Checkpoint Performance
You can do many things with rule base tuning that will make a big difference to the throughput of a member. Tuning the rule base will also noticeably improve performance measured in connections per second. The changes that make a rule base more efficient are as follows:
- Reduce the number of rules to a minimum.
- Try not to write rules whose source or destination is a group object, because each group multiplies out into individual rules when the policy is compiled. Instead, use network objects with appropriately chosen subnets.
- Do not use group objects nested inside one another. Again, this causes the compiled rule base to have a large number of rules in it.
- Reduce the number of NAT rules to a minimum.
- Reduce the number of objects you reference in the rule base.
- Don’t use resource rules or user authentication unless you need to. The throughput of the security servers is not as fast as a straight stateful connection through the Firewall kernel.
- Place the most commonly accessed rules as close to the top of the rule base as you can get away with.
- Avoid using domain objects.
- Keep logging to a minimum on rules.
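The following model, added here as an illustration and not code from the original text or from Check Point, shows why the group-object and rule-ordering advice above matters. The object database, the rule format, the Cartesian expansion of groups at compile time and the first-match evaluation are all simplifying assumptions; the object names, rules and traffic sample are constructed. It compiles the same four-rule policy written with host groups (including the nested group `all_servers`) and written with subnet objects, counts how many compiled entries each produces and how many entries a sample of connections has to walk before matching, and then promotes the most-hit rules toward the top, stopping at any rule they conflict with, so that the enforced policy does not change.

```python
"""Model of rule base compilation and first-match evaluation cost.

Added example with constructed data; the expansion and matching rules are
simplifying assumptions, not Check Point's actual compiler behaviour.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed object database: host/network objects and (possibly nested) groups.
OBJECTS = {
    "any": ip_network("0.0.0.0/0"),
    "web1": ip_network("10.1.1.10/32"), "web2": ip_network("10.1.1.11/32"),
    "web3": ip_network("10.1.1.12/32"), "web_net": ip_network("10.1.1.0/24"),
    "db1": ip_network("10.2.2.10/32"), "db2": ip_network("10.2.2.11/32"),
    "db_net": ip_network("10.2.2.0/24"),
}
GROUPS = {
    "web_servers": ["web1", "web2", "web3"],
    "db_servers": ["db1", "db2"],
    "all_servers": ["web_servers", "db_servers"],  # nested group
    "server_nets": ["web_net", "db_net"],
}

def rule(name, src, dst, svc, action):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action}

# The same policy written with host groups and with subnet objects.
RULES_GROUPS = [
    rule("mgmt_ssh", "any", "all_servers", ["ssh"], "accept"),
    rule("web_to_db", "web_servers", "db_servers", ["mysql"], "accept"),
    rule("block_db", "any", "db_servers", ["any"], "drop"),
    rule("web_in", "any", "web_servers", ["http", "https"], "accept"),
]
RULES_SUBNETS = [
    rule("mgmt_ssh", "any", "server_nets", ["ssh"], "accept"),
    rule("web_to_db", "web_net", "db_net", ["mysql"], "accept"),
    rule("block_db", "any", "db_net", ["any"], "drop"),
    rule("web_in", "any", "web_net", ["http", "https"], "accept"),
]

# Constructed traffic sample: (src_ip, dst_ip, service) and how often it is seen.
TRAFFIC = [
    (("192.0.2.10", "10.1.1.10", "https"), 1000),  # public web traffic
    (("10.1.1.11", "10.2.2.10", "mysql"), 300),    # web tier to db tier
    (("192.0.2.10", "10.2.2.11", "mysql"), 10),    # direct db access, dropped
    (("192.0.2.50", "10.2.2.10", "ssh"), 5),       # admin ssh
]

def flatten(name):
    """Expand a (possibly nested) group into the leaf objects it contains."""
    if name not in GROUPS:
        return [name]
    return [leaf for member in GROUPS[name] for leaf in flatten(member)]

def compile_rule(r):
    """One rule becomes |src| x |dst| x |svc| entries once groups are expanded."""
    return [{"rule": r["name"], "src": OBJECTS[s], "dst": OBJECTS[d],
             "svc": v, "action": r["action"]}
            for s, d, v in product(flatten(r["src"]), flatten(r["dst"]), r["svc"])]

def compile_rulebase(rules):
    return [e for r in rules for e in compile_rule(r)]

def entry_matches(e, conn):
    src, dst, svc = conn
    return (ip_address(src) in e["src"] and ip_address(dst) in e["dst"]
            and e["svc"] in ("any", svc))

def evaluate(compiled, conn):
    """First match wins; returns (matching entry or None, entries examined)."""
    for n, e in enumerate(compiled, 1):
        if entry_matches(e, conn):
            return e, n
    return None, len(compiled)  # fell through to the implicit cleanup drop

def total_cost(rules, traffic):
    """Entries examined over the whole sample; lower means less work per connection."""
    compiled = compile_rulebase(rules)
    return sum(count * evaluate(compiled, conn)[1] for conn, count in traffic)

def hit_counts(rules, traffic):
    """Per-rule hit counters for the sample (what the rule base's hit count would show)."""
    compiled, hits = compile_rulebase(rules), {}
    for conn, count in traffic:
        e, _ = evaluate(compiled, conn)
        if e is not None:
            hits[e["rule"]] = hits.get(e["rule"], 0) + count
    return hits

def conflicts(a, b):
    """True if a and b could match the same connection with different actions;
    such rules must keep their relative order or the policy changes."""
    if a["action"] == b["action"]:
        return False
    return any(ea["src"].overlaps(eb["src"]) and ea["dst"].overlaps(eb["dst"])
               and ("any" in (ea["svc"], eb["svc"]) or ea["svc"] == eb["svc"])
               for ea, eb in product(compile_rule(a), compile_rule(b)))

def reorder_by_hits(rules, hits):
    """Promote frequently hit rules upward, never past a rule they conflict with."""
    order = list(rules)
    for r in sorted(rules, key=lambda r: -hits.get(r["name"], 0)):
        i = order.index(r)
        while (i > 0 and not conflicts(order[i - 1], r)
               and hits.get(order[i - 1]["name"], 0) < hits.get(r["name"], 0)):
            order[i - 1], order[i] = order[i], order[i - 1]
            i -= 1
    return order

if __name__ == "__main__":
    print("compiled entries, groups :", len(compile_rulebase(RULES_GROUPS)))
    print("compiled entries, subnets:", len(compile_rulebase(RULES_SUBNETS)))
    print("cost, original order     :", total_cost(RULES_GROUPS, TRAFFIC))
    tuned = reorder_by_hits(RULES_GROUPS, hit_counts(RULES_GROUPS, TRAFFIC))
    print("cost, hit-ordered        :", total_cost(tuned, TRAFFIC), [r["name"] for r in tuned])
```

On the constructed sample the host-group policy compiles to 19 entries against 6 for the subnet version, and moving `web_in` to the top cuts the entries walked per connection by roughly a factor of three. `block_db` stays below `web_to_db` and `mgmt_ssh` however many hits it collects, because swapping a drop above an accept that overlaps it would change what the policy enforces; that check is what "as close to the top as you can get away with" amounts to in practice.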
Tuning VPNs for throughput is a special case. You can always increase the overall performance of a VPN by making the member do less work to encrypt and decrypt packets, but this usually comes at the price of security. For example, using weaker encryption algorithms reduces the work the firewall members must do, but it also reduces the security of the encrypted packets. Enabling Perfect Forward Secrecy likewise carries a significant performance overhead, but turning it off reduces security.