Home > Articles

  • Print
  • + Share This
This chapter is from the book

Performance Considerations

Because a good deal of the packet delay through the firewall is due to evaluating your security policy, it stands to reason that there are things you can do to make the process more efficient.

On the SmartCenter Server itself, defining the name to IP mapping in the local hosts file rather than through DNS can help performance. On Unix systems, this is /etc/hosts. In Windows, it is %SystemRoot%\system32\drivers\etc\hosts.

For the gateways, the following changes in your rule base will increase performance:

  • Log connections sparingly—Logging takes time to process, so don’t log what you don’t intend to read.

  • Minimize your rule base’s complexity—The more rules, the longer it takes to process. Complex rules, such as those with many objects inside, compile into a larger security policy too.

  • Use network objects or address ranges instead of multiple host objects—It’s easier to check whether an address falls within a network boundary than it is to check it against multiple host entries.

  • Put your high-traffic rules at the beginning—Rules are checked one by one, stopping at the first match, so make sure that the match happens early for frequently used rules.

In general, simplicity equals better performance, not to mention better security.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.