I have worked with clients that have over 100 rules and do not seem to have
a performance problem due to the rules base. However, as has been hinted in
the few responses, there are many factors that could degrade/enhance
performance. These include, but may not be limited to, OS, hardware
platform, amount of RAM, having the management console local or on another
box, number of interfaces, bandwidth and traffic levels through each
interface and if the firewall is doing inbound or eitherbound inspection.
Having a lengthy set of rules will also be a factor, but it may not be the
one that crushes the firewall or even stands out above any other. Nearly
every one of us has a "special" way we like to get the same function done...
I prefer to get as much done as possible with as few rules as possible (I
don't always achieve my goal) to help guard against this performance hit. I
also look at the other factors as a possible cause if the firewall does not
perform as well as I would like.
...just my .02 worth
Rob Cryan
Solutions Integration Manager
infinitespace.com
Two Westborough Business Park
Westborough, MA 01581
Office: 508.870.4714
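A check for the kind of mistake Lance describes in the quoted reply below (rules nobody understands any more once the rulebase grows), as an added example that is not part of any post in this thread: a small Python script over a constructed rulebase with first-match semantics, like FW-1's, that flags every rule an earlier rule already fully covers, either as redundant (same action, so it could be deleted) or as shadowed (conflicting action, so it never takes effect). Rule numbers, networks and service names are made up.

```python
import ipaddress

# Constructed rulebase in first-match order, loosely modelled on a FW-1 rule:
# (number, source, destination, service, action). "Any" matches everything;
# addresses are CIDR strings; services are plain names.
RULEBASE = [
    (1, "10.1.0.0/16", "Any", "http", "accept"),
    (2, "10.1.2.0/24", "Any", "http", "accept"),            # covered by rule 1, same action
    (3, "Any", "192.168.5.10/32", "ssh", "drop"),
    (4, "10.2.0.0/16", "192.168.5.10/32", "ssh", "accept"),  # covered by rule 3, opposite action
    (5, "Any", "Any", "Any", "drop"),
]


def _covers(outer, inner):
    """True if field value `outer` matches everything that `inner` matches."""
    if outer == "Any":
        return True
    if inner == "Any":
        return False
    try:
        # Both CIDR: inner must be a subnet of (or equal to) outer.
        # Mixed IPv4/IPv6 raises TypeError and is deliberately not caught.
        return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))
    except ValueError:
        # Not an address: treat as a service name, exact match only.
        return outer == inner


def rule_covers(earlier, later):
    """True if `earlier` matches every packet that `later` would match."""
    return all(_covers(a, b) for a, b in zip(earlier[1:4], later[1:4]))


def find_shadowed(rulebase):
    """Return (rule, covering_rule, kind) for each rule that can never fire
    because an earlier rule already matches all of its traffic."""
    findings = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if rule_covers(earlier, later):
                kind = "redundant" if earlier[4] == later[4] else "shadowed"
                findings.append((later[0], earlier[0], kind))
                break  # first covering rule is enough to report
    return findings


if __name__ == "__main__":
    for rule, by, kind in find_shadowed(RULEBASE):
        print(f"rule {rule} is {kind} by rule {by}")
```

Only full coverage of one rule by a single earlier rule is detected; a rule covered by the union of several earlier rules is not flagged.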
-----Original Message-----
From: Jesus Calvo Hernandez [SMTP:[EMAIL PROTECTED]]
Sent: Friday, July 28, 2000 7:28 AM
To: Lance Spitzner; Marty Saletta
Cc: FW-1
Subject: Re: [FW1] Test rule performance?
I've got 100 rules and it works quite fine; we have a separate management
console from the firewall module, though. It's got even two VPNs running.
Both machines are Pentium II ranging from 300 to 500 MHz, and 128 and 256
Mbytes RAM each.
----- Original Message -----
From: "Lance Spitzner" <[EMAIL PROTECTED]>
To: "Marty Saletta" <[EMAIL PROTECTED]>
Cc: "FW-1" <[EMAIL PROTECTED]>
Sent: Thursday, July 27, 2000 9:13 PM
Subject: Re: [FW1] Test rule performance?
>
> On Thu, 27 Jul 2000, Marty Saletta wrote:
>
> > Does anyone know a general "rule of thumb" about how
> > many rules FW-1 can handle before a performance hit?
> > I'm guessing it depends on a number of factors, such as
> > the hardware hosting the FW, speed of the network,
> > number of hosts, etc.
>
> One thing to consider, you will run into management problems
> of your rulebase long before you will hit performance issues.
> It may be difficult for your environment, but I recommend
> you keep your rulebase under 30 rules. Performance is not
> the issue, but managing your rules. Once you hit more then
> 30 rules, mistakes can happen. Once you hit a hundred rules
> no one really knows what is going on :)
>
> Something to consider ...
>
> lance
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
------------------------------------------------------------------
This email is confidential and intended solely for the use of the
individual to whom it is addressed. Any views or opinions presented are
solely those of the author and do not necessarily represent those of Sema
Group. If you are not the intended recipient, be advised that you have
received this email in error and that any use, dissemination, forwarding,
printing, or copying of this email is strictly prohibited. If you have
received this email in error please notify the Sema Group sae Helpdesk by
telephone on +34 91 4408888.
------------------------------------------------------------------