How important is IPv4 Policy sequence order?
Let's say a firewall needs to go through 100 entries in the IPv4 Policy list before hitting the right one. Is this slowing the traffic down significantly, or is it not a noticeable difference?
If the policy with the most traffic is at the bottom of this 100 entries, would you notice a performance difference if you moved it up to the top of the list?
I'm not sure about performance, but the policies are read from the top down. The first good one gets the traffic. If the lowest policy is getting the most hits and you move it to the top, it will 'steal' all of the traffic, negating the more specific ones before it. VERY BAD! I would concentrate less on the performance hit and make very concise, streamlined policies. These firewalls are very fast and robust. Somewhere out there are spec sheets that tell how many connections each model is capable of. Chances are you aren't near that number. Find the spec sheet and look for yourself.
My two cents
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I don't think the number of policies and when it matches is going to hurt performance or even be noticed. So 10, 100, 1000 or 10000 policies before it finds your specific policy is going to make an impact of "0".
Ken Felix
PCNSE
NSE
StrongSwan
Hi,
The sequence order of the policies is very important, as the Fortigate processes all policies top down until it finds a match. As this is the first match, not the optimal match, it is important to get your sequence right. If you have a policy applying AV to all SMTP traffic, you want to have it above any policies with the "any" service...
The number of policies will affect the performance of the firewall, so it is important to keep the number of policies low. However, unless you have 10K policies, I doubt you will ever notice anything... :)
Johan
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
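To illustrate the top-down, first-match lookup and the shadowing hazard the replies describe (a broad "any" policy placed above the AV-on-SMTP policy), here is an added Python model of that evaluation; it is example code, not FortiGate code, and the policy names, addresses and the shadow check are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A simplified IPv4 policy entry (constructed model, not a FortiGate object)."""
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    service: str    # "any" or a proto/port string such as "tcp/25"
    action: str
    av: bool = False  # whether an AV profile is applied


def _matches(policy, src_ip, dst_ip, service):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(policy.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(policy.dst)
            and policy.service in ("any", service))


def first_match(policies, src_ip, dst_ip, service):
    """Walk the list top down and return the first matching policy (None = implicit deny)."""
    for policy in policies:
        if _matches(policy, src_ip, dst_ip, service):
            return policy
    return None


def shadowed(policies):
    """Return (policy, shadowing_policy) name pairs for entries that can never be reached
    because an earlier, broader entry already covers every flow they would match."""
    found = []
    for i, lower in enumerate(policies):
        for upper in policies[:i]:
            if (ipaddress.ip_network(lower.src).subnet_of(ipaddress.ip_network(upper.src))
                    and ipaddress.ip_network(lower.dst).subnet_of(ipaddress.ip_network(upper.dst))
                    and upper.service in ("any", lower.service)):
                found.append((lower.name, upper.name))
                break
    return found


# Constructed sample policies: a specific AV-inspected SMTP rule and a catch-all outbound rule.
SMTP_AV = Policy("smtp-av", "10.0.0.0/8", "0.0.0.0/0", "tcp/25", "accept", av=True)
ANY_OUT = Policy("any-out", "10.0.0.0/8", "0.0.0.0/0", "any", "accept")
GOOD_ORDER = [SMTP_AV, ANY_OUT]   # specific rule first: SMTP gets AV
BAD_ORDER = [ANY_OUT, SMTP_AV]    # catch-all moved to the top: it steals the SMTP traffic
```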
