Best practice for optimizing firewalls for maximum performance and throughput

02 March 2010

Are your firewalls overloaded? Symptoms of overloaded firewalls include high CPU, low throughput and slow applications. Before upgrading your hardware, it is worth checking whether or not your firewall configuration can be optimized. Here, Reuven Harrison CTO of Tufin Technologies gives firewall administrators some best practices for optimizing firewalls for maximum performance and throughput.

Configuration optimization techniques for firewalls can be divided into two groups: general best practices and vendor-specific, model-specific configurations. This article will focus on best practices. The following are eleven best practices for firewall administrators to use to optimize firewalls for better performance and throughput.

Best practice No. 1: Ensure outbound traffic is compliant with policies

Remove bad traffic and clean up the network. Bad traffic includes non-compliant, unauthorized or undesired traffic. Notify server administrators about servers hitting the firewall directly with outbound denied Domain Name System (DNS), NTP, SMTP, HTTP and HTTP Secure (HTTPS) requests, as well as dropped/rejected internal devices. The administrators should then reconfigure the servers not to send this type of unauthorized outbound traffic (thereby taking load off the firewall).

Resource Library:
Open Storage at Work: New Ways to Use Solid State Drives to Optimize System Perf
How to Improve MySQL Database Scalability
Virtual Desktop: Opportunities, Challenges, and Successful Deployment
Improving Application Delivery over WAN: Measure, Monitor, Manage

Best practice No. 2: Filter unwanted traffic on the router(s) instead of the firewall

Move the filtering rules for unwanted inbound traffic from the firewall to the edge router(s) to balance the performance and effectiveness of the security policy. To do this, first identify the top inbound dropped requests that are candidates to move upstream to the router as Standard Access Control List (ACL) filters. This can be a time-consuming process but it is a good method for moving blocks upstream to the router, thus saving firewall CPU and memory.

Then, if you have an internal choke router between your network and firewall, consider moving common outbound traffic blocks to your choke routers. This will free more processing on your firewall.

Best practice No. 3: Remove unused rules and objects

Remove unused rules and objects from the rule bases. While cleaning up an unwieldy rule base might sound like a daunting task, there are a variety of automated tools available that can assist with rule cleanup. These automated tools make firewall policy management a much more manageable endeavor.

Best practice No. 4: Reduce rule base complexity

Reduce rule base complexity and rule overlapping should be minimized. Again, there are tools available that can dramatically reduce the time and headache involved in cleaning up and simplifying the rule base.

Best practice No. 5: Handle broadcast traffic

If the firewall interface is directly connected to the LAN segment, you should create a rule to handle broadcast traffic (bootp, NetBIOS over TCP/IP, etc.) with no logging.

Best practice No. 6: Place the heavily used rules near the top of the rule base

Place the heavily used rules near the top of the rule base. Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0, and certain Juniper Networks models) don't depend on rule order for performance since they use optimized algorithms to match packets.

Best practice No. 7: Avoid DNS objects

Avoid objects requiring DNS lookups.

Best practice No. 8: Firewall interface settings should match switch and router settings

Your firewall interfaces should match your router and/or switch interfaces. If your router or switch is 100M bps half-duplex, your firewall should be 100M bps half-duplex. Your interfaces should be hard set to match; both should most likely be 100M bps full-duplex.

Your router/switch and firewall should both report the same speed and duplex mode. If your switch and firewall are both Gigabit Ethernet, they should both be set to auto-negotiate the speed and duplex. If your Gigabit interfaces do not match between your firewall and switch, you should try replacing the cables and patch panel ports. Gigabit interfaces that are not linking at 1000M bps full-duplex are almost always a sign of other issues.

Best practice No. 9: Separate firewalls from VPNs

Separate firewalls from VPNs to offload VPN traffic and processing.

Best practice No. 10: Offload features from the firewall

Offload Unified Threat Management (UTM) features from the firewall including: antivirus, antispam, intrusion prevention system (IPS), and URL scanning.

Best practice No. 11: Upgrade to the latest software version

Upgrade to the latest software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities—so a performance gain is not guaranteed.

Tufin are exhibiting at Infosecurity Europe on 27th – 29th April at Earl’s Court, London, www.infosec.co.uk.