Avatar of sunhux

asked on 

Number of firewall rules cause slowness? Firewall rules review to remove dormant rules

Our network team raised concern that with the number of IP addresses to block
(currently we create a group & add in IP addresses) coming from cyber regulator,
it may hog/slow down our CheckPoint 12600.

What's the rule of thumb for max number of rules for 12600?  We estimated the
number of IP to block to reach 5000 per year.

There's currently 1 rule ie "Deny Threat_intel_list All  for all ports/protocol":
So with only 1 rule but adding IP to the "Threat_intel_list" cause slowness or
by adding the # of IP to the list will increase the latency (make it slower) as well?

Q3: *** this question is crucial ***
We plan to break down that single rule to multiple rules ie 1 rule for 1 IP from
Threat Intel to block so that we can assess if there are hits & subsequently
assess whether to remove rules that don't have hits after, say 6 months so
as to reduce the # of rules & load to the firewall: is this a good practice in
terms of making the firewall faster?  In terms of cybersecurity, was advised
by one vendor this is a safe practice as IOCs that are 'dormant' ought to be
removed, just like AV vendors removed signatures for viruses that have not
been seen in the wild for quite a while to reduce the size/length of the AV
signature file/DB.

To do firewall rules review (ie remove rules,  permit or block rules: permit as
it means the endpoint device may have been decomm'ed & block if the IOC
is not active), reckon we review if there are hits.  Heard Tuffin can't help if
we group IP addresses into a group, so what are the practices out there?
Break down to 1 IP to 1 rule or there are better tools?

How do we verify the firewall is beginning to cause slowness due to its number
of rules:  can we do "ping across one zone to another zone" to measure?
Eg: compare it against a firewall that has minimal rules vs one with 90000 rules?

Last but not least, can someone recommend a firewall that can take in 150,000
rules without performance impact & offer API where outsourced vendor could
add rules to block without having access to the firewall?

I've heard of one site's Cisco ASA that support more than 1 million rules but don't
know if it affects network performance.
Software FirewallsHardware FirewallsNetwork Security

Avatar of undefined
Last Comment

8/22/2022 - Mon