Re: [FW1] Optimization??




Not only using groups, but also try (where you can, at least) to think
more in terms of policy than making rules on a per machine-to-machine
basis:

1. Try thinking of "which groups of network objects are allowed what
kind of access to other groups of networks?".

2. Group your rules logically:

        * Start a firewall by dealing with traffic terminating
          directly on your firewall (i.e. drop most stuff, accept your
          management clients to the management console, accept
          management consoles to the firewall node, allow VPNs as
          necessary to terminate on the given fw node, explicitly
          drop NBT broadcasts for all nets directly to the firewall
          without logging, to save 90% of the crud in your logs, and end
          the section with an explicit drop of anything terminating on
          your firewall).

        * Start building groups of rules dealing with your traffic,
          usually ordered by priority (rules closer to the top get
          expedited faster).

        * Build groups of rules for other connectivity that is not often
          used, but still needed.

        * Deal with unwanted traffic, usually drop the stuff you
          know will come by that you don't want to know about without
          logging, drop and log the rest.

Now, let the flames ensue on what people think about dropping and not
logging, whether to deal with traffic terminating on the firewall node
vs. traffic passing, etc. There are a million preferences.

Oh, and make sure to disable most implicit stuff in the firewall
properties, as it is better to deal with as much of it explicitly in
the rulesets (oh, more flames) :)


cheers,
Alexander

"Cardona, Alberto" <[email protected]> writes:

> Shannon,
> 
> 	I use rules using groups instead of separate objects with their own
> rules.
> It keeps my rulebase simple and not large.  Also since I have over 15+
> firewalls
> it gives me an overall firewall rulebase standard for each Firewall.
> Plus it is easier to manage groups than individual objects. 
> 
> As for performance when I originally started I used objects with individual
> rules.
> My rulebase was HUGE.
> Once I switched to groups the rulebase got a lot smaller and performance
> increased.
> 
> 
> Hope this helps.
> 
> 
> Alberto Cardona II
> 
> 
>  
> 
> -----Original Message-----
> From: Shannon Johnston [mailto:[email protected]]
> Sent: Tuesday, August 28, 2001 12:40 PM
> To: Firewall One List
> Subject: [FW1] Optimization??
> 
> I'm interested in increasing the performance of our FW-1 (Nokia IP440) and I
> was wondering about the performance of groups vs. separate rules.
> For example, I'm setting up a blacklist that will block everything coming
> from specific IP's. Would it be more beneficial to set them up in a
> blacklist
> group and add them all to 1 rule, or would it run better if they were
> separated into their own rules?
> We filter several million packets per month so any performance gain is
> welcome.
> 
> --
> Shannon Johnston
> [email protected]
> --------------------------------
> 
> Hiroshima '45 Chernobyl '86 Windows '95
> 
> --------------------------------
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

-- 
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
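As an added illustration (not part of the thread), a small Python first-match rulebase evaluator built around the section layout Alexander describes: traffic terminating on the firewall first, the busiest rules next, a blacklist as one rule with an object group rather than one rule per address, and a logged cleanup drop at the end. The addresses, service names and rule names are constructed for the example; the "rules examined" count is the cost metric it reports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ()  # an empty object group matches anything

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple       # group of network objects (ANY = no restriction)
    dst: tuple
    services: tuple  # service names (ANY = no restriction)
    action: str      # "accept" or "drop"
    log: bool = True

def in_group(addr, group):
    return not group or any(addr in net for net in group)

def evaluate(rulebase, src, dst, service):
    """First match wins. Returns (rule name, action, logged?, rules examined)."""
    s, d = ip_address(src), ip_address(dst)
    for n, r in enumerate(rulebase, 1):
        if in_group(s, r.src) and in_group(d, r.dst) and (not r.services or service in r.services):
            return r.name, r.action, r.log, n
    return "implicit-drop", "drop", True, len(rulebase)

# Constructed sample objects: private and documentation ranges, not real hosts.
FW      = (ip_network("10.0.0.1/32"),)
MGMT    = (ip_network("10.0.9.0/24"),)
INSIDE  = (ip_network("10.0.0.0/16"),)
BLOCKED = tuple(ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32", "203.0.113.0/25"))

RULEBASE = [
    # Section 1: traffic terminating on the firewall node itself
    Rule("mgmt-to-fw", MGMT,   FW,  ("ssh", "fw1_mgmt"), "accept"),
    Rule("nbt-noise",  INSIDE, FW,  ("nbname", "nbdatagram"), "drop", log=False),
    Rule("fw-stealth", ANY,    FW,  ANY, "drop"),
    # Section 2: everyday traffic, busiest rule first
    Rule("inside-web", INSIDE, ANY, ("http", "https"), "accept"),
    # Section 3: unwanted traffic, one rule with a group instead of one rule per address
    Rule("blacklist",  BLOCKED, ANY, ANY, "drop"),
    # Cleanup: drop and log whatever is left
    Rule("cleanup",    ANY,    ANY, ANY, "drop"),
]

# The same blacklist written as one rule per address, to compare rules examined.
PER_HOST = (RULEBASE[:4]
            + [Rule(f"block-{i}", (n,), ANY, ANY, "drop") for i, n in enumerate(BLOCKED)]
            + RULEBASE[5:])
```

Note that an inside host sending HTTP to the firewall address hits "fw-stealth" before "inside-web" can accept it, which is the reason the firewall-terminating section goes on top.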