes to put inbound rules first, but if this firewall does mostly outbound traffic, it would make more sense to put those first.. it depends on what you are doing with the firewall).

I personally try to implement a similar "look & feel" to my firewalls (esp. when it's multiple units).

- Access b/t firewalls (when HA)
- Admin access (for FW admins and OS admins)
- Any monitoring of the firewalls (like Tivoli, or some other monitoring that needs either ICMP or SNMP to the firewall... I know... I am forced against my will to allow this access sometimes)
- VPN & User Auth rules (because they need to interface with the FW directly in some way or another)
- Stealth Rule
- Inbound/Outbound rules depending on core function of FW... look at what this FW is doing.. if it's doing NAT for 100K clients, then maybe allowing either the clients or their http proxies early would be a good idea
- Clean-up Rule

Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
-- Nigel Tufnel

On Mon, 5 Feb 2001, Allan Pratt wrote:

> Does anyone know of documents about rulebase optimization?
>
> i.e., how to properly write a rule base, performance issues of too many
> rules, etc.
>
> thanks!
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
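The layout described in the message above (fixed firewall-facing rules, stealth rule, traffic rules, clean-up rule) can be combined with "high-hitting rules at the top" without changing what the policy allows. This is an added example, not part of the original post: it assumes first-match evaluation, IPv4 CIDR sources and destinations, one service per rule, and that accept/drop is a rule's only effect; the rule names, addresses and hit counts are constructed.

```python
from ipaddress import ip_network

ANY_NET, ANY_SVC = "0.0.0.0/0", "any"

def overlaps(a, b):
    """True if some packet could match both rules."""
    same_svc = ANY_SVC in (a["svc"], b["svc"]) or a["svc"] == b["svc"]
    return (same_svc
            and ip_network(a["src"]).overlaps(ip_network(b["src"]))
            and ip_network(a["dst"]).overlaps(ip_network(b["dst"])))

def can_swap(a, b):
    """Adjacent rules may trade places unless they overlap and decide differently."""
    return a["action"] == b["action"] or not overlaps(a, b)

def optimize(rules):
    """Sort the 'traffic' section by hit count using only safe adjacent swaps.
    Assumes that section is contiguous; rules in any other section
    (HA, admin, monitoring, VPN/auth, stealth, clean-up) keep their positions."""
    out = list(rules)
    idx = [i for i, r in enumerate(out) if r["section"] == "traffic"]
    for i in idx[1:]:
        j = i
        while (j > idx[0] and out[j]["hits"] > out[j - 1]["hits"]
               and can_swap(out[j], out[j - 1])):
            out[j], out[j - 1] = out[j - 1], out[j]
            j -= 1
    return out

def rule(name, section, src, dst, svc, action, hits=0):
    return dict(name=name, section=section, src=src, dst=dst,
                svc=svc, action=action, hits=hits)

FW = "192.0.2.1/32"  # constructed firewall address
# Constructed rulebase, laid out in the order the post describes.
RULEBASE = [
    rule("fw-to-fw (HA)", "fixed", "192.0.2.2/32", FW, "any", "accept"),
    rule("admin access", "fixed", "10.1.1.0/24", FW, "ssh", "accept"),
    rule("monitoring", "fixed", "10.1.2.5/32", FW, "snmp", "accept"),
    rule("vpn/user auth", "fixed", ANY_NET, FW, "ike", "accept"),
    rule("stealth", "fixed", ANY_NET, FW, "any", "drop"),
    rule("inbound-smtp", "traffic", ANY_NET, "192.0.2.25/32", "smtp", "accept", 900),
    rule("outbound-dns", "traffic", "10.0.0.0/8", ANY_NET, "dns", "accept", 20000),
    rule("block-guest-web", "traffic", "10.9.0.0/16", ANY_NET, "http", "drop", 40),
    rule("outbound-http", "traffic", "10.0.0.0/8", ANY_NET, "http", "accept", 50000),
    rule("clean-up", "fixed", ANY_NET, ANY_NET, "any", "drop"),
]

if __name__ == "__main__":
    for n, r in enumerate(optimize(RULEBASE), 1):
        print(n, r["name"], r["action"], r["hits"])
```

In this sample the DNS rule moves ahead of the SMTP rule, while the busiest rule (outbound-http) stays behind block-guest-web, because moving it up would start accepting web traffic from the guest range that the drop rule currently blocks.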