Re: [FW1] Optimization??
Not only using groups, but also try to (where you can at least) think more policy than making rules on a per machine-to-machine basis:

1. Try thinking of "which groups of network objects are allowed what kind of access to other groups of networks?".

2. Group your rules logically:

   * Start the rulebase by dealing with traffic terminating directly on your firewall (i.e. drop most stuff, accept your management clients to the management console, accept management consoles to the firewall node, allow VPNs as necessary to terminate on the given fw node, explicitly drop NBT broadcasts for all nets directly to the firewall without logging, to save 90% of the crud in your logs, and end the section with an explicit drop of anything terminating on your firewall).

   * Start building groups of rules dealing with your traffic, usually ordered by priority (rules closer to the top get expedited faster).

   * Build groups of rules for other connectivity that is not often used, but still needed.

   * Deal with unwanted traffic: usually drop the stuff you know will come by that you don't want to know about without logging, and drop and log the rest.

Now, let the flames ensue on what people think about dropping and not logging, whether to deal with traffic terminating on the firewall node vs. traffic passing, etc. There are a million preferences.

Oh, and make sure to disable most implicit stuff in the firewall properties, as it is better to deal with as much of it explicitly in the rulesets (oh, more flames) :)

cheers,
Alexander

"Cardona, Alberto" <[email protected]> writes:

> Shannon,
>
> I use rules using groups instead of separate objects with their own
> rules.
> It keeps my rulebase simple and not large. Also since I have over 15+
> firewalls
> it gives me an overall firewall rulebase standard for each firewall.
> Plus it is easier to manage groups than individual objects.
>
> As for performance, when I originally started I used objects with individual
> rules.
> My rulebase was HUGE.
> Once I switched to groups the rulebase got a lot smaller and performance
> increased.
>
> Hope this helps.
>
> Alberto Cardona II
>
> -----Original Message-----
> From: Shannon Johnston [mailto:[email protected]]
> Sent: Tuesday, August 28, 2001 12:40 PM
> To: Firewall One List
> Subject: [FW1] Optimization??
>
> I'm interested in increasing the performance of our FW-1 (Nokia IP440) and I
> was wondering about the performance of groups vs. separate rules.
> For example, I'm setting up a blacklist that will block everything coming
> from specific IPs. Would it be more beneficial to set them up in a blacklist
> group and add them all to 1 rule, or would it run better if they were
> separated into their own rules?
> We filter several million packets per month so any performance gain is
> welcome.
>
> --
> Shannon Johnston
> [email protected]
> --------------------------------
> Hiroshima '45 Chernobyl '86 Windows '95
> --------------------------------
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
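The two points argued in this thread, a blacklist as one rule with a group object versus one rule per address (Shannon's question) and ordering traffic rules by how often they are hit within a layout of firewall-terminating section, traffic rules and cleanup rule (Alexander's reply), can be made concrete with a small first-match rulebase model. The code below is an added example, not Check Point code and not something posted in the thread; the hosts, services, rule names and packet counts are all constructed for the illustration, and "cost" here means rule comparisons in this model, not measured FW-1 behaviour. The reordering function also carries the caveat a practitioner needs: a rule may only be moved above another if no packet could match both, otherwise the policy changes.

```python
"""First-match rulebase model: added illustration, not Check Point code.
Hosts and services are strings, a network group is a frozenset of hosts,
and the rulebase is walked top-down with the first match winning.
The traffic sample is constructed; only the relative counts matter."""
from collections import Counter
from dataclasses import dataclass

ANY = frozenset({"*"})  # wildcard object, compared by identity below

def _hit(field, value):
    return field is ANY or value in field

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str        # "accept" or "drop"
    log: bool = True   # log=False is the "drop without logging" case from the thread

    def matches(self, pkt):
        src, dst, svc = pkt
        return _hit(self.src, src) and _hit(self.dst, dst) and _hit(self.svc, svc)

def evaluate(rulebase, pkt):
    """Return (matching rule, number of rules examined); first match wins."""
    for n, rule in enumerate(rulebase, 1):
        if rule.matches(pkt):
            return rule, n
    raise ValueError("no match: a rulebase must end with an explicit cleanup rule")

def total_cost(rulebase, traffic):
    """Rule comparisons spent on a traffic sample (model cost, not FW-1 timing)."""
    return sum(evaluate(rulebase, p)[1] for p in traffic)

def decisions(rulebase, traffic):
    return [evaluate(rulebase, p)[0].action for p in traffic]

def overlap(a, b):
    """True if some packet could match both rules; such a pair must keep its
    relative order, because swapping them would change what the firewall does."""
    def inter(x, y):
        return x is ANY or y is ANY or bool(x & y)
    return inter(a.src, b.src) and inter(a.dst, b.dst) and inter(a.svc, b.svc)

def reorder_by_hits(rulebase, traffic, frozen_top, frozen_bottom):
    """Bubble frequently hit rules upward, never past a rule they overlap with.
    The first frozen_top rules (firewall-terminating section) and the last
    frozen_bottom rules (cleanup) keep their positions."""
    hits = Counter(evaluate(rulebase, p)[0].name for p in traffic)
    cut = len(rulebase) - frozen_bottom
    middle = list(rulebase[frozen_top:cut])
    for i in range(1, len(middle)):           # insertion sort with a safety check
        j = i
        while (j > 0 and hits[middle[j].name] > hits[middle[j - 1].name]
               and not overlap(middle[j], middle[j - 1])):
            middle[j], middle[j - 1] = middle[j - 1], middle[j]
            j -= 1
    return rulebase[:frozen_top] + middle + rulebase[cut:]

# Constructed objects (RFC 5737 documentation ranges); not a real network.
FW = frozenset({"fw1"})
MGMT = frozenset({"10.0.0.5"})
WEB = frozenset({"192.0.2.10"})
MAIL = frozenset({"192.0.2.20"})
BACKUP = frozenset({"10.0.1.7", "10.0.1.8"})
NBT = frozenset({"nbt-ns", "nbt-dgm"})
BLACKLIST = frozenset(f"203.0.113.{i}" for i in range(1, 21))

def blacklist_as_group():
    return [Rule("blacklist", BLACKLIST, ANY, ANY, "drop")]

def blacklist_as_rules():
    key = lambda ip: int(ip.rsplit(".", 1)[1])
    return [Rule(f"blacklist-{ip}", frozenset({ip}), ANY, ANY, "drop")
            for ip in sorted(BLACKLIST, key=key)]

def build(blacklist_rules):
    """Layout from the thread: firewall-terminating section, traffic rules, cleanup."""
    top = [
        Rule("mgmt-to-fw", MGMT, FW, frozenset({"fw1-mgmt"}), "accept"),
        Rule("nbt-to-fw", ANY, FW, NBT, "drop", log=False),   # kill the log noise
        Rule("stealth", ANY, FW, ANY, "drop"),
    ]
    middle = blacklist_rules + [
        Rule("backup", BACKUP, BACKUP, frozenset({"rsync"}), "accept"),  # rarely used
        Rule("web", ANY, WEB, frozenset({"http", "https"}), "accept"),
        Rule("mail", ANY, MAIL, frozenset({"smtp"}), "accept"),
    ]
    return top + middle + [Rule("cleanup", ANY, ANY, ANY, "drop")]

def sample_traffic():
    """Constructed (src, dst, service) packets; the counts are invented."""
    t = [("10.0.0.5", "fw1", "fw1-mgmt")]
    t += [("10.0.3.9", "fw1", "nbt-ns")] * 3
    t += [("203.0.113.20", "192.0.2.10", "http")] * 5
    t += [("198.51.100.7", "192.0.2.10", "http")] * 50
    t += [("198.51.100.8", "192.0.2.20", "smtp")] * 20
    t += [("10.0.1.7", "10.0.1.8", "rsync")] * 2
    return t

if __name__ == "__main__":
    traffic = sample_traffic()
    grouped, separate = build(blacklist_as_group()), build(blacklist_as_rules())
    tuned = reorder_by_hits(grouped, traffic, frozen_top=3, frozen_bottom=1)
    for label, rb in (("separate", separate), ("grouped", grouped), ("tuned", tuned)):
        print(f"{label:9s} rules={len(rb):2d} comparisons={total_cost(rb, traffic)}")
    assert decisions(grouped, traffic) == decisions(separate, traffic) == decisions(tuned, traffic)
```

On the constructed sample the twenty separate blacklist rules push every web and mail packet past twenty extra comparisons, the single group rule costs one, and moving the busy web and mail rules above the rarely used backup rule is allowed only because their destination sets are disjoint; the web rule is not moved above the blacklist rule, since a blacklisted source to the web server matches both and the drop must stay on top. The `decisions` check at the end is the test to run after any such reorder: the accept/drop outcome per packet must be identical before and after.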