How important is IPv4 Policy sequence order?

Forum|Forum|6 years ago
February 27, 2020
1 reply
5887 views

Lets say a firewall needs to go through 100 entries in the IPv4 Policy list before hitting the right one, is this slowing the traffic down significantly or is it not a noticeable difference

If the policy with the most traffic is at the bottom of this 100 entries, would you notice a performance difference if you moved it up to the top of the list?

rwpatterson

New Member

I'm not sure about performance, but the policies are read from the top down. First good one gets the traffic. If the lowest policy is getting the most hits and you move it to the top, it will 'steal' all of the traffic, negating the more specific ones before it. VERY BAD! I would concentrate less on the performance hit and make very concise streamlined policies. These firewalls are very fast and robust. Somewhere out there are spec sheets that tell now many connections each model is capable of. Chances are you aren't near that number. Find the spec sheet and look for yourself.

My two cents

emnoc

New Member

I don't think the number of policies and when it matches is going to hurt performance or even be notice. so 10 100 1000 or 10000 polices before it finds your specific policy is going to make a impact of "0"

Ken Felix

Johan_Witters

New Member

Hi,

the sequence order of the policies is very important as the Fortigate processes all policies top down until it finds a match. As this is the first match, not the optimal match it is important to get your sequence right. If you have a policy applying AV to all smtp traffic, you want to have it above any policies with the "any" service...

The number of policies will affect the performance of the firewall, so it is important to keep the amount of policies low. However, unless you have 10K policies, I doubt you will ever notice anything.. :)

Johan

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded