Firewall Rule Optimization
Posted by Eric Wickberg on Thu, Sep 10, 2009 @ 07:31 AM
Firewall efficiency can be significantly affected by the complexity of the firewall ruleset. If your ruleset has less than ten rules, it likely won't be an issue.
If, however, you have a more complicated ruleset, with 20, 30, 100, or even several hundred rules, things can get interesting quickly.
Firewall rules are always evaluated in order. Many firewalls evaluate rules based on at least the ingress, and sometimes the egress port as well. It becomes important to determine the rules that are applied the most often, and place those rules at the top of the list.
These metrics are usually easy to obtain. All firewalls produce logs, which - more often than not - include the rule number being applied to traffic. Some even provide graphs of the most common traffic types or rules applied. By using this data, you can optimize your ruleset to put those rules at the top of the list.
Let's look at an example. In most configurations, internal to external web browsing and DNS lookups are the most common - often involving anti-virus scanning and/or web filtering. If 75 percent of the internal to external traffic is of this type, every time a new HTTP session is created, the firewall must go through all the firewall policy rules that don't apply until it lands on the rule that allows the traffic to pass.
If the rule that allows the traffic to pass is number five on the list, that means each new session will waste firewall cycles as it attempts to apply the first four rules. If there are 100,000 HTTP sessions created in one day, that means the firewall will waste cycles trying to match them against 400,000 rules that don't apply.
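The reordering described above has one caveat worth building into the process: on a first-match firewall, moving a busy allow rule above a deny rule that could match some of the same packets changes what the firewall does, not just how fast it does it. The script below is an added example (not from the original post or any firewall vendor) that counts rule hits from a constructed log excerpt, bubbles busy rules upward only past rules they cannot overlap with, reports how many rule evaluations the change saves, and regression-checks that every probe packet still gets the same action. The ruleset, the log format with its "rule=N" token, and the addresses are all constructed for illustration.

```python
"""Reorder a first-match firewall ruleset by observed hit counts, but only with
swaps that cannot change which action a packet receives.  Added example: the
ruleset, the log lines and the log format are all constructed for illustration."""
import ipaddress
import itertools
import re
from collections import Counter

# (rule_id, src_net, dst_net, proto, dst_port, action); "*" means any.
RULES = [
    (1, "10.0.0.0/8",  "10.0.5.7", "tcp", 22,  "allow"),  # admin SSH to jump host
    (2, "10.0.9.0/24", "*",        "*",   "*", "deny"),   # quarantined subnet
    (3, "10.0.0.0/8",  "*",        "udp", 123, "allow"),  # NTP
    (4, "10.0.0.0/8",  "*",        "tcp", 25,  "deny"),   # no direct outbound SMTP
    (5, "10.0.0.0/8",  "*",        "tcp", 80,  "allow"),  # web browsing (the busy rule)
    (6, "10.0.0.0/8",  "*",        "udp", 53,  "allow"),  # DNS lookups
    (7, "*",           "*",        "*",   "*", "deny"),   # default deny
]

# Constructed log excerpt; the only token the counter needs is "rule=N".
LOG_LINES = (
    ["Sep 10 07:31:02 fw1 ACCEPT rule=5 src=10.0.1.20 dst=203.0.113.9 proto=tcp dport=80"] * 6
    + ["Sep 10 07:31:03 fw1 ACCEPT rule=6 src=10.0.1.20 dst=203.0.113.53 proto=udp dport=53"] * 4
    + ["Sep 10 07:31:05 fw1 DROP rule=7 src=192.0.2.1 dst=10.0.5.7 proto=tcp dport=443"] * 2
    + ["Sep 10 07:31:09 fw1 ACCEPT rule=1 src=10.0.1.20 dst=10.0.5.7 proto=tcp dport=22"]
    + ["Sep 10 07:31:11 fw1 DROP rule=2 src=10.0.9.5 dst=203.0.113.9 proto=tcp dport=80"]
)
RULE_RE = re.compile(r"\brule=(\d+)\b")


def hit_counts(lines):
    """Count how often each rule id appears in the log lines (missing ids count 0)."""
    counts = Counter()
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def _net(value):
    return None if value == "*" else ipaddress.ip_network(value, strict=False)


def rules_overlap(a, b):
    """True if some packet could match both rules, i.e. their relative order matters."""
    for field in (1, 2):  # src_net, dst_net
        na, nb = _net(a[field]), _net(b[field])
        if na is not None and nb is not None and not na.overlaps(nb):
            return False
    for field in (3, 4):  # proto, dst_port
        if a[field] != "*" and b[field] != "*" and a[field] != b[field]:
            return False
    return True


def reorder(rules, hits):
    """Bubble busier rules upward, swapping only adjacent pairs that cannot overlap.
    Each such swap leaves every first-match decision unchanged, so the result does too."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while (j > 0 and hits[order[j][0]] > hits[order[j - 1][0]]
               and not rules_overlap(order[j], order[j - 1])):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return order


def total_evaluations(rules, hits):
    """Rule comparisons the firewall performs: a hit on the rule in position p costs p."""
    return sum(hits[rule[0]] * pos for pos, rule in enumerate(rules, start=1))


def matches(rule, pkt):
    src, dst, proto, port = pkt
    _, rs, rd, rp, rport, _ = rule
    return ((rs == "*" or ipaddress.ip_address(src) in _net(rs))
            and (rd == "*" or ipaddress.ip_address(dst) in _net(rd))
            and (rp == "*" or rp == proto)
            and (rport == "*" or rport == port))


def first_match(rules, pkt):
    return next((r[5] for r in rules if matches(r, pkt)), "deny")


def same_decisions(rules_a, rules_b):
    """Regression check: both orders must give every probe packet the same action."""
    probes = itertools.product(["10.0.1.20", "10.0.9.5", "192.0.2.1"],
                               ["10.0.5.7", "203.0.113.9"],
                               ["tcp", "udp"], [22, 25, 53, 80, 123, 443])
    return all(first_match(rules_a, p) == first_match(rules_b, p) for p in probes)


if __name__ == "__main__":
    hits = hit_counts(LOG_LINES)
    new_rules = reorder(RULES, hits)
    print("order:", [r[0] for r in new_rules])            # [1, 2, 5, 6, 3, 4, 7]
    print("evaluations before/after:", total_evaluations(RULES, hits),
          total_evaluations(new_rules, hits))              # 71 51
    print("decisions unchanged:", same_decisions(RULES, new_rules))
```

Note that the HTTP rule stops at position three rather than rising to the top: the quarantine deny in rule 2 covers a subnet inside its source range, so swapping past it would let quarantined hosts browse. The probe-packet check is cheap insurance that the reordered policy still enforces the same decisions; on a real firewall the corresponding step is to diff the effective policy before and after the change.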
In conclusion, it is important to review your firewall rulesets on a regular basis. This not only allows you to make them more efficient, but also provides an opportunity to ensure that all of the rules are still appropriate according to your security policy.