You were clear.

Yes, it would be more efficient to only scan 10 rules,
instead of 20. No, CP doesn't have this feature yet, but
I'm almost positive that they would sell you another copy
for a second system so you would only have to process
10 rules instead of 20 ;) (poor humor, sorry. Not to mention
all the crap that comes with trying to get it working right.)

Robert

>>> "firewall" <[EMAIL PROTECTED]> 11/14/00 5:10:21 PM >>>
>Robert
>
>I know / agree that FW-1 can inspect both inbound and outbound traffic..
>My concern is having different rulebases for inbound and outbound traffic..
>Say my FW1 rulebase has 20 rules - 10 for inbound traffic and 10 for
>outbound. Consider an incoming packet. It will be matched against all the 20
>rules (the extreme case). Instead of the one rulebase, if my firewall had 2
>rulebases (one for inbound traffic with 10 rules and one for the outbound
>with 10 rules), the inbound packet will be matched against only a maximum of
>10 rules.. The inbound packet won't be matched against the 10 rules for
>outbound traffic.. Won't this enhance performance?
>
>Sorry if I'm not clearly expressing my question..
>
>Sam
>
>-----Original Message-----
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED]]On Behalf Of Robert MacDonald
>Sent: Wednesday, November 15, 2000 3:25 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
>Cc: [EMAIL PROTECTED] 
>Subject: Re: Different Rulebases for incoming and outgoing traffic..
>
>
>Samuel,
>
>Well fw1 does have the ability to inspect inbound and
>outbound. You do this by setting the "Apply Gateway Rules
>to Interface Direction" to 'Eitherbound'.
>
>As for increased performance - nope. You basically double
>the performance _hit_.
>
>See http://www.phoneboy.com/fw1/faq/0102.html for more
>info. You can search www.securepoint.com for comments
>on the good and evils of doing the above.
>
>Robert
>
>- -
>Robert P. MacDonald, Network Engineer
>Team Lead, e-Business Infrastructure
>G o r d o n   F o o d    S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED] 
>
>>>> "Samuel  Kindrol" <[EMAIL PROTECTED]> 11/14/00 4:44:28 PM >>>
>>Pardon me if my question is stupid or irrational..
>>
>>In Checkpoint FW-1 there is only one rulebase against which both incoming
>>and outgoing traffic is matched. Instead of this if there were two different
>>rulebases (sets of rules) for incoming and outgoing wouldn't it give better
>>performance?
>>
>>Why is this not there? Or is this the way the policy/rulebase works after
>>compilation?
>>
>>I think this feature is there in IPChains !!!
>>
>>Thanks
>>Sam
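
The rule-count argument in this thread, as an added example that is not part of the original messages: a generic first-match-wins packet filter evaluated once against a combined 20-rule rulebase and once against per-direction rulebases of 10 rules each. It is a simplified model and not FW-1's inspection engine; the Rule and Packet types, the port lists and the default-drop behaviour are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    proto: str
    dport: int
    action: str      # "accept" or "drop"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int

def first_match(rules, pkt):
    """Return (verdict, rules_compared): first match wins, default is drop."""
    for n, r in enumerate(rules, start=1):
        if (r.direction, r.proto, r.dport) == (pkt.direction, pkt.proto, pkt.dport):
            return r.action, n
    return "drop", len(rules)

def split_by_direction(rules):
    """Partition one ordered rulebase into per-direction rulebases, keeping order."""
    split = {"in": [], "out": []}
    for r in rules:
        split[r.direction].append(r)
    return split

def compare(rules, pkt):
    """Evaluate pkt against the combined rulebase and against its direction's half."""
    combined = first_match(rules, pkt)
    split = first_match(split_by_direction(rules)[pkt.direction], pkt)
    return combined, split

# Constructed rulebase: 10 outbound rules followed by 10 inbound rules.
OUT_PORTS = [80, 443, 25, 53, 21, 22, 110, 143, 123, 389]
IN_PORTS = [25, 80, 443, 53, 22, 8080, 993, 995, 500, 1723]
RULEBASE = ([Rule("out", "tcp", p, "accept") for p in OUT_PORTS] +
            [Rule("in", "tcp", p, "accept") for p in IN_PORTS])

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", 25), Packet("in", "tcp", 1723),
                Packet("in", "tcp", 23), Packet("out", "tcp", 389)):
        (v1, n1), (v2, n2) = compare(RULEBASE, pkt)
        print(f"{pkt}: combined={v1} after {n1} rules, split={v2} after {n2} rules")
```

In this model the verdict is identical either way because every rule names exactly one direction; only the number of rules compared changes, and how much it changes depends on where the matching rule sits in the combined ordering.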

