Optimizing rule base on Checkpoint Firewalls

Optimizing rule base on Checkpoint Firewalls

on 29.12.2006 13:17:08 by dogbert

Hi everyone,

I'm managing some firewalls for our corporate LAN and I'm trying to optimize the
current rulebase in order to have better performance and simplify the management
task.

Actually we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter
security and the other 2 for intranet security, and we are using a total of 85
rules (some of them are applied only to specific firewalls while others are
applied to all the systems). All this is managed from a central Management console.

I'd like to know how Checkpoint works through the rulebase.
I already know that the rules are checked sequentially until one is matched, but I
need more information to fine-tune this process.

1) Is it possible/advisable to define different policy packages for different
firewalls and work with them separately?
2) Does a firewall receive a policy containing only the rules referring to it, or
every policy defined, and then it checks only its rules?
3) Is it better to have one big rule grouping a lot of hosts, networks and services,
or more simple rules (with few objects each)?

Thanks
Riccardo

--
--------------------------------------------------------
- Remove NO SPAM to reply to me directly -
--------------------------------------------------------
- http://www.riccardofontana.it/ -
--------------------------------------------------------
- -
- Monsieur Perrier: "What do you think?" -
- MrWong: "Me perplexed." -
- Alce: "I AM perplexed... a verb would be needed -
- once in a while.... you are driving me -
- MAD !!!!!!" -
- -
--------------------------------------------------------

Re: Optimizing rule base on Checkpoint Firewalls

on 29.12.2006 15:04:49 by tony

Well I'll tell you dogbreath now that you mentioned checkpoint as in checkpoint
software I am looking for various short sales starting around january 4th 2007. January
will be at least a 10 percent down month for the markets and the next couple of years
should see the dow give back at least half and the foreign markets give back at least
three quarters.

Re: Optimizing rule base on Checkpoint Firewalls

on 30.12.2006 01:14:51 by Jay

> 1) Is it possible/advisable to define different policy packages for
> different firewalls and work with them separately?

Absolutely and Yes. Use the "Install On" column to target each policy for
which firewall it should be installed on. All of the object definitions are
shared between all policies, so you won't have to redefine them for each
policy.

> 2) Does a firewall receive a policy containing only the rules referring to
> it, or every policy defined, and then it checks only its rules?

Depends on what you have set in the "Install on" field. You actually can
create one massive policy and use the "Install on" field to put only certain
rules on certain firewalls. That is a mess to figure out when looking at it,
though.

> 3) Is it better to have one big rule grouping a lot of hosts, networks and
> services, or more simple rules (with few objects each)?

Groups will evaluate faster than listing the individual objects. That being
said, I doubt you would notice much difference on modern hardware. 85 rules
is not a lot.

What kind of bandwidth are you talking about and what kind of hardware?

If you want to go through the hassle, you could set up SmartView Reporter
and get an eval license. One of its canned reports shows you which rules are
accessed how much.

Ray
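
As an added example (not code from the thread, from Check Point or from the posters' tools), the Python model below shows the two mechanics discussed in this reply: the "Install On" target deciding which subset of the policy each gateway actually receives, and sequential first-match evaluation producing the per-rule hit counts that a log-based rule usage report (SmartView Reporter or a homegrown log importer) would show, so never-hit rules stand out. The gateway names, networks, services and flows are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
ANY = "Any"  # wildcard for src/dst/service, and the "all gateways" Install On target

@dataclass
class Rule:
    no: int
    src: list  # CIDR strings, or [ANY]
    dst: list
    svc: list  # "proto/port" strings, or [ANY]
    action: str
    install_on: set = field(default_factory=lambda: {ANY})  # gateways the rule is pushed to

def _matches(objs, ip):
    return ANY in objs or any(ip_address(ip) in ip_network(n) for n in objs)

def rules_for(gateway, rulebase):
    """The subset of the policy this gateway actually receives (Install On filter)."""
    return [r for r in rulebase if ANY in r.install_on or gateway in r.install_on]

def first_match(rules, flow):
    """Sequential first-match evaluation; None stands for the implicit cleanup drop."""
    src, dst, svc = flow
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and (ANY in r.svc or svc in r.svc):
            return r
    return None

def hit_report(gateway, rulebase, flows):
    """Per-rule hit counts on one gateway: what a log-based rule usage report shows."""
    rules = rules_for(gateway, rulebase)
    hits = Counter({r.no: 0 for r in rules})
    for flow in flows:
        r = first_match(rules, flow)
        hits[r.no if r else "cleanup"] += 1
    return hits

def never_hit(hits):
    """Rules with zero hits: review or remove these before reordering anything."""
    return sorted(no for no, n in hits.items() if no != "cleanup" and n == 0)
# Constructed sample rulebase and flows (illustrative, not from the thread)
RULEBASE = [Rule(1, [ANY], ["10.0.0.0/8"], ["tcp/22"], "drop", {"fw-ext"}),
            Rule(2, ["10.1.0.0/16"], [ANY], ["tcp/80", "tcp/443"], "accept"),
            Rule(3, ["10.2.0.0/16"], ["10.3.0.0/16"], ["tcp/1433"], "accept", {"fw-int"}),
            Rule(4, [ANY], [ANY], ["udp/53"], "accept"),
            Rule(5, ["10.9.0.0/16"], [ANY], ["tcp/21"], "accept", {"fw-int"})]
FLOWS = [("10.1.5.5", "198.51.100.10", "tcp/443"), ("10.1.5.6", "198.51.100.10", "tcp/80"),
         ("10.2.1.1", "10.3.2.2", "tcp/1433"), ("10.1.5.5", "10.3.2.2", "udp/53"),
         ("192.0.2.7", "10.3.2.2", "tcp/22")]
```

Reordering by hit count is only safe for rules whose source, destination and service sets do not overlap; overlapping rules must keep their relative order or the first match changes.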

Re: Optimizing rule base on Checkpoint Firewalls

on 30.12.2006 12:01:42 by dogbert

Jay wrote:
>> 1) Is it possible/advisable to define different policy packages for
>> different firewalls and work with them separately?
>
> Absolutely and Yes. Use the "Install On" column to target each policy for
> which firewall it should be installed on. All of the object definitions are
> shared between all policies, so you won't have to redefine them for each
> policy.
>

I'm already using the "Install On" column a lot. Most of the rules are installed
only on the external or the internal firewall. I'd like to know if a firewall receives
only a package of rules according to what has been specified in the "Install On" column.

>> 2) Does a firewall receive a policy containing only the rules referring to
>> it, or every policy defined, and then it checks only its rules?
>
> Depends on what you have set in the "Install on" field. You actually can
> create one massive policy and use the "Install on" field to put only certain
> rules on certain firewalls. That is a mess to figure out when looking at it,
> though.
>
>> 3) Is it better to have one big rule grouping a lot of hosts, networks and
>> services, or more simple rules (with few objects each)?
>
> Groups will evaluate faster than listing the individual objects. That being
> said, I doubt you would notice much difference on modern hardware. 85 rules
> is not a lot.
>
> What kind of bandwidth are you talking about and what kind of hardware?
>

We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet adapter
and a single SPARC II processor. Bandwidth for outside connections is 34 Mbps.
The performance problem affects mainly the internal firewall, which needs to manage
3 FastEthernet connections.

> If you want to go through the hassle, you could set up SmartView Reporter
> and get an eval license. One of its canned reports shows you which rules are
> accessed how much.
>

I've already created a tool with php/mysql to import and analyze the firewall
logs. :-)

Re: Optimizing rule base on Checkpoint Firewalls

on 30.12.2006 20:06:16 by Greg Hennessy

On Fri, 29 Dec 2006 13:17:08 +0100, Dogbert wrote:

>Actually we have 4 different firewalls (Checkpoint NG with AI), 2 for perimeter
>security and the other 2 for intranet security, and we are using a total of 85
>rules (some of them are applied only to specific firewalls while others are
>applied to all the systems).

85 rules spread over 4 firewalls is not a big rule base.

> All this is managed from a central Management console.
>
>I'd like to know how Checkpoint works through the rulebase.
>I already know that the rules are checked sequentially until one is matched, but I
>need more information to fine-tune this process.
>
>1) Is it possible/advisable to define different policy packages for different
>firewalls and work with them separately?

Yes, from a change management perspective such an approach is preferable.

greg
--
"He's raising an unholy army of singing dinosaurs!"

Re: Optimizing rule base on Checkpoint Firewalls

on 31.12.2006 00:41:37 by Jay

> I'm already using the "Install On" column a lot. Most of the rules are
> installed only on the external or the internal firewall. I'd like to know if a
> firewall receives only a package of rules according to what has been specified
> in the "Install On" column.

Yes.

> We are talking about a Sun 220R with 1 gigabyte of RAM, a quad FastEthernet
> adapter and a single SPARC II processor. Bandwidth for outside connections
> is 34 Mbps. The performance problem affects mainly the internal firewall,
> which needs to manage 3 FastEthernet connections.

Sorry, I'm not familiar with Sun hardware. I'm running similar bandwidth on
a Nokia (BSD) with a 700 MHz P-III and 1 GB of RAM and I have no performance
issues.

What performance issues are you seeing?

Ray