CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


I'd like to thank everyone involved for making "The CPUG Challenge" a great success.
We helped a lot of people see and learn a bit more about R80.10, while having some fun.
We will be using this success to try and bring more events to more locations soon. -E

 

Page 2 of 2 FirstFirst 12
Results 21 to 27 of 27

Thread: Policy push speed is unchanged

  1. #21
    Join Date
    2006-09-26
    Posts
    3,023
    Rep Power
    15

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by PhoneBoy View Post
    If you're already getting a policy installation of around two minutes, then you're not going to see much in the way of improvement.
    For rulebase of 1200 rules, a two minute policy installation time from an R77.30 manager is highly unusual unless you've enabled fw_light_verify, which disables the policy verification step.
    And no, you shouldn't have that enabled, see http://checkpoint-master-architect.b...meter-you.html

    For most customers, a rulebase of 1200 users takes a lot longer than 2 minutes to push from R77.30, whereas on R80.10, it should take 2-3 minutes (assuming a small delta).
    so basically, what checkpoint defines "as improvements" is more like credit cards companies claimed of "low interests" with many "fine prints" that are not really usable in a real world environment

  2. #22
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,369
    Rep Power
    15

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by cciesec2006 View Post
    so basically, what checkpoint defines "as improvements" is more like credit cards companies claimed of "low interests" with many "fine prints" that are not really usable in a real world environment
    For most installations I am familiar with of a similar size, a policy push on a 1200 rule rulebase could easily take at least ten minutes.
    In that context, reducing policy push to 2-3 minutes is a huge improvement.

    So tell me: do you have fw_light_verify enabled or not?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #23
    Join Date
    2006-09-26
    Posts
    3,023
    Rep Power
    15

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by PhoneBoy View Post
    For most installations I am familiar with of a similar size, a policy push on a 1200 rule rulebase could easily take at least ten minutes.
    In that context, reducing policy push to 2-3 minutes is a huge improvement.

    So tell me: do you have fw_light_verify enabled or not?
    I do not enable this feature.

    Your point is that I should see improvements if there is a small delta change, the policy push should improve a lot. doesn't look that way.

  4. #24
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,369
    Rep Power
    15

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by cciesec2006 View Post
    I do not enable this feature.

    Your point is that I should see improvements if there is a small delta change, the policy push should improve a lot. doesn't look that way.
    And for many customers who participated in the EA of R80.10, they reported exactly that--improved policy installation times.
    However, their policy install probably took significantly more than 2 minutes to install prior to R80.10.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #25
    Join Date
    2012-06-13
    Posts
    292
    Rep Power
    6

    Default Re: Policy push speed is unchanged

    Well yeah I definitely see policy push speed improvement with R80.10. I just upgraded from R77.30 to R80.10 [in a lab environment] with rules base around 150 and saw drastic change in policy push speed. R77.30 usually takes around 2.30 mins while R80.10 I observed well under min.

    well my firewall is again R80.10

  6. #26
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    966
    Rep Power
    12

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by PhoneBoy View Post
    And for many customers who participated in the EA of R80.10, they reported exactly that--improved policy installation times.
    However, their policy install probably took significantly more than 2 minutes to install prior to R80.10.
    You just need to note again GW should be also R80.10 to benefit. Otherwise it may same or even a bit more time to push policy to R77.30 and below, considering the new MGMT architecture.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #27
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,369
    Rep Power
    15

    Default Re: Policy push speed is unchanged

    Quote Originally Posted by varera View Post
    You just need to note again GW should be also R80.10 to benefit. Otherwise it may same or even a bit more time to push policy to R77.30 and below, considering the new MGMT architecture.
    Improvements in the policy verification process will also apply to installing policies on R77.x (and earlier) gateways, thus you may see an improvement there, particularly if the policy is large (thousands of rules).
    There are additional improvements that only apply to R80.10+ gateways.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

Page 2 of 2 FirstFirst 12

Similar Threads

  1. Replies: 5
    Last Post: 2017-04-28, 09:02
  2. Can't push policy.
    By Maybedave in forum Installing And Upgrading
    Replies: 3
    Last Post: 2010-04-08, 20:24
  3. Is possible to log who have push the policy?
    By Thomas Riker in forum SmartView Tracker
    Replies: 3
    Last Post: 2009-11-03, 11:55
  4. can't load policy editor and push policy
    By yclee1981 in forum Sun Solaris
    Replies: 2
    Last Post: 2008-01-07, 23:20
  5. Policy cannot push
    By geelkabouter in forum SmartDashboard
    Replies: 3
    Last Post: 2007-02-14, 02:00

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •