Device based policy performance?
Does anyone know if device policies incur a performance penalty?
For example, if you have a policy with one source address, is there any reason not to also include the MAC address by including it in the source device type in the policy? Using the device identification and adding an alias to a detected device will allow you to select that specific MAC address as a device type and effectively create a rule where the source IP and source MAC must match in order to pass. Conceivably, since it is already scanning the header, comparing the MAC address should be trivial. If someone is going to come out and say that it drops performance by 50%, then I may not decide to enable it on a bunch of policies.
The annoying thing is the MAC address detection doesn't work consistently when the traffic has traversed a router, so it is only really viable for traffic originating on the same L3 subnet as the source interfaces.
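As an added illustration (not from the original post and not any vendor's policy engine), the following Python model shows the IP-plus-MAC source match described above, how cheap the extra MAC comparison is, and why the match fails once a frame has crossed a router. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional

@dataclass(frozen=True)
class Frame:
    """Header fields the firewall sees on ingress (constructed sample data)."""
    src_mac: str
    src_ip: str

@dataclass(frozen=True)
class DevicePolicy:
    """Source match: an IP network plus, optionally, the device's MAC."""
    src_net: ipaddress.IPv4Network
    src_mac: Optional[str] = None   # None means an IP-only policy

def normalize_mac(mac: str) -> bytes:
    """Canonical 6-byte form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return raw

def matches(policy: DevicePolicy, frame: Frame) -> bool:
    """IP check first; the MAC check is one 6-byte comparison on top of it."""
    if ipaddress.IPv4Address(frame.src_ip) not in policy.src_net:
        return False
    if policy.src_mac is None:
        return True
    return normalize_mac(policy.src_mac) == normalize_mac(frame.src_mac)

def route_hop(frame: Frame, router_mac: str) -> Frame:
    """A router rewrites the L2 source to its own egress MAC; the IP survives."""
    return replace(frame, src_mac=router_mac)

# Hypothetical addresses, not taken from any real deployment.
LAPTOP_MAC = "00:11:22:33:44:55"
ROUTER_MAC = "de:ad:be:ef:00:01"
ip_only = DevicePolicy(ipaddress.IPv4Network("10.0.1.10/32"))
ip_and_mac = DevicePolicy(ipaddress.IPv4Network("10.0.1.10/32"), LAPTOP_MAC)

def evaluate() -> Dict[str, bool]:
    laptop = Frame(LAPTOP_MAC, "10.0.1.10")
    other_nic = Frame("66:77:88:99:aa:bb", "10.0.1.10")  # same IP, other host
    routed = route_hop(laptop, ROUTER_MAC)               # crossed an L3 hop
    return {
        "laptop_ip_only": matches(ip_only, laptop),
        "laptop_ip_and_mac": matches(ip_and_mac, laptop),
        "other_nic_ip_only": matches(ip_only, other_nic),       # IP alone passes
        "other_nic_ip_and_mac": matches(ip_and_mac, other_nic), # binding blocks
        "routed_ip_and_mac": matches(ip_and_mac, routed),       # router MAC seen
    }
```

The last key is the caveat from the post: after a router hop the firewall sees the router's MAC, so an IP-plus-MAC policy only works for hosts on the directly attached subnet.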