-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
bazauas bazueta wrote:
> Hugo,
>
> You said that CP rules are written for the individual addresses and that the CPU/fw resources suffer by the use of address ranges and/or network objects.
> Is that true only for SmartCenter Server resources, or is it also true for fw nodes?
I have investigated the issue at length in the 4.1 days. But I guess this has remained pretty much the same in this regard.

We noted that NAT rules were never matched. Then we found that groups and ranges get expanded for NAT rules.

So a group of 8 networks against a group of 8 networks in a NAT rule becomes 64 NAT rules effectively. So guess what happens if you do this with 2 groups of 150 networks? ......

It takes ages to compile 22500 NAT rules. You also run out of NAT rules and some NAT rules in effect never existed.

With NGX the table sizes are more dynamic. But they can still grow too large to be practical.
So be careful if you use an ALL_LOCAL_NETWORKS group object in your NAT rules. We use(d) to use a manual NAT rule to specify this group as source and destination to prevent NAT on local traffic.

These days we prefer to use explicit groups just for this purpose and supernet as much as possible. So we use 10.0.0.0/8 instead of a bunch of 10.X.Y.Z/24 networks.
> Does SmartCenter Server "break" network objects into host objects during compilation (like a /24 network object into 256 host objects)?
>
> Do you have access to data that correlates the use of this type of objects with fw performance?

Not for a while. I will only return to the office next week. And doing research just for kicks is not likely to happen soon with a backlog of 3 weeks waiting on Monday.
Hugo.
- --
hvdkooij vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFHFyQzBvzDRVjxmYERAqc4AJwKAcc+WvToF04dMDOXkhYPWu5kBgCfVTtS
TBb4VnaJaFiyWRH3j0IS8s4=
=l79a
-----END PGP SIGNATURE-----
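The expansion Hugo describes (source group times destination group, so 8 x 8 = 64 and 150 x 150 = 22500 effective NAT rules) and the supernetting he recommends as the remedy can be modelled in a few lines. The following is an added example, not Check Point code and not from this list post; the full cross-product expansion is an assumption taken from the message, and the /24 networks are constructed sample data. It uses `ipaddress.collapse_addresses` from the Python standard library to show how far a list of contiguous /24s collapses into supernets, and what that does to the rule count.

```python
"""Model of NAT rule expansion and of supernetting as a mitigation.

Added example: this is NOT Check Point code.  The assumption, taken from the
mailing-list message, is that a manual NAT rule with a source group of N
networks and a destination group of M networks compiles to N*M effective
rules.  The sample network lists below are constructed for illustration.
"""
import ipaddress
from itertools import product


def expand_nat_rule(sources, destinations):
    """Return every (src, dst) pair the rule expands to.

    Under the assumed model each pair is one effective NAT rule in the
    compiled policy, which is why large groups blow up compile time.
    """
    return [(src, dst) for src, dst in product(sources, destinations)]


def expanded_rule_count(sources, destinations):
    """Number of effective rules without materialising them."""
    return len(sources) * len(destinations)


def contiguous_slash24s(count, base="10.0.0.0/8"):
    """Constructed sample: the first `count` /24 subnets of `base`."""
    base_net = ipaddress.ip_network(base)
    return [str(net) for net, _ in zip(base_net.subnets(new_prefix=24), range(count))]


def supernet(networks):
    """Collapse a list of networks into the smallest covering set.

    This is the 'supernet as much as possible' advice from the message:
    adjacent 10.X.Y.Z/24 networks merge into larger prefixes, so the group
    shrinks and so does the N*M expansion.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def rule_counts_before_and_after(count):
    """Effective rule count for a group used as both source and destination,
    before and after supernetting.  Returns (before, after, supernets)."""
    group = contiguous_slash24s(count)
    collapsed = supernet(group)
    before = expanded_rule_count(group, group)
    after = expanded_rule_count(collapsed, collapsed)
    return before, after, collapsed


if __name__ == "__main__":
    eight = contiguous_slash24s(8)
    print("8 x 8 networks ->", len(expand_nat_rule(eight, eight)), "effective rules")
    for size in (150, 256):
        before, after, collapsed = rule_counts_before_and_after(size)
        print(f"{size} x {size} /24s -> {before} rules; "
              f"supernetted to {collapsed} -> {after} rules")
```

The 150 contiguous /24s collapse to four prefixes (10.0.0.0/17, 10.0.128.0/20, 10.0.144.0/22, 10.0.148.0/23), taking the rule count from 22500 to 16; a full /16 worth of /24s collapses to a single object. The model deliberately ignores anything the real compiler may do beyond the cross product, since the message does not describe it.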
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================