We help IT Professionals succeed at work.
Get Started

Number of firewall rules cause slowness?  Firewall rules review to remove dormant rules

Last Modified: 2020-01-09
Our network team raised concern that with the number of IP addresses to block
(currently we create a group & add in IP addresses) coming from cyber regulator,
it may hog/slow down our CheckPoint 12600.

What's the rule of thumb for max number of rules for 12600?  We estimated the
number of IP to block to reach 5000 per year.

There's currently 1 rule ie "Deny Threat_intel_list All  for all ports/protocol":
So with only 1 rule but adding IP to the "Threat_intel_list" cause slowness or
by adding the # of IP to the list will increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule to multiple rules ie 1 rule for 1 IP from
Threat Intel to block so that we can assess if there are hits & subsequently
assess whether to remove rules that don't have hits after, say 6 months so
as to reduce the # of rules & load to the firewall: is this a good practice in
terms of making the firewall faster?  In terms of cybersecurity, was advised
by one vendor this is a safe practice as IOCs that are 'dormant' ought to be
removed, just like AV vendors removed signatures for viruses that have not
been seen in the wild for quite a while to reduce the size/length of the AV
signature file/DB.

To do firewall rules review (ie remove rules,  permit or block rules: permit as
it means the endpoint device may have been decomm'ed & block if the IOC
is not active), reckon we review if there are hits.  Heard Tuffin can't help if
we group IP addresses into a group, so what are the practices out there?
Break down to 1 IP to 1 rule or there are better tools?

How do we verify the firewall is beginning to cause slowness due to its number
of rules:  can we do "ping across one zone to another zone" to measure?
Eg: compare it against a firewall that has minimal rules vs one with 90000 rules?

Last but not least, can someone recommend a firewall that can take in 150,000
rules without performance impact & offer API where outsourced vendor could
add rules to block without having access to the firewall?

I've heard of one site's Cisco ASA that support more than 1 million rules but don't
know if it affects network performance.
Watch Question
DarinTCHSenior CyberSecurity Engineer
This problem has been solved!
Unlock 2 Answers and 5 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE