Is your firewall overloaded? Symptoms include high CPU, low throughput and slow applications. Before upgrading your hardware, it is worth checking whether the firewall configuration can be optimized.
Optimization techniques can be divided into two groups - general best practices, and vendor-specific, model-specific configurations. This column focuses on best practices. Next time, we will look at vendor-specific tips, so if you have any to share, we would like to hear from you.
Optimizing firewalls for better performance and throughput:
- Remove bad traffic and clean up the network. Notify server administrators about servers hitting the firewall directly with outbound denied DNS/NTP/SMTP/HTTP(S) requests as well as dropped/rejected internal devices. The administrators should then reconfigure the servers not to send this type of unauthorized outbound traffic, thereby taking load off the firewall.
- Filtering unwanted traffic can be spread among firewalls and routers to balance the performance and effectiveness of the security policy.Identify the top inbound dropped requests that are candidates to move upstream to the router as ACL filters. This can be time consuming, but it is a good method for moving blocks upstream to the router and saving firewall CPU and memory. If you have an internal choke router inside your firewall, also consider moving common outbound traffic blocks to your choke routers, freeing more processing on your firewall.
- Remove unused rules and objects from the rule bases.
- Reduce rule base complexity - rule overlapping should be minimized.
- Create a rule to handle broadcast traffic (bootp, NBT, etc.) with no logging.
- Place the heavily used rules near the top of the rule base. Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0 and certain Juniper Networks models) don't depend on rule order for performance since they use optimized algorithms to match packets.
- Avoid DNS objects requiring DNS lookup on all traffic.
- Your firewall interfaces should match your switch and/or router interfaces. If your router is half duplex your firewall should be half duplex. If your switch is 100 Mbit your firewall interface should be hard-set to match your switch; both should most likely be hard-set to 100 Mbit full duplex. Your switch and firewall should both report the same speed and duplex mode. If your switch is gigabit, your switch and firewall should both be set to auto-negotiate both speed and duplex. If your gigabit interfaces do not match between your firewall and switch, you should try replacing the cables and patch panel ports. Gigabit interfaces that are not linking at 1000 Mbit full duplex are almost always a sign of other issues.
- Separate firewalls from VPNs to offload VPN traffic and processing.
- Offload UTM features from the firewall: AV, AntiSpam, IPS, URL scanning.
- Upgrade to the latest software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities, so a performance gain is not guaranteed.
If you use Tufin SecureTrack, you can automate a number of these tasks.
Here are a few ways that SecureTrack can help:
- Identify unused rules and objects with the Rule and Object Usage Report, and consider removing them. The longer the reporting period, the more reliable the rule usage status will be. Remember that certain rules, like the ones allowing disaster recovery services, are only used rarely. You can also identify and cleanup unused group members.
- Analyze rule shadowing with Policy Analysis. Run Policy Analysis with "Any;Any;Any;Any" to identify completely shadowed rules. These rules are redundant and should be deleted. You can re-validate the redundancy with an unused rules report.
- Identify the most-used rules with the Rule and Object Usage Report and move them up in the rule base hierarchy. To find the top-most location for placing a rule without affecting connectivity, run an "Any;Any;Any;Any" policy analysis query, then, for each most-used rule:If it is not shadowed, move it to any higher location. If it is shadowed, find the lowest-ranked shadowing rule with a contradictory action and place the most-used rule below that one.
- Other things to keep in mind when re-ordering rules:You'll probably want to preserve the rule base structure, for example, rule grouping by service or application, source or destination, projects etc. Be careful with policies containing rules with special actions such as authentication or encryption - shadowing becomes more tricky in this case.
- You may also use the Best Practices Rule Order Optimization test to quickly identify candidates for relocation.
- Use the Automatic Policy Generator (APG) to identify and remove unwanted traffic from the firewall. Read more about APG here.
- Use the "Software Version Compliance Report" to control your firewall software versions.
Last but not least, remember that optimization can have a price, too - beyond the time you've invested. If you are not careful, you can wind up with a rule base which is too difficult to maintain. If you have the budget, there are times when upgrading the hardware is the easiest alternative.
In our next column, we’ll focus on ways to optimize specific models of firewalls from the different vendors, Vendor and model-specific tips for optimizing firewall performance - Tufin Firewall Expert Tip #4. If you have any tips that you would like to share, please contact me at firstname.lastname@example.org.