The firewall is a vital part of the network. It acts as a barrier between the outside and the inside of your network. Its purpose is to keep unauthorized users away from your data and services by blocking all unsolicited incoming traffic, which stops intrusion attempts and the network-borne viruses, worms, Trojans and other malware that arrive the same way.
Is your firewall overloaded with traffic? The symptoms are high CPU usage, low throughput and sluggish applications. Before replacing the hardware with a bigger model, it is worth checking whether the firewall configuration can be improved.
Firewall optimization techniques fall into two groups: general best practices, and vendor- and model-specific configurations. This column focuses on the general best practices. Next time we’ll look at vendor-specific advice, so if you have anything to share, we’d like to hear from you!
Optimizing firewalls for better performance and throughput:
- Remove bad traffic at its source. Notify the server administrators about servers that hit the firewall directly with outbound DNS/NTP/SMTP/HTTP requests the policy drops or rejects, and about internal devices whose traffic is being dropped or rejected. The administrators should reconfigure those servers to stop sending the unauthorized outbound traffic (for example by pointing them at the internal DNS, NTP or mail relay). This takes load off the firewall, which otherwise spends CPU and log capacity on traffic it will never forward, and it keeps the problem from recurring.
- Filtering unwanted traffic is usually spread across firewalls, routers and other network devices to balance performance against the effectiveness of the security policy. Identify the most frequently dropped flows that are candidates to be moved upstream to the router as access control filters. This can be time-consuming, but moving blocks upstream to the router saves firewall CPU and memory. If you have a choke router on the inside of your firewall and want to free up more processing power on the firewall, consider moving common outbound blocks to that router as well.
- Remove unused rules and objects from the rule bases.
- Reduce firewall rule base complexity – rule overlapping should be minimized.
- Create a rule that handles broadcast traffic (BOOTP/DHCP, NBT, etc.) without logging, so that chatter the firewall will never forward does not consume log resources.
- Place the most frequently matched rules near the top of the policy. Note that some firewalls (such as Cisco PIX and ASA version 7.0 and above) do not depend on rule order for performance, because they compile the rule base into optimized match structures. Order still determines which rule wins, so any re-ordering must preserve the policy’s decisions.
- Avoid DNS-based objects (hostnames resolved at match time), which require a DNS lookup on every matching flow.
- For maximum firewall performance, make sure the firewall interfaces match the switch and/or router interfaces they connect to. Speed and duplex must agree at both ends: if the switch or router port is fixed at 100 Mbit/s full-duplex, set the firewall interface to 100 Mbit/s full-duplex too, and if one side is half-duplex the other must be as well, otherwise you get late collisions and CRC errors. For Gigabit links, set both the switch port and the firewall interface to auto-negotiate. If a Gigabit link does not come up at 1000 Mbit/s full-duplex, that usually points to another problem, such as a faulty cable, patch-panel port, switch port or NIC; try replacing the cable and patch-panel port first.
- Terminate VPNs on a separate device to offload VPN traffic and cryptographic processing from the firewall.
- Offload UTM features (AV, anti-spam, IPS, URL filtering) from the firewall to dedicated devices.
- Upgrade to the latest software version. Newer versions usually contain performance enhancements, but they also add new capabilities, so a net performance gain is not guaranteed; measure before and after.
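The first two items above (find internal servers that keep hitting the firewall with blocked outbound traffic, then push the common blocks upstream) can be driven from the firewall's drop logs. The script below is an added example written for this column, not code from the original post or from any firewall vendor: the log format, the sample log lines and the internal address ranges are constructed for the example, and the router output uses Cisco IOS extended ACL syntax purely as an illustration of what "moving a block upstream" looks like.

```python
"""Triage firewall drop logs: find internal hosts that repeatedly hit the
firewall with unwanted outbound traffic, report them to their owners, and
list the top offenders as candidates for an upstream router ACL.

The log format, sample lines and address ranges below are constructed for
this example; adapt LINE_RE to your own firewall's syslog format.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from any real firewall).
SAMPLE_LOG = """\
Jun 01 10:00:01 fw1 DROP in=eth1 src=10.20.0.15 dst=8.8.8.8 proto=UDP dpt=53
Jun 01 10:00:02 fw1 DROP in=eth1 src=10.20.0.15 dst=8.8.4.4 proto=UDP dpt=53
Jun 01 10:00:03 fw1 DROP in=eth1 src=10.20.0.15 dst=1.1.1.1 proto=UDP dpt=53
Jun 01 10:00:04 fw1 DROP in=eth1 src=10.20.0.42 dst=203.0.113.9 proto=TCP dpt=25
Jun 01 10:00:05 fw1 DROP in=eth1 src=10.20.0.42 dst=203.0.113.9 proto=TCP dpt=25
Jun 01 10:00:06 fw1 ACCEPT in=eth1 src=10.20.0.7 dst=198.51.100.20 proto=TCP dpt=443
Jun 01 10:00:07 fw1 DROP in=eth0 src=198.51.100.77 dst=10.20.0.7 proto=TCP dpt=22
Jun 01 10:00:08 fw1 DROP in=eth1 src=10.20.0.99 dst=192.0.2.10 proto=UDP dpt=123
Jun 01 10:00:09 fw1 DROP in=eth1 src=10.20.0.15 dst=9.9.9.9 proto=UDP dpt=53
"""

# Assumed internal ranges (RFC 1918); replace with your own address plan.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Services the column calls out as commonly misdirected at the firewall.
WATCHED = {("UDP", 53): "dns", ("UDP", 123): "ntp", ("TCP", 25): "smtp", ("TCP", 80): "http"}

LINE_RE = re.compile(
    r"(?P<action>DROP|REJECT|ACCEPT)\s+in=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+dpt=(?P<dpt>\d+)"
)


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def blocked_internal_talkers(log_text):
    """Count dropped/rejected flows from internal sources per (src, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] == "ACCEPT":
            continue
        if not is_internal(m["src"]):
            continue  # inbound scans are a different problem; skip them here
        counts[(m["src"], m["proto"].upper(), int(m["dpt"]))] += 1
    return counts


def acl_candidates(counts, min_hits=2):
    """Return (src, proto, dport, service, hits) tuples worth moving upstream,
    most frequent first. Only watched services with enough hits qualify."""
    out = []
    for (src, proto, dpt), hits in counts.most_common():
        svc = WATCHED.get((proto, dpt))
        if svc and hits >= min_hits:
            out.append((src, proto, dpt, svc, hits))
    return out


def render_ios_acl(candidates, acl_number=110):
    """Render candidates as Cisco IOS extended ACL lines (illustrative syntax
    only; the column's follow-up covers vendor specifics)."""
    return [f"access-list {acl_number} deny {proto.lower()} host {src} any eq {dpt}"
            for src, proto, dpt, _svc, _hits in candidates]


if __name__ == "__main__":
    counts = blocked_internal_talkers(SAMPLE_LOG)
    cands = acl_candidates(counts)
    for src, proto, dpt, svc, hits in cands:
        print(f"notify owner of {src}: {hits} blocked outbound {svc} ({proto}/{dpt})")
    print("\n".join(render_ios_acl(cands)))
```

On the constructed sample, 10.20.0.15 (four blocked DNS queries to public resolvers) and 10.20.0.42 (two blocked direct SMTP attempts) come out as the servers to report to their administrators; the single NTP drop stays below the threshold, and the inbound SSH probe from 198.51.100.77 is deliberately ignored because it is not a candidate for an outbound block. Run it over a day or more of real logs before turning any candidate into an ACL, and keep the firewall rule in place until the upstream filter is confirmed to be catching the traffic.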
Here are a few ways that Secure Track can help:
- Identify unused firewall policy rules and objects with the Rule and Object Usage Report and consider removing them. The longer the reporting period, the more reliable the usage status; remember that some rules, such as those allowing disaster-recovery services, are legitimately used only rarely. You can also identify and clean up unused group members.
- Analyze rule shadowing with Policy Analysis. Run Policy Analysis with source, destination and service set to “Any” to identify completely shadowed rules. Such rules can never match, so they are redundant and should be deleted; re-validate the redundancy with an unused-rules report before removing them.
- Identify the most-used firewall policy rules with the Rule and Object Usage Report and move them up in the rule base. To find the highest position for a rule without affecting connectivity, run an “Any” policy analysis query, then, for each most-used rule: if it is not shadowed by anything above it, move it to any higher position; if it is partially shadowed, find the closest rule above it that overlaps it and has a contradictory action, and place the most-used rule directly below that one.
- Other things to keep in mind when re-ordering the rule base: you will probably want to preserve its existing structure, such as grouping by service, application, source, destination, project or tag. Be careful with policies that contain rules with special actions such as authentication or encryption; shadowing analysis is trickier there, because two rules with the same apparent action may still treat the traffic differently.
- You can also use the Best Practices rule-order optimization test to quickly identify candidates that are likely worth relocating.
- Use the Automatic Policy Generation (APG) tool to identify and remove unwanted web traffic from the firewall.
Finally, remember that firewall optimization has a price beyond the time you invest: if you are not careful, you can end up with a rule base that is too difficult to maintain. If you have the budget, upgrading the hardware is always an option.
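The shadowing check and the "highest safe position" rule from the two items on shadowed and most-used rules above can be stated precisely in code. The following is an added example written for this column; it is not SecureTrack's algorithm or any vendor's rule format. The rule model (source and destination as lists of CIDRs or "any", service as "proto/port" strings or "any", action allow or deny) and the sample rule base are simplifications constructed for the example.

```python
"""Rule-base hygiene on a simplified rule model: find rules that are fully
shadowed by an earlier rule, and compute the highest position a heavily used
rule can be moved to without changing any decision the policy makes.

The Rule model and RULES below are constructed for this example and are not
any vendor's format.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    src: object      # list of CIDR strings, or ANY
    dst: object      # list of CIDR strings, or ANY
    svc: object      # list of "tcp/443"-style strings, or ANY
    action: str      # "allow" or "deny"
    hits: int = 0    # from the usage report


def _nets(field):
    return None if field == ANY else [ip_network(c) for c in field]


def _addr_covers(a, b):
    """Every network in b lies inside some network in a (ANY covers all)."""
    na, nb = _nets(a), _nets(b)
    if na is None:
        return True
    if nb is None:
        return False
    return all(any(y.subnet_of(x) for x in na) for y in nb)


def _addr_overlaps(a, b):
    na, nb = _nets(a), _nets(b)
    if na is None or nb is None:
        return True
    return any(x.overlaps(y) for x in na for y in nb)


def _svc_covers(a, b):
    return a == ANY or (b != ANY and set(b) <= set(a))


def _svc_overlaps(a, b):
    return a == ANY or b == ANY or bool(set(a) & set(b))


def covers(a, b):
    """Rule a matches every packet that rule b matches."""
    return _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst) and _svc_covers(a.svc, b.svc)


def overlaps(a, b):
    """Some packet matches both rules."""
    return _addr_overlaps(a.src, b.src) and _addr_overlaps(a.dst, b.dst) and _svc_overlaps(a.svc, b.svc)


def shadowed_rules(rules):
    """Names of rules fully covered by a single earlier rule, whatever its
    action: they can never match and are deletion candidates. Shadowing by a
    combination of several earlier rules is not detected by this check."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def highest_safe_position(rules, i):
    """Index to which rules[i] can be moved up without changing a decision: it
    may pass rules it does not overlap and overlapping rules with the same
    action (only which rule logs the hit changes), but must stay directly
    below the nearest overlapping rule with a different action."""
    for j in range(i - 1, -1, -1):
        if overlaps(rules[j], rules[i]) and rules[j].action != rules[i].action:
            return j + 1
    return 0


def reorder_hot_rules(rules, top_n=2):
    """Move the top_n most-hit, non-shadowed rules as high as is safe; returns
    the new order of rule names."""
    rules = list(rules)
    shadowed = set(shadowed_rules(rules))
    hot = sorted((r for r in rules if r.name not in shadowed), key=lambda r: -r.hits)[:top_n]
    for r in hot:
        i = rules.index(r)
        rules.insert(highest_safe_position(rules, i), rules.pop(i))
    return [r.name for r in rules]


# Constructed sample rule base, top to bottom.
RULES = [
    Rule("block-bad-net", ["203.0.113.0/24"], ANY, ANY, "deny", hits=40),
    Rule("allow-dns", ["10.0.0.0/8"], ["10.1.1.53/32"], ["udp/53"], "allow", hits=500),
    Rule("allow-mail", ["10.0.0.0/8"], ["10.1.1.25/32"], ["tcp/25"], "allow", hits=30),
    Rule("allow-web", ANY, ANY, ["tcp/80", "tcp/443"], "allow", hits=90000),
    Rule("deny-guest-to-dc", ["192.168.50.0/24"], ["10.1.0.0/16"], ANY, "deny", hits=10),
    Rule("allow-dns-dup", ["10.20.0.0/16"], ["10.1.1.53/32"], ["udp/53"], "allow", hits=0),
    Rule("cleanup-deny", ANY, ANY, ANY, "deny", hits=2000),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("new order:", reorder_hot_rules(RULES))
```

On the sample rule base, allow-dns-dup is reported as shadowed (allow-dns already covers every packet it could match, which is why its hit count is zero). The hot allow-web rule can climb past allow-dns and allow-mail, which it does not overlap, but must stop directly below block-bad-net, whose deny overlaps it; the busy cleanup-deny cannot move at all, because every allow above it overlaps it with the opposite action. This is the "closest overlapping rule with a contradictory action" bound from the text, made mechanical; rules with special actions such as authentication or encryption need a richer action model than allow/deny before this check is trustworthy.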
If you need to request cleanup you can contact the FixHackedSite support team.
Have you checked out our Free 25 Point Website Vulnerability and Performance Optimization Check?
It helps ensure your website is in tip-top shape. And it is free! Check it out now here: Free 25 Point Website Vulnerability and Performance Optimization Check