RE: [FW1] How many rules can exists in fw1 ?
Jennifer Galvin (jgalvin@digex.net)
Sat, 19 Sep 1998 18:40:48 -0400 (EDT)
- Next message: C Matthew Curtin: "Re: NetMeeting security solution?"
- Previous message: Rick Loftus: "RE: utility for NAT"
- In reply to: sandeep kumar: "utility for NAT"
- Next in thread: Vern Paxson: "Re: [FW1] How many rules can exists in fw1 ?"
- Reply: Vern Paxson: "Re: [FW1] How many rules can exists in fw1 ?"
- Reply: Deepak Vaidya: "Re: [FW1] How many rules can exists in fw1 ?"
That's how it was explained to me in class. Plus, if you have a rule that
requires encryption between two hosts, and then later on it allows no
encryption between two hosts, FW1 will then pick the rule with less
security, even though it comes after the 1st rule.
Regards,
Jennifer Galvin
> Really?
>
> I'd always thought that packets were compared from the rulebase until a match was found..
>
> Try rule 0 first.. Nope does not match..
> Try rule 1 next.. nope does not match..
> Try rule 2 next.. nope does not match
> ..
> ..
> ..
> Try rule 25.. AHA.. we have a source AND dest AND service match.. is it allowed or not?
>
>
>
> > -----Original Message-----
> > From: Jennifer Galvin [SMTP:jgalvin@digex.net]
> > Sent: Saturday, September 19, 1998 3:21 PM
> > To: Øyvind Olsen
> > Cc: fw-1-mailinglist@lists.us.checkpoint.com
> > Subject: Re: [FW1] How many rules can exists in fw1 ?
> >
> >
> >
> > Whenever you edit an existing rulebase, and insert a new rule, more
> > Inspect code is generated by the gui for the new policy. So, 500 rules =
> > lots of code for the inspection engine to crank through before it decides
> > what to do with the traffic. Remember, FW1 is a best-fit firewall, not a
> > first-fit, so it will preview all rules before it determines which one
> > best matches the traffic going in or out. This means the amount of
> > Inspect code is probably directly proportional to the overhead the
> > firewall is going to experience each time it needs to analyze traffic.
> >
> > In short, make it concise, since more rules may slow down your firewall.
> >
> > Regards,
> > Jennifer Galvin
> >
> > >
> > > Hi !
> > >
> > > Has anyone experimented with, say, 500 rules, and measured how the
> > > performance is affected?
> > >
> > > I might set up a test myself, but thought I'd ask the Gurus first ...
> > >
> > > Regards,
> > > Oyvind Olsen
> > >
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >
> >
> >
> > ----------------------
> > Jennifer Galvin
> > Digex Firewall Support Engineer
> > jgalvin@digex.net
> > (301) 847-7179
> > Digex is an Intermedia Communications Company
> > ----------------------
> >
> >
> >
> >
> >
>
----------------------
Jennifer Galvin
Digex Firewall Support Engineer
jgalvin@digex.net
(301) 847-7179
Digex is an Intermedia Communications Company
----------------------
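Added example, not from the thread and not Check Point's code: a small Python model of the two rulebase evaluation strategies the messages above argue about, first-match (top-down, stop at the first hit) and best-fit (examine every rule, take the most specific match). The rules, the packet and the specificity scoring are constructed for illustration and are assumptions, not FW-1's actual algorithm. Under first-match the encrypt rule wins and the later clear-text rule is shadowed, which is exactly what a rulebase audit should flag; under best-fit the more specific clear-text rule wins and every rule is examined regardless of position, which is the overhead concern raised in the thread. Which model a given product version uses should be confirmed against its documentation before drawing conclusions about either security or performance.

```python
# Added example (not from the thread): first-match vs. best-fit rulebase
# evaluation, plus a shadowing check. Rules and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # CIDR
    dst: str      # CIDR
    service: str  # 'any' or a service name
    action: str   # 'accept', 'drop', 'encrypt'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source, destination and service must all match."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.service in ("any", pkt.service))


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[Rule], int]:
    """Top-down: stop at the first matching rule.
    Returns (rule, rules_examined); rule is None when nothing matched."""
    for examined, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule, examined
    return None, len(rules)


def specificity(rule: Rule) -> int:
    """Assumed scoring for illustration: longer prefixes and a named service count more."""
    return (ip_network(rule.src).prefixlen
            + ip_network(rule.dst).prefixlen
            + (0 if rule.service == "any" else 1))


def best_fit(rules: List[Rule], pkt: Packet) -> Tuple[Optional[Rule], int]:
    """Examine every rule and choose the most specific match (earlier rule wins ties).
    The whole rulebase is always scanned, so cost grows with rule count."""
    candidates = [r for r in rules if matches(r, pkt)]
    if not candidates:
        return None, len(rules)
    return max(candidates, key=lambda r: (specificity(r), -r.number)), len(rules)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Under first-match, a rule is shadowed when an earlier rule covers every
    packet it could match. Returns (shadowed_rule, shadowing_rule) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.service in ("any", later.service)):
                found.append((later.number, earlier.number))
                break
    return found


# Constructed rulebase mirroring the thread's scenario: an encrypt rule between
# two sites, followed by a more specific rule that allows the same traffic in clear.
RULEBASE = [
    Rule(1, "10.1.0.0/16", "10.2.0.0/16", "any", "encrypt"),
    Rule(2, "10.1.5.0/24", "10.2.7.0/24", "http", "accept"),
    Rule(3, "0.0.0.0/0", "0.0.0.0/0", "any", "drop"),
]
PKT = Packet("10.1.5.10", "10.2.7.20", "http")

if __name__ == "__main__":
    for name, model in (("first-match", first_match), ("best-fit", best_fit)):
        rule, examined = model(RULEBASE, PKT)
        print(f"{name}: rule {rule.number} ({rule.action}), {examined} rules examined")
    print("shadowed under first-match:", shadowed_rules(RULEBASE))
```

The shadowing check is the practical takeaway regardless of which model applies: a rule that a first-match engine can never reach is either dead weight (the performance worry above) or a sign that the author expected best-fit semantics and the policy does not do what they think. `ip_network.subnet_of` needs Python 3.7 or later.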
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT