Thread: Re: ofiller.exe and address ranges




Re: ofiller.exe and address ranges
Germany
2007-10-18 04:33:13
Hi,

< We noted that NAT rules were never matched. Then we found that groups
< and ranges get expanded for NAT rules.

I don't want to use these IP range objects in our NAT rules. We just need
them in our security rulebase. So, would there be any problems using them in
the security rulebase? Otherwise we have to create more than 6000 node
objects...

With kind regards - Best regards

Thorsten Mandau




Hugo van der Kooij <hvdkooijVANDERKOOIJ.ORG>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
18.10.2007 11:15
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
cc:
Subject: Re: [FW-1] [SPAM] [FW-1] ofiller.exe and address ranges

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bazauas bazueta wrote:
> Hugo,
>
> You said that CP rules are written for the individual addresses and that
> the CPU/fw resources suffer by the use of address ranges and/or network
> objects.
> Is that true only for SmartCenter Server resources, or is it also true for
> fw nodes?

I have investigated the issue at length in the 4.1 days. But I guess
this has remained pretty much the same in this regard.

We noted that NAT rules were never matched. Then we found that groups
and ranges get expanded for NAT rules.

So a group of 8 networks against a group of 8 networks in a NAT rule
becomes 64 NAT rules effectively. So guess what happens if you do this
with 2 groups of 150 networks? ......

It takes ages to compile 22500 NAT rules.

You also run out of NAT rules and some NAT rules in effect never existed.

With NGX the table sizes are more dynamic. But they can still grow too
large to be practical.

So be careful if you use an ALL_LOCAL_NETWORKS group object in your NAT
rules. We use(d) to use a manual NAT rule to specify this group as
source and destination to prevent NAT on local traffic.

These days we prefer to use explicit groups just for this purpose and
supernet as much as possible. So we use 10.0.0.0/8 instead of a bunch of
10.X.Y.Z/24 networks.

> Does SmartCenter Server "break" network objects into host objects
> during compilation (like a /24 network object into 256 host objects)?
>
> Do you have access to data that correlates the use of this type of
> objects with fw performance?

Not for a while. I will only return to the office next week. And doing
research just for kicks is not likely to happen soon with a backlog of 3
weeks waiting on Monday.

Hugo.

- --
hvdkooijvanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHFyQzBvzDRVjxmYERAqc4AJwKAcc+WvToF04dMDOXkhYPWu5kBgCfVTtS
TBb4VnaJaFiyWRH3j0IS8s4=
=l79a
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
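Hugo's numbers (8 x 8 = 64 rules, 150 x 150 = 22500 rules) follow from a NAT rule with a group as source and a group as destination expanding to one rule per (source, destination) pair. The script below is an added example, not code from this thread or from Check Point: it models that expansion with Python's ipaddress module on constructed groups of /24 networks, shows how far supernetting (Hugo's 10.0.0.0/8 instead of many 10.X.Y.Z/24 objects) shrinks the product, and counts the hosts an address range covers, which is the number of node objects Thorsten would otherwise create by hand. The multiplication model and the sample networks are assumptions for illustration; whether a real policy compiler expands ranges into individual hosts is exactly the open question Hugo says must be tested.

```python
import itertools
import ipaddress


def make_group(second_octet, count):
    """Constructed sample group: `count` consecutive /24s under 10.<second_octet>.0.0."""
    return [ipaddress.ip_network(f"10.{second_octet}.{i}.0/24") for i in range(count)]


def expanded_nat_rules(src_group, dst_group):
    """Assumed model of the expansion described in the thread: a NAT rule whose
    source and destination are groups becomes one rule per (src, dst) pair."""
    return list(itertools.product(src_group, dst_group))


def expansion_count(src_group, dst_group):
    """Number of effective NAT rules produced by one group-vs-group rule."""
    return len(src_group) * len(dst_group)


def supernet(networks):
    """Collapse adjacent or contained networks into the smallest covering set,
    i.e. the 'supernet as much as possible' advice from the thread."""
    return list(ipaddress.collapse_addresses(networks))


def range_host_count(first, last):
    """Addresses covered by an address-range object (first..last inclusive):
    the number of node objects you would have to create instead."""
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1


def compare_policies(src_group, dst_group):
    """Effective rule count before and after supernetting both groups."""
    return {
        "explicit_rules": expansion_count(src_group, dst_group),
        "supernetted_rules": expansion_count(supernet(src_group), supernet(dst_group)),
    }


if __name__ == "__main__":
    small = compare_policies(make_group(1, 8), make_group(2, 8))
    large = compare_policies(make_group(1, 150), make_group(2, 150))
    print("8 x 8 networks:", small)        # explicit 64 -> supernetted 1 x 1
    print("150 x 150 networks:", large)    # explicit 22500 -> supernetted 4 x 4
    print("10.1.0.0/24 .. 10.1.149.0/24 collapses to:",
          [str(n) for n in supernet(make_group(1, 150))])
    # Constructed range standing in for Thorsten's "more than 6000" nodes.
    print("hosts in 10.5.0.0-10.5.23.255:", range_host_count("10.5.0.0", "10.5.23.255"))
```

The 150 consecutive /24s do not collapse to a single prefix (150 is not a power of two), but they still reduce to four networks, so the product drops from 22500 rules to 16. That is the practical lesson behind Hugo's advice: the compile cost grows with the product of the object counts, so aggregating each side matters far more than trimming a few members.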


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: ofiller.exe and address ranges
Romania
2007-10-18 14:23:52
Thorsten Mandau wrote:
> Hi,
>
> < We noted that NAT rules were never matched. Then we found that groups
> < and ranges get expanded for NAT rules.
>
> I don't want to use these IP range objects in our NAT rules. We just need
> them in our security rulebase. So, would there be any problems using them in
> the security rulebase? Otherwise we have to create more than 6000 node
> objects...

From what Hugo says, you can use address ranges as they will be expanded
to individual IPs, so basically you get an automated way of declaring
6000 objects ;) kinky, no? )


Re: ofiller.exe and address ranges
Netherlands
2007-10-18 15:08:44
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sin wrote:
> Thorsten Mandau wrote:
>> Hi,
>>
>> < We noted that NAT rules were never matched. Then we found that groups
>> < and ranges get expanded for NAT rules.
>>
>> I don't want to use these IP range objects in our NAT rules. We just
>> need them in our security rulebase. So, would there be any problems using
>> them in the security rulebase? Otherwise we have to create more than
>> 6000 node objects...
>
> From what Hugo says, you can use address ranges as they will be expanded
> to individual IPs, so basically you get an automated way of declaring
> 6000 objects ;) kinky, no? )

No. You get the ranges. Whether or not the resulting policy will expand
all of it in binary form is something I have not tested. But I would
expect that at some point during compilation they are in fact expanded.

So the only way to know this is to test it.

Hugo.

- --
hvdkooijvanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHF71KBvzDRVjxmYERAhYqAJ9xGAnHkMkj0KRzR6tvaSZ0hAEUsQCgkeCP
zkEiS10J2jSnv3ZlvgOKZp4=
=3I+T
-----END PGP SIGNATURE-----
