
Thread: Re: ofiller.exe and address ranges




Re: ofiller.exe and address ranges
Germany
2007-10-19 03:44:03
Hi all,

thank you for your input. I guess I won't take the risk of getting into performance issues since this firewall is very critical.

Kind regards - Best regards

Thorsten Mandau






Hugo van der Kooij <hvdkooij@VANDERKOOIJ.ORG>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
18.10.2007 22:08
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
cc:
Subject: Re: [FW-1] [SPAM] [FW-1] ofiller.exe and address ranges

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sin wrote:
> Thorsten Mandau wrote:
>> Hi,
>>
>> < We noted that NAT rules were never matched. Then we found that groups
>> < and ranges get expanded for NAT rules.
>>
>> I don't want to use these ip range objects in our NAT rules. We just
>> need them in our security rulebase. So, would there be any problems using
>> them in the security rulebase? Otherwise we have to create more than
>> 6000 node objects...
> 
> From what Hugo says, you can use address ranges as it will be expanded
> to individual IPs, so basically you get an automated way of declaring
> 6000 objects ;) kinky, no ? )

No. You get the ranges. Whether or not the resulting policy will expand all of it in binary form is something I have not tested. But I would expect that at some point during compilation they are in fact expanded.

So the only way to know this is to test it.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHF71KBvzDRVjxmYERAhYqAJ9xGAnHkMkj0KRzR6tvaSZ0hAEUsQCgkeCP
zkEiS10J2jSnv3ZlvgOKZp4=
=3I+T
-----END PGP SIGNATURE-----

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================



Re: ofiller.exe and address ranges
Netherlands
2007-10-22 15:22:01
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thorsten Mandau wrote:
> Hi all,
> 
> thank you for your input. I guess I won't take the risk of getting into 
> performance issues since this firewall is very critical.

Hmm. I was required to do some troubleshooting into an issue where a policy installation resulted in a failover situation (VRRP cluster).

I noticed a few range objects being used. It seemed that the use of a range object of 0.0.0.0-255.255.255.255 or a network object of 0.0.0.0/0.0.0.0 had the exact same impact on the compiled policy.

Neither of them exploded on this NGX R61 installation. The policy installed was not that extreme if you take into account it was over 350 rules for a single cluster only.

So it seems optimisation is used on those objects. Probably of the same type as one can sometimes observe in the VPN-1 Edge VPN topology (/vpntop.html in the web interface).

I would not insert 6000 objects at once but do this in stages so you can see the impact and see at what point you notice impact on the firewall.

What was weird by the way was that hourly tcl script on Nokia going wild and consuming enormous amounts of CPU time.

I am more and more convinced that flash based Nokias are in fact very very evil. I'd rather risk a broken disk than having to run IPSO, NGX and swap on a 1 GB flash drive. I think I will sleep much better if we replace all flash based Nokias with disk based ones.

Hugo.

- --
hvdkooij@vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHHQZmBvzDRVjxmYERAugGAJ47UY/nMpwA9fbibtpSomRE8RHHwwCfWtHR
R2Nal7JNOWhI3S4k88gB7AE=
=rW9x
-----END PGP SIGNATURE-----

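An added example, written for this archive page and not code from Check Point, from ofiller.exe or from anyone in the thread. It sizes up the two behaviours Hugo describes: the October 18 message's expectation that a range object is expanded into single addresses at some point during compilation, and the observation in the message above that a 0.0.0.0-255.255.255.255 range object and a 0.0.0.0/0.0.0.0 network object had the same impact on the compiled policy, which is what you would see if the compiler collapses a range into CIDR blocks rather than listing every host. The `start-end` range notation, the sample addresses and the staging into batches of 1000 are assumptions for illustration; the page says nothing about how the Check Point compiler actually represents these objects, and this script only models the two possibilities being discussed.

```python
"""Model the cost of an IPv4 range object under two compiler strategies:
naive expansion to one object per host, and collapse into CIDR blocks.
Added example; not Check Point code, and the compiler's real internals
are not described in the thread.  Uses only the standard library.
"""
import ipaddress
from typing import Iterator, List, Tuple


def parse_range(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse 'a.b.c.d-e.f.g.h' (the notation used in the thread; assumed
    format) into a (first, last) pair, rejecting reversed ranges."""
    first, sep, last = text.partition("-")
    if not sep:
        raise ValueError(f"not a range: {text!r}")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip())
    if lo > hi:
        raise ValueError(f"range start is after its end: {text!r}")
    return lo, hi


def expanded_size(text: str) -> int:
    """Number of single-host objects a naive per-address expansion of the
    range would produce (the 'automated way of declaring 6000 objects')."""
    lo, hi = parse_range(text)
    return int(hi) - int(lo) + 1


def to_cidr(text: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly the range.  This is the
    optimised form: 0.0.0.0-255.255.255.255 collapses to 0.0.0.0/0, i.e. the
    same thing as the network object 0.0.0.0/0.0.0.0."""
    lo, hi = parse_range(text)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def batches(objects: List[str], size: int) -> Iterator[List[str]]:
    """Yield the objects in fixed-size chunks, so a large set of node
    objects can be added to a policy in stages and the impact of each
    stage measured before the next one is pushed."""
    if size <= 0:
        raise ValueError("batch size must be positive")
    for i in range(0, len(objects), size):
        yield objects[i:i + size]


if __name__ == "__main__":
    # Constructed sample ranges, not taken from any real policy.
    for r in ("0.0.0.0-255.255.255.255", "10.0.0.5-10.0.1.7", "192.0.2.1-192.0.2.1"):
        print(f"{r}: {expanded_size(r)} host objects if expanded; "
              f"{len(to_cidr(r))} CIDR block(s): {to_cidr(r)}")
    # 6000 constructed node objects, pushed in stages of 1000 (assumed stage size).
    hosts = [f"10.1.{i // 256}.{i % 256}" for i in range(6000)]
    for stage, chunk in enumerate(batches(hosts, 1000), start=1):
        print(f"stage {stage}: {len(chunk)} node objects, {chunk[0]} .. {chunk[-1]}")
```

The difference between the two numbers for a range is the point of the thread: the whole address space is 2^32 host objects when expanded but a single block when collapsed, and an unaligned range such as 10.0.0.5-10.0.1.7 is 259 hosts or 8 blocks. The batching helper is the mechanical side of the advice to add the objects in stages rather than all at once.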

Re: ofiller.exe and address ranges
United States
2007-10-22 18:32:40
We NEVER recommend these to customers. It's usually easier for us to upgrade them to hard disk based units or replace them with SPLAT, instead of watching the customer hobble along with a broken foot. The only hope you have for one of these units is to purchase, or insist that you be given, hard disks to add to the flash based units. Why you would want a unit with no storage capacity is beyond me. Maybe if you are putting the unit on the Space Shuttle, and there is some kind of friction/moving parts issue, but then again that's rocket science, and not my specialty.

Frank



-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Hugo van der Kooij
Sent: Monday, October 22, 2007 4:22 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] [SPAM] [FW-1] ofiller.exe and address ranges

