Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Andre_Backs
New Contributor

firewall rules efficiency

Hi everyone, here is another starter question for you: which ruleset is processed more efficiently? (The goal of the ruleset is that anyone on the internet can reach 3 servers via either HTTP, HTTPS or SSH. The ruleset is fictitious.)

A) from: all to: server1, server2, server3 service: http, https, ssh (i.e. everything on 1 line but separate firewall objects)

B) from: all to: [server_group] service: [service_group] (like A but now we made a group of servers and a group of services)

C) from: all to: server1 service: http
from: all to: server1 service: https
from: all to: server1 service: ssh
from: all to: server2 service: http
from: all to: server2 service: https
from: all to: server2 service: ssh
from: all to: server3 service: http
from: all to: server3 service: https
from: all to: server3 service: ssh
(a separate rule for each)

Several variations can be made of course. I guess that it all depends on how the ruleset is built in memory. Is it interpreted for each packet (I sincerely hope not) or is it compiled? What is your expert opinion please?

ABB@ProBiblio Fortigate 200D (slave master)

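Written out as FortiOS CLI, options A and B from the question look like this. This is an added example, not configuration from the original post: the interface names wan1 and dmz, the 192.0.2.x addresses and the object names are assumptions, and HTTP, HTTPS and SSH are the predefined FortiOS service objects.

```fortios
# Added example, not from the original post. Interface names, addresses
# and object names are assumed. Deploy only ONE of the two policies below;
# they are listed side by side for comparison (policy matching is first-match).

# Host objects shared by both variants (/32 subnets, RFC 5737 documentation range)
config firewall address
    edit "server1"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "server2"
        set subnet 192.0.2.11 255.255.255.255
    next
    edit "server3"
        set subnet 192.0.2.12 255.255.255.255
    next
end

# Option A: one policy, the three hosts and three services listed directly
config firewall policy
    edit 10
        set name "inet-to-servers-A"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "server1" "server2" "server3"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SSH"
        set logtraffic all
    next
end

# Option B: the same policy, but hosts and services are wrapped in groups
config firewall addrgrp
    edit "server_group"
        set member "server1" "server2" "server3"
    next
end

config firewall service group
    edit "service_group"
        set member "HTTP" "HTTPS" "SSH"
    next
end

config firewall policy
    edit 11
        set name "inet-to-servers-B"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "server_group"
        set action accept
        set schedule "always"
        set service "service_group"
        set logtraffic all
    next
end

# Option C would be nine copies of one of these policies,
# one per (server, service) pair, each with its own policy ID.
```

Whichever variant is chosen, the operational differences are the number of policy IDs to audit and how readable the policy list is; adding a fourth server or service to B is a change to one group object rather than to the policy. To look at what the unit actually built from the objects, `diagnose firewall iprope list 100004` dumps the internal compiled policy table (command quoted from memory; check it against the FortiOS release in use).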
4 Replies
Mark_Oakton
Contributor

B
Infosec Partners
Camshaft007
New Contributor

B

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong one. 'Do it yourself'. Yes, that's it." - Linus Torvalds
emnoc
Esteemed Contributor III

FWIW, I think that from an efficiency standpoint it would not make a difference. Regarding the number of policy IDs, fewer is always better.

I believe the FortiGate loads and processes the policies so that you would probably not notice anything.

 

 

 

PCNSE NSE StrongSwan
rwpatterson
Valued Contributor III

I would think A (marginally), only because the FGT would have to go to one less table to get the answer (it does not have to break down the groups). Obviously C is the least efficient.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
