Maximum Rules Limitation

Hi all,


It is a strange question, but does someone know the maximum number of rules the UTM supports?

I am talking about packet filtering rules.

I have installed UTM with more than 100 rules but I would like to know if there are some limitations (apart from HW limits).

Thanks.

Luk

  • There isn't a hard maximum with iptables, but due to the way that packets are processed (iterating through every rule until a match is found), even on the most powerful hardware, with lots of traffic passing, if rules aren't tuned for performance (most commonly matched ordered to the top), the functional limit is around 1000.  This number has been an administrative nightmare for those systems I've seen with anything approaching it.  300 is a good upper end administrative limit to handle.

    Moved your post to the correct subject specific forum. Please don't post to General Discussion anymore unless it doesn't fit in any of the subject specific forum topics (same ones as Astaro.org). Thanks. :)

    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
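The reply above rests on one property of iptables: a chain is scanned top to bottom until a rule matches, so a busy rule sitting deep in a long chain costs every one of its packets a walk past all the rules above it. The script below is an added example (not from the thread, and not Sophos code) that puts a number on that using the per-rule packet counters `iptables-save -c` prints in front of each rule. The dump it parses is a constructed sample, not a capture from a real UTM; the `chain_depth_report` function name and the "weighted depth" metric (packet-weighted average position of the matching rule) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): measure how far into a
# chain iptables has to scan before the typical packet is matched, using the
# per-rule counters that "iptables-save -c" prints. On a live box, replace the
# constructed sample with:   iptables-save -c | chain_depth_report FORWARD

# chain_depth_report CHAIN   (reads an iptables-save -c dump on stdin)
# Prints the chain's rules ranked by packet count, then the packet-weighted
# average number of rules evaluated per matched packet, for the current order
# and for the optimal order (most-hit rule first).
chain_depth_report() {
    chain=$1
    LC_ALL=C awk -v chain="$chain" '
        # Rule lines look like:  [pkts:bytes] -A CHAIN <matches> -j <target>
        $2 == "-A" && $3 == chain {
            n++
            split(substr($1, 2, length($1) - 2), c, ":")
            pkts[n] = c[1] + 0
            rule[n] = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule[n])
        }
        END {
            if (n == 0) { print "no rules in chain " chain; exit 1 }
            total = 0; cur = 0
            for (i = 1; i <= n; i++) { total += pkts[i]; cur += i * pkts[i] }
            # Best case for a linear scan: positions sorted by packet count,
            # descending (simple selection sort; fine for a few thousand rules).
            for (i = 1; i <= n; i++) idx[i] = i
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (pkts[idx[j]] > pkts[idx[i]]) { t = idx[i]; idx[i] = idx[j]; idx[j] = t }
            best = 0
            for (i = 1; i <= n; i++) best += i * pkts[idx[i]]
            printf "%-4s %-10s %s\n", "pos", "pkts", "rule"
            for (i = 1; i <= n; i++) printf "%-4d %-10d %s\n", idx[i], pkts[idx[i]], rule[idx[i]]
            printf "rules in chain: %d\n", n
            if (total == 0) { print "no traffic counted yet"; exit 0 }
            printf "current weighted depth: %.2f\n", cur / total
            printf "optimal weighted depth: %.2f\n", best / total
        }'
}

# Constructed sample dump (not captured from a real UTM): the busy HTTPS rule
# sits fourth, behind three rarely-hit admin rules.
SAMPLE_RULES=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[120:9600] -A FORWARD -s 10.1.0.0/24 -d 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
[8:640] -A FORWARD -s 10.1.0.0/24 -d 192.0.2.10/32 -p tcp --dport 23 -j ACCEPT
[0:0] -A FORWARD -s 10.1.0.0/24 -d 192.0.2.11/32 -p tcp --dport 22 -j ACCEPT
[955000:700000000] -A FORWARD -s 10.1.0.0/24 -p tcp --dport 443 -j ACCEPT
[40000:3000000] -A FORWARD -s 10.1.0.0/24 -p udp --dport 53 -j ACCEPT
COMMIT
EOF
)

printf '%s\n' "$SAMPLE_RULES" | chain_depth_report FORWARD
```

On the sample the current order evaluates about 4 rules per matched packet and the optimal order about 1, which is the gap Scott's "most commonly matched ordered to the top" advice closes. Two caveats: the counters only cover traffic since the last reset, so read them after a representative period, and the metric ignores packets that match nothing (those always walk the whole chain and hit the policy, which is where a long chain hurts most). Since the back-end rules are generated from the WebAdmin policy, reorder at the policy level rather than editing the chain by hand.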
  • Thank you Scott.
    So no way to compete with other big HW Firewall where Policy Rules override 10000 easily. I would like to know that because some big customer would like to test UTM but they have so many rules that as I thought UTM will not resist to this kind of installation.
    Really sad!!!!
    Hope XG with FastPath Packet and IPS per rules will give us more performance and a way to compete with other Competitor for higher installation.

    Thanks.
    Luk
  • Luk,

Are you sure that they have the equivalent of that many rules in the UTM?  A single Firewall rule in WebAdmin can generate dozens of line-item rules in the back end, and it's those lines that correspond to Cisco's rules.  For example, as I understand it, the following single rule generates 119 lines of iptables code:

    If we had 4 internal subnets instead of one, it would generate almost 500.  It could take some effort, but don't give up without getting Sophos sales involved in the opportunity if you have a shot.

    Cheers - Bob

    PS I tried to send you a message, but couldn't.  Please change your Settings so that you can receive messages from everyone and then message me.  Thanks!

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
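Bob's point is that a WebAdmin rule with several sources, destinations and services is not one iptables rule but one per combination, so the back-end count is the product of the three list sizes (his figures scale that way: 119 lines for one subnet, "almost 500" for four). The script below is an added example, not from the thread and not the template UTM actually uses; it only models the multiplication, emitting a minimal `-j ACCEPT` line per (source, destination, service) tuple and printing the commands rather than running them. The `expand_rule` and `count_lines` helpers and the sample policy are constructed for this example.

```shell
#!/bin/sh
# Added example: how one WebAdmin-style rule fans out into iptables line items.
# Nothing here touches the kernel; the iptables commands are only printed.

# expand_rule CHAIN "SRC SRC ..." "DST DST ..." "proto/port proto/port ..."
# Emits one "iptables -A" line per (source, destination, service) combination.
# The exact line UTM generates per combination is an assumption here; Bob's
# 119-line figure suggests the real template emits more than this single
# ACCEPT, so the product below is a lower bound for the back-end count.
expand_rule() {
    chain=$1; srcs=$2; dsts=$3; svcs=$4
    for s in $srcs; do
        for d in $dsts; do
            for svc in $svcs; do
                proto=${svc%/*}
                port=${svc#*/}
                printf 'iptables -A %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
                    "$chain" "$s" "$d" "$proto" "$port"
            done
        done
    done
}

# count_lines: portable line count (avoids the leading blanks some wc print)
count_lines() { awk 'END { print NR }'; }

# Constructed sample policy: ONE rule allowing 4 internal subnets to reach
# 2 servers on 6 services.
SRCS="10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 10.4.0.0/24"
DSTS="192.0.2.10 192.0.2.11"
SVCS="tcp/22 tcp/80 tcp/443 tcp/3389 udp/53 udp/123"

expand_rule FORWARD "$SRCS" "$DSTS" "$SVCS"
# 4 x 2 x 6 = 48 back-end rules from a single policy line
echo "back-end rules for this one policy rule: $(expand_rule FORWARD "$SRCS" "$DSTS" "$SVCS" | count_lines)"
# Same rule with one subnet: 1 x 2 x 6 = 12, a quarter of the above, which is
# the 4x growth Bob describes when going from one internal subnet to four.
echo "same rule with one subnet: $(expand_rule FORWARD 10.1.0.0/24 "$DSTS" "$SVCS" | count_lines)"
```

The number to compare against Scott's ~1000 functional limit is therefore the back-end count, not the WebAdmin count; on a UTM shell `iptables-save | grep -c '^-A FORWARD'` gives it directly, since every rule in an `iptables-save` dump is written as an `-A CHAIN` line. A 10000-rule Cisco policy may correspond to far fewer WebAdmin rules than it sounds, which is Bob's reason for not giving up on the opportunity.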
  • Thank you Balfson.

I will contact Sophos Sales. So nobody has a big installation like the one I mentioned. I know that each rule can have multiple entries (services, source and destination), but there should be a limit inside the code.
    I changed my profile settings so you should be able to send me a PM.

    Thanks.

    Luk