Question: Number of firewall rules cause slowness? Firewall rules review to remove dormant rules

Asked by sunhux
Topics: Software Firewalls, Hardware Firewalls, Network Security
Our network team raised concern that with the number of IP addresses to block
(currently we create a group & add in IP addresses) coming from cyber regulator,
it may hog/slow down our CheckPoint 12600.

Q1:
What's the rule of thumb for max number of rules for 12600?  We estimated the
number of IP to block to reach 5000 per year.

Q2:
There's currently 1 rule, i.e. "Deny Threat_intel_list All for all ports/protocols".
So with only 1 rule, does adding IPs to the "Threat_intel_list" cause slowness, or
will increasing the # of IPs in the list also increase the latency (make it slower)?

Q3: *** this question is crucial ***
We plan to break down that single rule into multiple rules, i.e. 1 rule for 1 IP from
Threat Intel to block, so that we can assess if there are hits & subsequently
assess whether to remove rules that don't have hits after, say, 6 months, so
as to reduce the # of rules & the load on the firewall: is this a good practice in
terms of making the firewall faster?  In terms of cybersecurity, we were advised
by one vendor that this is a safe practice, as IOCs that are 'dormant' ought to be
removed, just like AV vendors remove signatures for viruses that have not
been seen in the wild for quite a while to reduce the size/length of the AV
signature file/DB.

Q4:
To do a firewall rules review (i.e. remove rules, both permit and block rules: permit
as it means the endpoint device may have been decomm'ed & block if the IOC
is not active), we reckon we review whether there are hits.  Heard Tufin can't help if
we group IP addresses into a group, so what are the practices out there?
Break down to 1 IP per rule, or are there better tools?

Q5:
How do we verify the firewall is beginning to cause slowness due to its number
of rules: can we do a "ping across one zone to another zone" to measure?
E.g. compare it against a firewall that has minimal rules vs one with 90000 rules?

Q6:
Last but not least, can someone recommend a firewall that can take in 150,000
rules without performance impact & offer API where outsourced vendor could
add rules to block without having access to the firewall?


I've heard of one site's Cisco ASA that supports more than 1 million rules but don't
know if it affects network performance.
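An added example for the review step described in Q3 and Q4, not code from this thread or from any vendor product: it reads constructed, simplified drop-log lines (the `time;rule;src` format is an assumption, not a real Check Point export), records the most recent hit per source IP for the single group-based rule, and flags block-list entries with no hit in the last 180 days as dormant, so per-IP hit assessment can be done from logs without splitting the group into one rule per IP.

```python
from datetime import datetime, timedelta

# Constructed sample block list, standing in for the "Threat_intel_list" group.
THREAT_INTEL_LIST = ["203.0.113.10", "203.0.113.11", "198.51.100.7", "192.0.2.55"]

RULE_NAME = "Deny Threat_intel_list"

# Constructed sample drop-log lines in an assumed "time;rule;src" format.
SAMPLE_LOG = """\
2024-01-05T10:12:00;Deny Threat_intel_list;203.0.113.10
2024-03-20T08:01:13;Deny Threat_intel_list;203.0.113.10
2024-06-30T22:45:09;Deny Threat_intel_list;198.51.100.7
2023-11-02T03:00:00;Deny Threat_intel_list;192.0.2.55
2024-06-01T12:00:00;Allow Internal;10.0.0.5
"""


def last_hit_per_ip(log_text, rule_name):
    """Return {src_ip: most recent hit datetime} for drops made by rule_name."""
    last = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rule, src = line.split(";")
        if rule != rule_name:
            continue  # hits by other rules do not count towards this group
        when = datetime.fromisoformat(ts)
        if src not in last or when > last[src]:
            last[src] = when
    return last


def classify(block_list, last_hits, now, dormant_after_days=180):
    """Split block_list into (active, dormant), preserving list order.

    An entry is dormant if it has never been hit or its last hit is older
    than the review window; the caller decides what to do with dormant ones.
    """
    cutoff = now - timedelta(days=dormant_after_days)
    active, dormant = [], []
    for ip in block_list:
        hit = last_hits.get(ip)
        (active if hit is not None and hit >= cutoff else dormant).append(ip)
    return active, dormant


def review(log_text, block_list, now_iso, rule_name=RULE_NAME, dormant_after_days=180):
    """Convenience wrapper: run the whole review for a given review date."""
    hits = last_hit_per_ip(log_text, rule_name)
    return classify(block_list, hits, datetime.fromisoformat(now_iso), dormant_after_days)
```

Feed it the real drop-log export for the group rule and the current group membership, and the dormant list is the candidate set for the 6-month review.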
ASKER CERTIFIED SOLUTION by David Favor, Fractional CTO