Optimizing rule base on Checkpoint Firewalls

Posted by Dogbert on December 29, 2006, 7:17 am
Hi everyone,

I'm managing some firewalls for our corporate LAN and I'm trying to optimize the
current rulebase in order to have better performance and simplify the management
task.

Actually we have 4 different firewalls (Checkpoint NG with AI), 2 for perimetral
security and the other 2 for intranet security, and we are using a total of 85
rules (some of them are applied only to specific firewalls while others are
applied to all the systems). All this is managed from a central Management
console.

I'd like to know how Checkpoint works through the rulebase.
I already know that they are checked sequentially until a rule is matched, but I
need more information to fine-tune this process.

1) Is it possible/advisable to define different policy packages for different
firewalls and work with them separately?
2) Does a firewall receive a policy containing only the rules referring to it, or
every policy defined, and then check only its rules?
3) Is it better to have one big rule grouping a lot of hosts, networks and services,
or more simple rules (with few objects for each one)?

Thanks
Riccardo

--
--------------------------------------------------------
- Remove NO SPAM to reply to me directly -
--------------------------------------------------------
- http://www.riccardofontana.it/ -
--------------------------------------------------------
- -
- Monsieur Perrier: "What do you think about it?" -
- MrWong: "Me perplexed." -
- Alce: "I AM perplexed... a verb would be needed -
- once in a while.... you drive me -
- CRAZY !!!!!! -
- -
--------------------------------------------------------

Posted by Tony on December 29, 2006, 9:04 am
Well I'll tell you dogbreath now that you mentioned checkpoint as in checkpoint
software I am looking for various short sales starting around January 4th 2007.
January will be at least a 10 percent down month for the markets and the next
couple of years should see the Dow give back at least half and the foreign
markets give back at least three quarters.

Dogbert wrote:

> Hi everyone,
>
> I'm managing some firewalls for our corporate LAN and I'm trying to optimize the
> current rulebase in order to have better performance and simplify the management
> task.
>
> Actually we have 4 different firewalls (Checkpoint NG with AI), 2 for perimetral
> security and the other 2 for intranet security, and we are using a total of 85
> rules (some of them are applied only to specific firewalls while others are
> applied to all the systems). All this is managed from a central Management
> console.
>
> I'd like to know how Checkpoint works through the rulebase.
> I already know that they are checked sequentially until a rule is matched, but I
> need more information to fine-tune this process.
>
> 1) Is it possible/advisable to define different policy packages for different
> firewalls and work with them separately?
> 2) Does a firewall receive a policy containing only the rules referring to it, or
> every policy defined, and then check only its rules?
> 3) Is it better to have one big rule grouping a lot of hosts, networks and services,
> or more simple rules (with few objects for each one)?
>
> Thanks
> Riccardo
>


Posted by Jay on December 29, 2006, 7:14 pm
> 1) is it possible/advisable to define different policy packages for
> different firewalls and work with them separately?

Absolutely and Yes. Use the "Install On" column to target each policy for
which firewall it should be installed on. All of the object definitions are
shared between all policies, so you won't have to redefine them for each
policy.

> 2) does a firewall receive a policy containing only the rules referring to
> it or every policy defined and then it check only its rules ?

Depends on what you have set in the "Install on" field. You actually can
create one massive policy and use the "Install on" field to put only certain
rules on certain firewalls. That is a mess to figure out when looking at it,
though.

> 3) is better to have one big rule grouping a lot of host, network and
> services or more simple rules (with few objects for each one) ?

Groups will evaluate faster than listing the individual objects. That being
said, I doubt you would notice much difference on modern hardware. 85 rules
is not a lot.

What kind of bandwidth are you talking about and what kind of hardware?

If you want to go through the hassle, you could set up SmartView Reporter
and get an eval license. One of its canned reports shows you which rules are
accessed how much.

Ray




Posted by Dogbert on December 30, 2006, 6:01 am
Jay wrote:
>> 1) is it possible/advisable to define different policy packages for
>> different firewalls and work with them separately?
>
> Absolutely and Yes. Use the "Install On" column to target each policy for
> which firewall it should be installed on. All of the object definitions are
> shared between all policies, so you won't have to redefine them for each
> policy.
>

I'm already using the "Install On" column a lot. Most of the rules are installed
only on the external or internal firewall. I'd like to know if a firewall receives
only the package of rules corresponding to what has been specified in the
"Install On" column.

>> 2) does a firewall receive a policy containing only the rules referring to
>> it or every policy defined and then it check only its rules ?
>
> Depends on what you have set in the "Install on" field. You actually can
> create one massive policy and use the "Install on" field to put only certain
> rules on certain firewalls. That is a mess to figure out when looking at it,
> though.
>
>> 3) is better to have one big rule grouping a lot of host, network and
>> services or more simple rules (with few objects for each one) ?
>
> Groups will evaluate faster than listing the individual objects. That being
> said, I doubt you would notice much difference on modern hardware. 85 rules
> is not a lot.
>
> What kind of bandwidth are you talking about and what kind of hardware?
>

We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet adapter
and a single SPARC II processor. Bandwidth for outside connections is 34 Mbps.
The performance problem affects mainly the internal firewall, which needs to manage
3 FastEthernet connections.

> If you want to go through the hassle, you could set up SmartView Reporter
> and get an eval license. One of its canned reports shows you which rules are
> accessed how much.
>

I've already created a tool with php/mysql to import and analyze the firewall
logs. :-)




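Jay's reply (a gateway gets only the rules whose "Install On" names it; a hit-count report shows which rules are used) and Riccardo's follow-up (a home-grown log importer for the same purpose) fit together in one small model. The Python below is an added example, not code from the thread and not Check Point's own: it walks a rulebase sequentially to the first match, filters rules per gateway, counts hits from log lines, and reorders by hit count while only ever moving a rule above a neighbour it can never overlap with, so the first match for every packet is unchanged. The rule names, addresses, gateway names, the `rule=<name>` log field (Check Point logs identify rules differently) and the assumption that unmatched traffic is dropped are all constructed for the example.

```python
"""Added example (not from the thread, not Check Point code): a toy rulebase
model with first-match evaluation, per-gateway 'Install On' filtering, hit
counting from log lines, and a hit-ordered reorder that never changes a decision."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple                      # CIDR strings, or (ANY,)
    dst: tuple
    services: tuple                 # "proto/port" strings, or (ANY,)
    action: str
    install_on: tuple = ("all",)    # gateway names, or ("all",)

def _contains(nets, ip):
    return nets == (ANY,) or any(ip_address(ip) in ip_network(n) for n in nets)

def _nets_overlap(a, b):
    """Conservative: True whenever some address could be in both sets."""
    if a == (ANY,) or b == (ANY,):
        return True
    return any(ip_network(x).overlaps(ip_network(y)) for x in a for y in b)

def rule_matches(rule, src, dst, service):
    return (_contains(rule.src, src) and _contains(rule.dst, dst)
            and (rule.services == (ANY,) or service in rule.services))

def gateway_rulebase(rules, gateway):
    """Rules a gateway actually receives, per the 'Install On' column."""
    return [r for r in rules if "all" in r.install_on or gateway in r.install_on]

def first_match(rules, src, dst, service):
    """Sequential evaluation: the first matching rule decides."""
    for r in rules:
        if rule_matches(r, src, dst, service):
            return r.name, r.action
    return "implicit-cleanup", "drop"   # assumed: unmatched traffic is dropped

def may_overlap(r1, r2):
    """True if some packet could match both rules (an over-approximation)."""
    svc = (r1.services == (ANY,) or r2.services == (ANY,)
           or bool(set(r1.services) & set(r2.services)))
    return svc and _nets_overlap(r1.src, r2.src) and _nets_overlap(r1.dst, r2.dst)

def count_hits(log_lines):
    """Per-rule hit counts from the (constructed) 'rule=<name>' log field."""
    hits = Counter()
    for line in log_lines:
        m = re.search(r"\brule=(\S+)", line)
        if m:
            hits[m.group(1)] += 1
    return hits

def reorder_by_hits(rules, hits):
    """Insertion sort by descending hit count, where a rule may only move past
    a neighbour it cannot overlap with. Overlapping pairs keep their relative
    order, so the first match for every packet is unchanged."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while (j > 0 and hits[order[j].name] > hits[order[j - 1].name]
               and not may_overlap(order[j], order[j - 1])):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return order

def same_decisions(rules_a, rules_b, packets):
    return all(first_match(rules_a, *p) == first_match(rules_b, *p) for p in packets)

# Constructed sample rulebase: names, addresses and gateway names are made up.
RULES = [
    Rule("mgmt-ssh", ("10.0.0.0/24",), ("10.1.1.10/32",), ("tcp/22",), "accept", ("fw-int",)),
    Rule("web-out", ("10.0.0.0/16",), (ANY,), ("tcp/80", "tcp/443"), "accept", ("fw-ext",)),
    Rule("dns-out", ("10.0.0.0/16",), ("10.1.1.53/32",), ("udp/53",), "accept"),
    Rule("block-p2p", (ANY,), (ANY,), ("tcp/6881",), "drop"),
    Rule("cleanup", (ANY,), (ANY,), (ANY,), "drop"),
]
# Constructed log lines (not Check Point's format); only rule=<name> is parsed.
LOG_LINES = (["accept fw-int src=10.0.0.7 dst=10.1.1.53 service=udp/53 rule=dns-out"] * 3
             + ["drop fw-int src=10.0.3.4 dst=203.0.113.9 service=tcp/6881 rule=block-p2p"] * 2
             + ["accept fw-int src=10.0.0.2 dst=10.1.1.10 service=tcp/22 rule=mgmt-ssh"])
SAMPLE_PACKETS = [("10.0.0.5", "10.1.1.10", "tcp/22"), ("10.0.0.5", "10.1.1.53", "udp/53"),
                  ("10.0.0.5", "203.0.113.9", "tcp/80"), ("10.0.3.4", "203.0.113.9", "tcp/6881")]

def optimise(gateway="fw-int"):
    """Return (order the gateway receives, hit-ordered equivalent) as rule names."""
    base = gateway_rulebase(RULES, gateway)
    new = reorder_by_hits(base, count_hits(LOG_LINES))
    assert same_decisions(base, new, SAMPLE_PACKETS)   # regression check
    return [r.name for r in base], [r.name for r in new]

if __name__ == "__main__":
    print(optimise())
```

For the internal gateway, `optimise("fw-int")` shows that `web-out` is never received at all, and that `dns-out` and `block-p2p` move above `mgmt-ssh` because no packet can match both them and it, while `cleanup` stays last since it overlaps everything. A real rulebase has more dimensions than this model (implied rules, NAT, negated objects, time fields), so any reorder derived from hit counts should be checked against logged decisions before it is installed.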
Posted by Jay on December 30, 2006, 6:41 pm
> I'm already using the "Install On" column a lot. Most of the rules are
> installed only on the external or internal firewall. I'd like to know if a
> firewall receives only the package of rules corresponding to what has been
> specified in the "Install On" column.

Yes.

> We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet
> adapter and a single SPARC II processor. Bandwidth for outside connections
> is 34 Mbps. The performance problem affects mainly the internal firewall,
> which needs to manage 3 FastEthernet connections.

Sorry, I'm not familiar with Sun hardware. I'm running similar bandwidth on
a Nokia (BSD) with a 700 MHz P-III and 1 GB of RAM and I have no performance
issues.

What performance issues are you seeing?

Ray


