Is Check Point policy first-match, or is it rather trie-based, where rules are converted to n-ary tries (graphs)? I think Palo Alto is using a trie-based policy
CPUG: The Check Point User Group
First, I hope you're all well and staying safe.
Is Check Point policy first-match, or is it rather trie-based, where rules are converted to n-ary tries (graphs)? I think Palo Alto is using a trie-based policy.
So does the number of rules matter? Is there a difference in packet delay (processing) between a rule set with 100 and 10k rules?
Yes, I think there is overhead that gets worse with size. If there wasn't overhead, I think there wouldn't be the need for drop templates (otherwise a packet runs through the entire ruleset just to be dropped) and acceleration. I think one of the main benefits of SAM cards was latency reduction.
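To make the difference the thread is discussing concrete, here is an added illustration (my own, not from the thread, and not how Check Point or Palo Alto actually implement their rulebases): an ordered first-match scan and a destination-prefix trie built from the same constructed rule set, each reporting how much work it does per packet. It assumes rules match on destination prefix only and that the last rule is an implicit drop.

```python
import ipaddress

# Constructed rule set: (name, destination prefix, action), evaluated in
# order for first-match; anything unmatched falls to the implicit drop.
RULES = [
    ("web",     "10.1.0.0/16",    "accept"),
    ("db-deny", "10.2.5.0/24",    "drop"),
    ("db",      "10.2.0.0/16",    "accept"),
    ("mgmt",    "192.168.0.0/24", "accept"),
]

def first_match(rules, dst):
    """Ordered first-match: scan top-down, stop at the first hit.
    Returns (action, rules examined). A packet matching nothing costs a
    full pass over the rulebase before the implicit drop."""
    ip = ipaddress.ip_address(dst)
    for examined, (_, net, action) in enumerate(rules, start=1):
        if ip in ipaddress.ip_network(net):
            return action, examined
    return "drop", len(rules)

def build_trie(rules):
    """Binary trie over destination-prefix bits. A node stores (index,
    action) of the earliest rule with exactly that prefix, so rulebase
    order is kept for rules sharing a prefix."""
    root = {}
    for idx, (_, net, action) in enumerate(rules):
        net = ipaddress.ip_network(net)
        node = root
        for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node.setdefault("rule", (idx, action))  # first rule for a prefix wins
    return root

def trie_match(root, dst):
    """Walk at most 32 bits, collect every rule whose prefix covers dst and
    pick the one highest in the rulebase. Work is bounded by address width,
    not by rule count. Returns (action, nodes visited)."""
    node, visited, hits = root, 0, []
    if "rule" in node:
        hits.append(node["rule"])
    for bit in format(int(ipaddress.ip_address(dst)), "032b"):
        if bit not in node:
            break
        node, visited = node[bit], visited + 1
        if "rule" in node:
            hits.append(node["rule"])
    return (min(hits)[1], visited) if hits else ("drop", visited)
```

Both functions return the same action for every packet; the difference is that the scan's cost grows with the position of the matching rule (worst case for a drop), while the trie's walk never exceeds the address width however many rules are loaded.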
If you have 10k rules, you'll have more issues installing policy from management than with latency on the firewall :)
Most of what has been said on this thread is true pre-R80.10 (i.e. rules are generally enforced in order in the Slowpath; SecureXL templates help).
In R80.10, the rulebase is a bit different, and more rules have less of an impact.
Also more things are SecureXL friendly, which helps as well.
http://phoneboy.org
Unless otherwise noted, views expressed are my own
So far my rule base is close to 100 per firewall ;) But this is because requests are manually implemented and optimized in the GUI (i.e. integrated into existing rules by adding a port or address here and there...). With the rise of APIs, there is the possibility to create rules automatically, based on approved requests. This process will increase the rule count dramatically. I've heard about cases where, after implementing the automation, the total number of rules is close to 10k ;) But the implementation time is down to hours, and auditors love it because every rule can be tracked to a ticket (not the case with manual optimization). It might be at the cost of potential packet delay, but e.g. Palo Alto is trie-based, so the delay can probably be ignored (for matches; don't know about drops), maybe the same with R80.10 CP plus helpful drop templates.
But it would require some extra program logic to find out where to put the rule, instead of a straightforward 'next to the bottom'.
Not much. For example, you can define security zones now, set a section per zone, and then just add more targeted rules in the section. If you have seen the R80 concept of the Unified Rulebase, it should be relatively clear. If not, you are welcome to join a session this weekend (details here: http://checkpoint-master-architect.b...forcement.html) or follow it up when the recording is ready. The only difference: you won't be able to ask any questions in the recorded version :-)
VL
Thanks, added to the calendar. Btw, what's the max number of rules (and/or sub-rules?) in CP?
There's no hard limit.
In the past, the main issue was working with SmartDashboard when the rulebase is thousands of rules (the biggest I've seen is over 7,000).
This should be improved in R80(.10).
http://phoneboy.org
Unless otherwise noted, views expressed are my own