4 Managing Policies
When a packet arrives at an EFW NIC, the ACL is processed by stepping through the list
of rules from first to last until a match is found. Usually, once a match is found and the
appropriate action is taken, the process is complete: the first matching rule decides what
happens to the packet. However, using the Test Mode feature, you can configure the policy
to ignore specific rules or rule sets and continue processing to find subsequent rule matches.
Organizing Rules for Optimum Performance Within a Policy
The order in which you organize rules and rule sets determines how efficiently a packet
is processed. Filtering is generally completed once a rule match is found. Therefore, by
placing the most commonly matched rules near the beginning of an ACL, you can reduce
the time spent filtering, which increases performance. Understanding the network traffic
characteristics for your secured computer helps you determine which rules most often
match packets.
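The following Python model is added here as a worked example; it is not part of the 3Com manual. It shows the first-match processing described above together with the performance effect of rule order: the same four rules in two orders are evaluated against a constructed traffic sample, and the number of rules examined per packet is counted. The Rule and Packet fields, the test_mode flag (modelled, as an assumption, as "ignore this rule and keep walking the ACL") and the traffic sample are all constructed for the illustration.

```python
"""First-match ACL walk with rule ordering and test-mode rules (added example, not 3Com code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]     # None matches any destination port
    action: str                 # "allow" or "deny"
    test_mode: bool = False     # assumption: a test-mode rule is ignored and the walk continues


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, default_action: str = "deny") -> Tuple[str, int, List[str]]:
    """Step through the ACL first to last.

    Returns (action taken, number of rules examined, names of test-mode rules
    that would have matched). Processing stops at the first match that is not
    in test mode; if nothing matches, the default rule's action applies.
    """
    examined = 0
    test_hits: List[str] = []
    for rule in acl:
        examined += 1
        if not matches(rule, pkt):
            continue
        if rule.test_mode:
            test_hits.append(rule.name)   # recorded, but the ACL walk continues
            continue
        return rule.action, examined, test_hits
    return default_action, examined, test_hits


def average_rules_examined(acl: List[Rule], traffic: List[Packet]) -> float:
    """Mean number of rules stepped through per packet: the cost rule order controls."""
    return sum(evaluate(acl, p)[1] for p in traffic) / len(traffic)


def same_decisions(acl_a: List[Rule], acl_b: List[Rule], traffic: List[Packet]) -> bool:
    """Reordering is only a performance change if every packet still gets the same action."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p in traffic)


# Constructed sample: the same four rules in two orders.
DNS = Rule("dns", "udp", 53, "allow")
SSH = Rule("ssh", "tcp", 22, "allow")
SMTP = Rule("smtp", "tcp", 25, "deny")
HTTP = Rule("http", "tcp", 80, "allow")
SLOW_ACL = [DNS, SSH, SMTP, HTTP]   # the most commonly matched rule sits last
FAST_ACL = [HTTP, DNS, SSH, SMTP]   # the most commonly matched rule sits first

# Constructed traffic sample for a secured web server: mostly HTTP, a little DNS and SSH.
TRAFFIC = [Packet("tcp", 80)] * 8 + [Packet("udp", 53), Packet("tcp", 22)]

if __name__ == "__main__":
    print("slow order: %.1f rules examined per packet" % average_rules_examined(SLOW_ACL, TRAFFIC))
    print("fast order: %.1f rules examined per packet" % average_rules_examined(FAST_ACL, TRAFFIC))
    print("decisions unchanged after reordering:", same_decisions(SLOW_ACL, FAST_ACL, TRAFFIC))
```

Moving the HTTP rule to the front cuts the walk from 3.5 to 1.3 rules per packet on this sample. Because the firewall stops at the first match, reordering is only safe when the rules being moved do not overlap for real traffic; `same_decisions` is the check to run against a representative traffic sample before promoting a reordered ACL.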
Determining the Size of a Policy
The memory capacity of a NIC places certain limitations on the size of the policy that it can
enforce. Therefore, you must consider the policy size when configuring policies for NICs.
The number of rules in a policy’s ACL provides a rough estimate of the policy size. The
configuration of your policy settings can also increase the policy size slightly. A desktop
NIC can handle a policy up to size 64. A server NIC can handle a policy up to size 128.
The information below provides guidelines for calculating the size of a policy:
■ Selecting the No Spoofing policy setting increases the policy size by 1 for each IP address of the EFW device.
■ Selecting the Allow Fragmented IP Packets policy setting increases the policy size by 1.
■ De-selecting the Allow Fragmented IP Packets policy setting increases the policy size by 2.
■ De-selecting the Allow IP Options policy setting increases the policy size by 1.
■ Each rule in the policy ACL that does not list “EFW Device IP” or a host name as the Source IP or Destination IP increases the policy size by 1. A rule that does list “EFW Device IP” or a host name also increases the policy size by only 1 when the NIC and the host each have a single IP address.
■ For each rule in the policy ACL that lists “EFW Device IP” or a host name as the Source IP or Destination IP, when at least one of the computers has more than one IP address, multiply the number of Source IP addresses (n) by the number of Destination IP addresses (m): the product n × m is the amount by which that rule increases the policy size. Therefore, the same policy may have a larger size when it is enforced on a NIC that has multiple IP addresses than when it is enforced on a NIC that has only one IP address.
NOTE: The default rule does not use any space on the NIC.
NOTE: The policy size is not affected by the Direction field for a rule (that is, In, Out, or Both).
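The following Python script is added here as a worked example of the sizing guidelines above; it is not taken from the 3Com manual. It sums the contributions of the policy settings and of each rule, applies the n × m expansion for rules that name “EFW Device IP” or a host name, and checks the result against the desktop and server NIC limits for the same policy on a single-homed and a dual-homed NIC. The rule representation, the sample policy and the address-count maps are constructed for the illustration; the map stands in for the NIC's own resolution of “EFW Device IP” and host names, and any endpoint not in the map is assumed to be a single literal address.

```python
"""Estimate an EFW policy's size and check NIC capacity (added example, not 3Com code)."""
from dataclasses import dataclass
from typing import Dict, Tuple

DESKTOP_NIC_MAX_SIZE = 64
SERVER_NIC_MAX_SIZE = 128


@dataclass(frozen=True)
class Rule:
    source_ip: str          # "EFW Device IP", a host name, or a literal address
    destination_ip: str     # direction (In/Out/Both) does not affect size, so it is omitted


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    no_spoofing: bool
    allow_fragmented_ip_packets: bool
    allow_ip_options: bool


def address_count(endpoint: str, addresses: Dict[str, int]) -> int:
    """Number of IP addresses an endpoint expands to on the target NIC.

    'addresses' maps "EFW Device IP" and host names to their address counts
    (assumption: it stands in for the NIC's own resolution). Anything not in
    the map is treated as one literal address and counts as 1.
    """
    return addresses.get(endpoint, 1)


def rule_size(rule: Rule, addresses: Dict[str, int]) -> int:
    # n source addresses x m destination addresses; 1 x 1 = 1 for a plain rule
    return address_count(rule.source_ip, addresses) * address_count(rule.destination_ip, addresses)


def policy_size(policy: Policy, addresses: Dict[str, int]) -> int:
    size = 0
    if policy.no_spoofing:
        size += address_count("EFW Device IP", addresses)   # +1 per EFW device address
    size += 1 if policy.allow_fragmented_ip_packets else 2  # allowed: +1, blocked: +2
    if not policy.allow_ip_options:
        size += 1
    size += sum(rule_size(r, addresses) for r in policy.rules)
    return size                                             # the default rule costs nothing


def fits(policy: Policy, addresses: Dict[str, int], nic_max: int) -> bool:
    return policy_size(policy, addresses) <= nic_max


# Constructed sample policy: one plain rule, two that name the device or a host.
SAMPLE_POLICY = Policy(
    rules=(
        Rule("192.0.2.10", "EFW Device IP"),   # literal source, device IP destination
        Rule("EFW Device IP", "mailhost"),     # device IP source, host name destination
        Rule("10.0.0.5", "192.0.2.20"),        # neither side names the device or a host
    ),
    no_spoofing=True,
    allow_fragmented_ip_packets=False,
    allow_ip_options=False,
)

# Constructed address counts for two NICs that would enforce the same policy.
SINGLE_HOMED = {"EFW Device IP": 1, "mailhost": 2}
DUAL_HOMED = {"EFW Device IP": 2, "mailhost": 2}

if __name__ == "__main__":
    for label, addrs in (("single-homed NIC", SINGLE_HOMED), ("dual-homed NIC", DUAL_HOMED)):
        size = policy_size(SAMPLE_POLICY, addrs)
        print("%s: size %d, fits desktop NIC: %s, fits server NIC: %s" % (
            label, size, fits(SAMPLE_POLICY, addrs, DESKTOP_NIC_MAX_SIZE),
            fits(SAMPLE_POLICY, addrs, SERVER_NIC_MAX_SIZE)))
```

On the single-homed NIC the sample policy costs 8 (1 for No Spoofing, 2 for blocking fragments, 1 for blocking IP options, and 1 + 2 + 1 for the three rules); on the dual-homed NIC the same policy costs 12, because No Spoofing now costs 2 and the two rules naming the device double. Rules between two multi-addressed hosts grow fastest, so size the policy against the NIC with the most addresses before distributing it.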