CPUG: The Check Point User Group


Thread: Security policy rule order ?

  1. #1
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Default Security policy rule order ?

    Is Check Point policy first-match, or is it rather trie-based, where rules are converted to 'n-ary tries' (graphs)? I think Palo Alto is using a trie-based policy.

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,369
    Rep Power
    8

    Default Re: Security policy rule order ?

    Quote Originally Posted by Irek_Romaniuk View Post
    Is Check Point policy first-match, or is it rather trie-based, where rules are converted to 'n-ary tries' (graphs)? I think Palo Alto is using a trie-based policy.
    My guess would be that this is true only for the slow path and medium path (first match), and that acceleration is some kind of hash lookup.

  3. #3
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Default Re: Security policy rule order ?

    So does the number of rules matter? Is there a difference in packet delay (processing) between a rule set with 100 rules and one with 10k rules?

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,369
    Rep Power
    8

    Default Re: Security policy rule order ?

    Quote Originally Posted by Irek_Romaniuk View Post
    So does the number of rules matter? Is there a difference in packet delay (processing) between a rule set with 100 rules and one with 10k rules?
    Yes, I think there is overhead that gets worse with size. If there wasn't overhead, I think there wouldn't be a need for drop templates (do run a packet through the entire ruleset for a drop) and acceleration. I think one of the main benefits of SAM cards was latency reduction.

  5. #5
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,342
    Rep Power
    15

    Default Re: Security policy rule order ?

    Quote Originally Posted by Irek_Romaniuk View Post
    So does the number of rules matter? Is there a difference in packet delay (processing) between a rule set with 100 rules and one with 10k rules?
    If you have 10k rules, you'll have more issues installing policy from management than with latency on the firewall :)
    Most of what has been said on this thread is true pre-R80.10 (i.e. rules are generally enforced in order in Slowpath, SecureXL templates help).

    In R80.10, the rulebase is a bit different, and more rules have less of an impact.
    Also more things are SecureXL friendly, which helps as well.
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  6. #6
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    965
    Rep Power
    12

    Default Re: Security policy rule order ?

    Quote Originally Posted by PhoneBoy View Post
    In R80.10, the rulebase is a bit different, and more rules have less of an impact.
    Also more things are SecureXL friendly, which helps as well.
    Well, yes and no. If the rulebase is not optimized, matching the first packet may take less effort for lower rules. However, with long yet well-optimized policies, R80.10 rulebase search logic will backfire.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  7. #7
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Default Re: Security policy rule order ?

    So far my rule base is close to 100 per firewall ;) But this is because requests are manually implemented and optimized in the GUI (i.e. integrated into existing rules by adding a port or address here and there...). With the rise of APIs, there is the possibility to create rules automatically, based on approved requests. This process will increase the rule count dramatically. I've heard about cases where, after implementing the automation, the total number of rules is close to 10k ;) But the implementation time is down to hours, and auditors love it because every rule can be tracked to a ticket (not the case with manual optimization). It might be at the cost of potential packet delay, but i.e. Palo Alto is trie-based, so delay can probably be ignored (for matches, don't know about drops); maybe the same with R80.10 CP plus helpful drop templates.

  8. #8
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    965
    Rep Power
    12

    Default Re: Security policy rule order ?

    Quote Originally Posted by Irek_Romaniuk View Post
    So far my rule base is close to 100 per firewall ;) But this is because requests are manually implemented and optimized in the GUI (i.e. integrated into existing rules by adding a port or address here and there...). With the rise of APIs, there is the possibility to create rules automatically, based on approved requests. This process will increase the rule count dramatically. I've heard about cases where, after implementing the automation, the total number of rules is close to 10k ;) But the implementation time is down to hours, and auditors love it because every rule can be tracked to a ticket (not the case with manual optimization). It might be at the cost of potential packet delay, but i.e. Palo Alto is trie-based, so delay can probably be ignored (for matches, don't know about drops); maybe the same with R80.10 CP plus helpful drop templates.
    Even with automation, you can use a system of sub-rules with R80.10, which allows the FW to skip large portions of sub-rules if the main rule is not matched.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  9. #9
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Default Re: Security policy rule order ?

    But it would require some extra program logic to find out where to put the rule, instead of the straightforward 'next to the bottom'.

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    965
    Rep Power
    12

    Default Re: Security policy rule order ?

    Quote Originally Posted by Irek_Romaniuk View Post
    But it would require some extra program logic to find out where to put the rule, instead of the straightforward 'next to the bottom'.
    Not much. For example, you can define security zones now, set a section per zone, and then just add a more targeted rule in the section. If you have seen the R80 concept of the Unified Rulebase, it should be relatively clear. If not, you are welcome to join a session this weekend (details here http://checkpoint-master-architect.b...forcement.html) or follow it up when the recording is ready. The only difference is that you won't be able to ask any questions in the recorded version :-)

    VL
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
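Added here as an illustration of the two layouts discussed in #8 and #10 (and of the first-match question raised in #1): a toy first-match rulebase in Python that compares a flat "append at the bottom" rulebase with a per-zone parent rule gating a list of sub-rules, counting how many rules the matcher touches per packet. This is not code from the thread or from Check Point, and it is not Check Point's matching engine; the zone networks, ports, rule names, and the choice that an unmatched sub-rule list ends in an implicit cleanup drop are constructed assumptions for the demo.

```python
"""
Toy model of a first-match firewall rulebase: flat layout vs. a parent rule
that gates a list of sub-rules (the per-zone sections described in the thread).
Illustrative code added to the thread; not Check Point's matching engine.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # None means any service
    action: str = "drop"          # "accept" or "drop"; ignored when sub_rules is set
    sub_rules: List["Rule"] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        return (_in(self.src, pkt.src) and _in(self.dst, pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def _in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """Top-down walk, first match wins. Returns (action, rule name, rules evaluated).
    A matched parent hands the packet to its sub-rules only; if none of them match,
    the sub-rule list's implicit cleanup drops it (modelling assumption)."""
    evaluated = 0
    for rule in rules:
        evaluated += 1
        if not rule.matches(pkt):
            continue
        if rule.sub_rules:
            action, name, sub_evals = first_match(rule.sub_rules, pkt)
            return action, name, evaluated + sub_evals
        return rule.action, rule.name, evaluated
    return "drop", "implicit cleanup", evaluated


# Constructed sample: three destination zones, five allowed services each.
ZONES = {"dmz": "10.1.0.0/16", "db": "10.2.0.0/16", "mgmt": "10.3.0.0/16"}
PORTS = [22, 80, 443, 3306, 8443]


def flat_rulebase() -> List[Rule]:
    # One top-level rule per (zone, port), in the order an automation script
    # appending "next to the bottom" would produce: 15 rules in a row.
    return [Rule(f"{z}-{p}", "any", net, p, "accept")
            for z, net in ZONES.items() for p in PORTS]


def layered_rulebase() -> List[Rule]:
    # One parent rule per zone (any source, zone network as destination);
    # the service rules live underneath it and are skipped when it does not match.
    return [Rule(f"to-{z}", "any", net,
                 sub_rules=[Rule(f"{z}-{p}", "any", net, p, "accept") for p in PORTS])
            for z, net in ZONES.items()]


def compare(pkt: Packet) -> Tuple[int, int]:
    """Rules evaluated for one packet by the flat vs. the layered rulebase."""
    return first_match(flat_rulebase(), pkt)[2], first_match(layered_rulebase(), pkt)[2]


def shadowing_demo() -> Tuple[str, str]:
    """Order matters under first-match: a broad accept placed above a specific
    drop shadows it; swapping the two restores the intended deny."""
    broad = Rule("any-to-dmz-443", "any", ZONES["dmz"], 443, "accept")
    specific = Rule("block-host-to-dmz-443", "10.9.9.9/32", ZONES["dmz"], 443, "drop")
    pkt = Packet("10.9.9.9", "10.1.0.7", 443)
    return first_match([broad, specific], pkt)[0], first_match([specific, broad], pkt)[0]


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.5", "10.3.0.9", 8443),   # last zone, last service
                Packet("192.168.1.5", "10.1.0.7", 25),     # first zone, no matching service
                Packet("192.168.1.5", "10.1.0.7", 22)):    # first zone, first service
        print(pkt, "flat/layered evaluations:", compare(pkt))
    print("broad-above-specific vs specific-above-broad:", shadowing_demo())
```

Two things the counts show: for a packet aimed at the last zone the layered rulebase touches 8 rules instead of 15, and a packet with no matching service is dropped after 6 rather than 15 evaluations, because the other zones' sub-rules are never visited. For a packet that the very first rule accepts, however, the layered layout costs one extra evaluation (parent plus sub-rule), which is the kind of trade-off behind the "backfire" remark in #6 for policies that were already hand-ordered with the hottest rules at the top.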

  11. #11
    Join Date
    2014-10-10
    Posts
    247
    Rep Power
    3

    Default Re: Security policy rule order ?

    Thanks, added to the calendar. Btw, what's the max number of rules (and/or sub-rules?) in CP?

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,342
    Rep Power
    15

    Default Re: Security policy rule order ?

    There's no hard limit.
    In the past, the main issue was working with SmartDashboard when the rulebase is thousands of rules (the biggest I've seen is over 7,000).
    This should be improved in R80(.10).
    http://phoneboy.com
    Unless otherwise noted, views expressed are my own

  13. #13
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    965
    Rep Power
    12

    Default Re: Security policy rule order ?

    Quote Originally Posted by PhoneBoy View Post
    the biggest I've seen is over 7,000
    Over 10K here.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
