
This article discusses the top ten tips you can implement to best manage and fine-tune your firewall. The purpose of this article is to get the best performance out of your firewall and to increase the security of your network.

1. Use the latest version of the OS software available for your particular firewall. Install
the latest patches and, if possible/applicable, the latest software version available.

2. Use a stealth rule at the top of the rule base.

What is a stealth rule? A stealth rule is a rule that disallows any communication to the
firewall itself from unauthorized networks/hosts. It is a rule to protect the firewall itself
from attacks.

3. Place the most commonly used or accessed rules at the top of the rule base. When a
packet reaches a firewall, it gets checked against the rule base of the firewall from top to
bottom. Once it matches a rule, it is either accepted, denied or acted upon depending on
the action defined for that rule. So it is best to place the most accessed rules at the top of
the rule base so that a packet need not be matched against all the rules in the rule base.
This decreases the load on the firewall.

4. Keep the rulebase as simple as possible. Do not allow access to anything and
everything. Give access only if it is needed or required.

5. Use object groups where possible and combine similar rules into one rule. This would
keep the rule base short and simple and thus reduce the load on the firewall.

6. If your network is using VPN, give preference to AES-128 wherever possible. Some
firewalls, like the popular Check Point firewall, recommend AES-128 over 3DES and
AES-256 in terms of firewall load and performance. Check with your firewall manufacturer
which encryption would provide the best performance on the given make, taking into
consideration that security is also one of your main priorities.

7. Keep logging to a minimum. For example, if you have a couple of busy web servers,
logging each and every HTTP connection might bring additional load onto the firewall and
also fill up the log server quickly.

8. Try to implement high availability if your budget allows it. This would reduce the
downtime of your network considerably. If a firewall is down, pretty much all of your
operations are down. If high availability is implemented, then even if the primary were to
fail, the secondary would take over. Firewall clustering can provide your firewall with both
redundancy and load sharing. Check with the manufacturer whether it is available.

9. If too many VPN connections need to connect to your network, try to get a dedicated
VPN device. How many connections are too many? Check the firewall manufacturer's
manual. Another way is to check the load on the firewall: memory, CPU utilization, etc.

10. End your rule base with a clean-up rule, i.e. an ANY ANY DENY rule. Try to also log
this rule. This would assist you in analyzing the dropped connections in case you are ever
attacked, or even during simple troubleshooting.
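As an added example (not from the article), here is a small Python model of tips 2, 3, 7 and 10 together: a first-match rule base with a stealth rule on top and a logged clean-up rule at the bottom, plus a reordering of the rules in between by observed hit count to show how many rule comparisons the placement saves. All addresses, rules and traffic are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: "int | None"    # None matches any destination port
    action: str            # "accept" or "drop"
    log: bool = False      # tip 7: log only where it pays off
    hits: int = 0

def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(rulebase, src, dst, dport):
    """Top-down first match (tip 3): returns (matched rule, rules examined)."""
    for examined, r in enumerate(rulebase, 1):
        if _in(r.src, src) and _in(r.dst, dst) and r.dport in (None, dport):
            r.hits += 1
            return r, examined
    raise RuntimeError("no match: the rule base lacks a clean-up rule (tip 10)")

def order_by_hits(rulebase):
    """Tip 3: stealth rule stays first, clean-up stays last; sort the rest by hits."""
    return [rulebase[0], *sorted(rulebase[1:-1], key=lambda r: r.hits, reverse=True), rulebase[-1]]

def build_rulebase():  # constructed: 203.0.113.1 is the firewall, 10.0.0.0/8 the LAN
    return [
        Rule("stealth", "any", "203.0.113.1/32", None, "drop", log=True),  # tip 2
        Rule("dns", "10.0.0.0/8", "10.0.0.53/32", 53, "accept"),
        Rule("smtp", "any", "10.0.0.25/32", 25, "accept"),
        Rule("web", "any", "10.0.0.80/32", 443, "accept"),
        Rule("cleanup", "any", "any", None, "drop", log=True),             # tip 10
    ]

# Constructed traffic: mostly HTTPS, one DNS lookup, one connection to the firewall's
# own address, and one stray connection that no rule permits.
TRAFFIC = [("198.51.100.7", "10.0.0.80", 443)] * 6 + [("10.1.2.3", "10.0.0.53", 53),
           ("198.51.100.9", "203.0.113.1", 22), ("198.51.100.9", "10.0.0.80", 23)]

def compare_orderings():
    rb, decisions, before = build_rulebase(), [], 0
    for src, dst, dport in TRAFFIC:
        rule, examined = evaluate(rb, src, dst, dport)
        before += examined
        decisions.append((rule.action, rule.name, rule.log))
    reordered = order_by_hits(rb)
    after = sum(evaluate(reordered, *pkt)[1] for pkt in TRAFFIC)
    return before, after, decisions
```

Running `compare_orderings()` shows the same nine packets costing 32 rule comparisons in the original order and 21 once the busy web rule moves up, while the connection to the firewall's own address and the stray connection are both dropped and logged by the stealth and clean-up rules respectively.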
