CPUG: The Check Point User Group


Thread: Which rule design is better

  1. #1
    Join Date
    2011-05-26
    Posts
    5
    Rep Power
    0

    Which rule design is better

    Hi,

    I would like to know which of the following scenarios would be better for a Checkpoint firewall to process its rules.

    Scenario 1 - this has 4 combinations of flows but only two are used. This has only 1 rule defined:

    Rule  From       To         Port
    1     10.1.1.1   20.2.2.2   TCP-555
          20.2.2.2   10.1.1.1

    Scenario 2 - this allows the two specific flows but has two rules defined:

    Rule  From       To         Port
    1     10.1.1.1   20.2.2.2   TCP-555
    2     20.2.2.2   10.1.1.1   TCP-555

    Which one would be better for Checkpoint to process? This is just a small-scale example. Our firewalls have a couple of hundred rules and also a large number of objects/groups, so I would like to adopt a practice that has the least impact on FW performance.


    Thanks
    James

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    18

    Re: Which rule design is better

    It would be best if you created two rules.

    Rule 1: A to B
    Rule 2: B to A

    Otherwise you're also parsing traffic looking for A to A and B to B.

    Rule 1: A,B to A,B

    The two rule method is easier to read and is less likely to have unintended consequences. Especially where A and/or B is a network/subnet in which the firewall shares an IP.

  3. #3
    Join Date
    2011-05-26
    Posts
    5
    Rep Power
    0

    Re: Which rule design is better

    Hi,

    Thanks for your quick response. I agree with you that the two-rule option is easier to see. For performance impact, do you know which one is better?


    Thanks
    James

  4. #4
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    18

    Re: Which rule design is better

    The performance impact is negligible. An additional reason for doing this is VPN rules - I've seen strange things happen when people make bi-directional VPN rules.

    It's also generally good practice to keep your inbound and outbound rules distinct.

  5. #5
    Join Date
    2009-04-14
    Location
    Ohio
    Posts
    405
    Rep Power
    14

    Re: Which rule design is better

    I personally like the bi-directional rules and think it makes for an easier to read ruleset. There is one rule for anti-virus updates, one rule for server patching, etc. Obviously you have to be more aware when creating rules so that you don't accidentally open access you didn't intend and not all rules can be bi-directional.

  6. #6
    Join Date
    2011-07-16
    Posts
    5
    Rep Power
    0

    Re: Which rule design is better

    You have to consider readability and maintenance of the ruleset.
    If the two rules are associated with the same business process, then I think it is OK to unite them (and of course document what the rule does), but once you start consolidating rules with different purposes for the sake of improving performance you are setting yourself up to create a real management mess.

    As for performance implications, there is more to consider than the sheer number of rules. You may have a couple of hundred rules, but they follow the 80/20 rule (that is, 20% of the rules are responsible for 80% or more of the traffic). If you reorder the rules accordingly - placing the rules that are hit most often at the top of the policy - you will improve performance.

    For full disclosure - I work for AlgoSec which makes Firewall Management software that can automate some of this stuff.

    Hope this helps.
    Nimmy
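The two points made in this thread (post #2: a single A,B to A,B rule also permits A to A and B to B; post #6: reorder by hit count, but only where that does not change what the policy decides) can be checked with a toy first-match rulebase. The following is an added example, not Check Point code and not from any poster; it models a stateless ordered rulebase with an implicit cleanup drop, uses the two addresses and service from post #1, and constructs its own sample rules, extra addresses and flow log for the reordering part.

```python
"""Added example (not Check Point code): a toy first-match rulebase used to
compare the two rule designs from the thread and to show hit-count based
reordering with an overlap safety check. The rule names, the extra addresses
and the flow log below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # set of source addresses
    dst: frozenset      # set of destination addresses
    port: str           # service, e.g. "TCP-555"
    action: str = "accept"

    def matches(self, flow):
        src, dst, port = flow
        return src in self.src and dst in self.dst and port == self.port

    def overlaps(self, other):
        """True if some flow could match both rules."""
        return (bool(self.src & other.src) and bool(self.dst & other.dst)
                and self.port == other.port)


def first_match(rules, flow):
    """First-match semantics: return the first rule matching the flow, or
    None to model the implicit cleanup (drop) at the end of the rulebase."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


def accepted_flows(rules, candidate_flows):
    """Subset of candidate_flows that a first-match walk accepts."""
    return {f for f in candidate_flows
            if (m := first_match(rules, f)) is not None and m.action == "accept"}


# --- post #2: what each design actually permits ---------------------------
A, B, PORT = "10.1.1.1", "20.2.2.2", "TCP-555"   # values from post #1

SCENARIO_1 = [Rule("1", frozenset({A, B}), frozenset({A, B}), PORT)]
SCENARIO_2 = [Rule("1", frozenset({A}), frozenset({B}), PORT),
              Rule("2", frozenset({B}), frozenset({A}), PORT)]

# the four src/dst combinations the original poster mentions
ALL_COMBOS = {(s, d, PORT) for s in (A, B) for d in (A, B)}


def extra_flows_allowed_by_bidirectional():
    """Flows scenario 1 accepts that scenario 2 does not (the A->A, B->B cases)."""
    return accepted_flows(SCENARIO_1, ALL_COMBOS) - accepted_flows(SCENARIO_2, ALL_COMBOS)


# --- post #6: reorder by hit count without changing policy ---------------
def hit_counts(rules, flow_log):
    counts = Counter()
    for flow in flow_log:
        match = first_match(rules, flow)
        counts[match.name if match else "cleanup"] += 1
    return counts


def reorder_by_hits(rules, flow_log):
    """Return rules sorted by descending hit count. A rule may only move ahead
    of another if the two cannot both match a flow, or they have the same
    action; otherwise first-match semantics would change and we refuse."""
    counts = hit_counts(rules, flow_log)
    reordered = sorted(rules, key=lambda r: -counts[r.name])  # stable sort keeps ties in place
    position = {r.name: i for i, r in enumerate(rules)}
    for i, later in enumerate(reordered):
        for earlier in reordered[:i]:
            moved_ahead = position[earlier.name] > position[later.name]
            if moved_ahead and earlier.overlaps(later) and earlier.action != later.action:
                raise ValueError(f"moving {earlier.name!r} ahead of {later.name!r} "
                                 "would change the decision for overlapping flows")
    return reordered


def reorder_is_safe(rules, flow_log):
    try:
        reorder_by_hits(rules, flow_log)
        return True
    except ValueError:
        return False


# constructed sample: a busy update rule sits below two rarely hit rules
Q, UPD = "10.1.1.99", "198.51.100.10"   # constructed addresses
SAFE_RULES = [
    Rule("deny-quarantined", frozenset({Q}), frozenset({B}), PORT, "drop"),
    Rule("app-to-db", frozenset({A}), frozenset({B}), PORT),
    Rule("updates", frozenset({A, B, Q}), frozenset({UPD}), "TCP-80"),
]
SAMPLE_LOG = [(A, UPD, "TCP-80")] * 8 + [(A, B, PORT), (Q, B, PORT)]

# constructed counter-case: the busy permit rule overlaps the deny above it
UNSAFE_RULES = [
    Rule("deny-quarantined", frozenset({Q}), frozenset({B}), PORT, "drop"),
    Rule("any-to-db", frozenset({A, B, Q}), frozenset({B}), PORT),
]
UNSAFE_LOG = [(A, B, PORT)] * 5 + [(Q, B, PORT)]


if __name__ == "__main__":
    print("extra flows allowed by the single rule:", extra_flows_allowed_by_bidirectional())
    print("hit counts:", hit_counts(SAFE_RULES, SAMPLE_LOG))
    print("reordered:", [r.name for r in reorder_by_hits(SAFE_RULES, SAMPLE_LOG)])
    print("unsafe reorder refused:", not reorder_is_safe(UNSAFE_RULES, UNSAFE_LOG))
```

The overlap check is deliberately pessimistic: it refuses any move that puts a rule ahead of one it overlaps with a different action, regardless of whether the flow log ever showed such a flow, because a log only proves what was seen, not what the rulebase would decide for traffic that has not been seen yet.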
