Optimizing rule base on Checkpoint Firewalls - Firewalls


  1. Optimizing rule base on Checkpoint Firewalls

    Hi everyone,

    I'm managing some firewalls for our corporate LAN and I'm trying to optimize the
    current rulebase in order to have better performance and simplify the management
    task.

    Currently we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter
    security and the other 2 for intranet security, and we are using a total of 85
    rules (some of them are applied only to specific firewalls while others are
    applied to all the systems). All this is managed from a central Management console.

    I'd like to know how Checkpoint works through the rulebase.
    I already know that the rules are checked sequentially until one is matched, but I
    need more information to fine-tune this process.

    1) is it possible/advisable to define different policy packages for different
    firewalls and work with them separately?
    2) does a firewall receive a policy containing only the rules referring to it, or
    every policy defined, and then check only its own rules?
    3) is it better to have one big rule grouping a lot of hosts, networks and services,
    or more simple rules (with few objects for each one)?

    Thanks
    Riccardo

    --
    --------------------------------------------------------
    - Remove NO SPAM to reply to me directly -
    --------------------------------------------------------
    - http://www.riccardofontana.it/ -
    --------------------------------------------------------
    - -
    - Monsieur Perrier: "What do you think?" -
    - MrWong: "Me perplexed." -
    - Alce: "I AM perplexed... a verb would be needed -
    - now and then.... you are driving me -
    - CRAZY!!!!!!" -
    - -
    --------------------------------------------------------

  2. Re: Optimizing rule base on Checkpoint Firewalls

    Well I'll tell you, dogbreath, now that you mentioned Checkpoint, as in Checkpoint
    Software, I am looking for various short sales starting around January 4th 2007. January
    will be at least a 10 percent down month for the markets, and the next couple of years
    should see the Dow give back at least half and the foreign markets give back at least
    three quarters.

    Dogbert wrote:

    > Hi everyone,
    >
    > I'm managing some firewalls for our corporate LAN and I'm trying to optimize the
    > current rulebase in order to have better performance and simplify the management
    > task.
    >
    > Currently we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter
    > security and the other 2 for intranet security, and we are using a total of 85
    > rules (some of them are applied only to specific firewalls while others are
    > applied to all the systems). All this is managed from a central Management console.
    >
    > I'd like to know how Checkpoint works through the rulebase.
    > I already know that the rules are checked sequentially until one is matched, but I
    > need more information to fine-tune this process.
    >
    > 1) is it possible/advisable to define different policy packages for different
    > firewalls and work with them separately?
    > 2) does a firewall receive a policy containing only the rules referring to it, or
    > every policy defined, and then check only its own rules?
    > 3) is it better to have one big rule grouping a lot of hosts, networks and services,
    > or more simple rules (with few objects for each one)?
    >
    > Thanks
    > Riccardo
    >



  3. Re: Optimizing rule base on Checkpoint Firewalls

    > 1) is it possible/advisable to define different policy packages for
    > different firewalls and work with them separately?


    Absolutely and Yes. Use the "Install On" column to target each policy for
    which firewall it should be installed on. All of the object definitions are
    shared between all policies, so you won't have to redefine them for each
    policy.

    > 2) does a firewall receive a policy containing only the rules referring to
    > it, or every policy defined, and then check only its own rules?


    Depends on what you have set in the "Install on" field. You actually can
    create one massive policy and use the "Install on" field to put only certain
    rules on certain firewalls. That is a mess to figure out when looking at it,
    though.

    > 3) is it better to have one big rule grouping a lot of hosts, networks and
    > services, or more simple rules (with few objects for each one)?


    Groups will evaluate faster than listing the individual objects. That being
    said, I doubt you would notice much difference on modern hardware. 85 rules
    is not a lot.

    What kind of bandwidth are you talking about and what kind of hardware?

    If you want to go through the hassle, you could set up SmartView Reporter
    and get an eval license. One of its canned reports shows you which rules are
    accessed how much.

    Ray





  4. Re: Optimizing rule base on Checkpoint Firewalls

    Jay wrote:
    >> 1) is it possible/advisable to define different policy packages for
    >> different firewalls and work with them separately?

    >
    > Absolutely and Yes. Use the "Install On" column to target each policy for
    > which firewall it should be installed on. All of the object definitions are
    > shared between all policies, so you won't have to redefine them for each
    > policy.
    >


    I'm already using the "Install On" column a lot. Most of the rules are installed
    only on the external or the internal firewall. I'd like to know if a firewall receives
    only a package of rules according to what has been specified in the "Install On" column.

    >> 2) does a firewall receive a policy containing only the rules referring to
    >> it, or every policy defined, and then check only its own rules?

    >
    > Depends on what you have set in the "Install on" field. You actually can
    > create one massive policy and use the "Install on" field to put only certain
    > rules on certain firewalls. That is a mess to figure out when looking at it,
    > though.
    >
    >> 3) is it better to have one big rule grouping a lot of hosts, networks and
    >> services, or more simple rules (with few objects for each one)?

    >
    > Groups will evaluate faster than listing the individual objects. That being
    > said, I doubt you would notice much difference on modern hardware. 85 rules
    > is not a lot.
    >
    > What kind of bandwidth are you talking about and what kind of hardware?
    >


    We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet adapter
    and a single SPARC II processor. Bandwidth for outside connections is 34 Mbps.
    The performance problem affects mainly the internal firewall, which needs to manage
    3 FastEthernet connections.

    > If you want to go through the hassle, you could set up SmartView Reporter
    > and get an eval license. One of its canned reports shows you which rules are
    > accessed how much.
    >


    I've already created a tool with php/mysql to import and analyze the firewall
    logs. :-)



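    The mechanics discussed in Ray's reply (post 3: "Install On" targeting, sequential
    first-match evaluation, rule-hit reporting) and Riccardo's home-grown log analysis
    (post 4), as an added example. This is not code from the thread or from Check Point;
    it is a plain-Python model of an ordered rulebase. The gateway names (fw-ext, fw-int),
    addresses, services and the key=value log layout are all constructed for illustration,
    and hit_counts() is not tuned to the real fwm logexport column format, so adapt it to
    your own export. Beyond what the thread states, it also flags shadowed rules (rules an
    earlier rule fully covers, so they cost evaluation time and can never match) and
    proposes a hit-based reorder that only moves a rule past rules it cannot overlap.

```python
# Toy model of an ordered Check Point-style rulebase (added example, not Check Point
# code): "Install On" targeting, first-match evaluation, shadowed rules, rule hit
# counts from log records, and a hit-based reorder that preserves first-match results.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
ALL_GATEWAYS = "Policy Targets"  # Check Point's "install on every gateway" target

@dataclass
class Rule:
    no: int
    src: list        # CIDR strings, or [ANY]
    dst: list
    svc: set         # service names, or {ANY}
    action: str      # "accept" or "drop"
    install_on: set  # gateway names, or {ALL_GATEWAYS}

def _addr_match(field, addr):
    return ANY in field or any(ip_address(addr) in ip_network(n) for n in field)

def matches(rule, src, dst, svc):
    return (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
            and (ANY in rule.svc or svc in rule.svc))

def installed_on(rules, gateway):
    """The rules a gateway actually receives, in policy order."""
    return [r for r in rules if ALL_GATEWAYS in r.install_on or gateway in r.install_on]

def first_match(rules, gateway, src, dst, svc):
    """Sequential first match; no match falls through to the implicit drop."""
    for r in installed_on(rules, gateway):
        if matches(r, src, dst, svc):
            return r.no, r.action
    return None, "drop"

def _addr_covers(fa, fb):
    return ANY in fa or (ANY not in fb and all(
        any(ip_network(y).subnet_of(ip_network(x)) for x in fa) for y in fb))

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (_addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
            and (ANY in a.svc or (ANY not in b.svc and b.svc <= a.svc)))

def shadowed(rules, gateway):
    """Rules that can never fire on this gateway because an earlier rule covers them."""
    rs = installed_on(rules, gateway)
    return [r.no for i, r in enumerate(rs) if any(covers(q, r) for q in rs[:i])]

def _addr_overlap(fa, fb):
    return (ANY in fa or ANY in fb
            or any(ip_network(x).overlaps(ip_network(y)) for x in fa for y in fb))

def may_overlap(a, b):
    """True if some packet could match both rules, i.e. their relative order matters."""
    return (_addr_overlap(a.src, b.src) and _addr_overlap(a.dst, b.dst)
            and bool(ANY in a.svc or ANY in b.svc or a.svc & b.svc))

def hit_counts(log_lines):
    """Hits per rule number from 'key=value;...' records that carry a 'rule' field."""
    counts = Counter()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
        if fields.get("rule", "").isdigit():
            counts[int(fields["rule"])] += 1
    return counts

def suggest_order(rules, counts):
    """Move hot rules up, but only past rules they cannot overlap, so every packet
    still hits the same rule on every gateway."""
    order = []
    for r in rules:
        pos = len(order)
        while (pos > 0 and counts[order[pos - 1].no] < counts[r.no]
               and not may_overlap(order[pos - 1], r)):
            pos -= 1
        order.insert(pos, r)
    return [r.no for r in order]

# Constructed sample policy: 10.0.0.1-2 are the gateways, 10.10/16 the LAN,
# 10.20/16 and 10.30/16 server networks; gateway names are made up.
RULES = [
    Rule(1, [ANY], ["10.0.0.1/32", "10.0.0.2/32"], {ANY}, "drop", {ALL_GATEWAYS}),  # stealth
    Rule(2, ["10.10.0.0/16"], [ANY], {"http", "https"}, "accept", {"fw-ext"}),
    Rule(3, ["10.10.9.0/24"], ["10.20.0.0/16"], {"smb"}, "accept", {"fw-int"}),
    Rule(4, ["10.10.0.0/16"], ["10.20.0.0/16"], {"ldap"}, "accept", {"fw-int"}),
    Rule(5, ["10.10.9.0/24"], ["10.20.0.0/16"], {"smb"}, "drop", {"fw-int"}),  # shadowed by 3
    Rule(6, ["10.10.0.0/16"], ["10.30.0.0/16"], {"ldap"}, "accept", {"fw-int"}),
]

# Constructed log records (not real fwm logexport output; adapt the parser to your columns).
LOGS = (["action=drop;src=10.10.1.1;dst=10.0.0.2;service=ssh;rule=1"] * 7
        + ["action=accept;src=10.10.1.1;dst=203.0.113.5;service=https;rule=2"] * 3
        + ["action=accept;src=10.10.9.5;dst=10.20.3.3;service=smb;rule=3"] * 2
        + ["action=accept;src=10.10.1.1;dst=10.20.3.3;service=ldap;rule=4"]
        + ["action=accept;src=10.10.1.1;dst=10.30.3.3;service=ldap;rule=6"] * 6)
```

    With this policy, installed_on(RULES, "fw-int") yields rules 1, 3, 4, 5 and 6 (rule 2
    never reaches the internal gateway), shadowed(RULES, "fw-int") reports rule 5, and
    suggest_order(RULES, hit_counts(LOGS)) returns [1, 6, 2, 3, 4, 5]: the busiest rule (6)
    floats up past rules it cannot share a packet with and stops under the stealth rule only
    because the stealth rule has more hits. The reorder is semantics-preserving but not
    policy-aware, so pin anything you want fixed at the top (the stealth rule, a drop-all
    before a broad accept) rather than letting hit counts decide, and review shadowed rules
    by hand before deleting them.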

  5. Re: Optimizing rule base on Checkpoint Firewalls

    On Fri, 29 Dec 2006 13:17:08 +0100, Dogbert wrote:


    >
    >Currently we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter
    >security and the other 2 for intranet security, and we are using a total of 85
    >rules (some of them are applied only to specific firewalls while others are
    >applied to all the systems).


    85 rules spread over 4 firewalls is not a big rule base.


    > All this is managed from a central Management console.
    >
    >I'd like to know how Checkpoint works through the rulebase.
    >I already know that the rules are checked sequentially until one is matched, but I
    >need more information to fine-tune this process.
    >
    >1) is it possible/advisable to define different policy packages for different
    >firewalls and work with them separately?


    Yes, from a change management perspective such an approach is preferable.



    greg
    --
    "He's raising an unholy army of singing dinosaurs!"

  6. Re: Optimizing rule base on Checkpoint Firewalls

    > I'm already using the "Install On" column a lot. Most of the rules are
    > installed only on the external or the internal firewall. I'd like to know if a
    > firewall receives only a package of rules according to what has been specified
    > in the "Install On" column.


    Yes.

    > We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet
    > adapter and a single SPARC II processor. Bandwidth for outside connections
    > is 34 Mbps. The performance problem affects mainly the internal firewall,
    > which needs to manage 3 FastEthernet connections.


    Sorry, I'm not familiar with Sun hardware. I'm running similar bandwidth on
    a Nokia (BSD) with a 700 MHz P-III and 1 GB of RAM and I have no performance
    issues.

    What performance issues are you seeing?

    Ray


