Firewall/Nat Rules, Entities And Performance - Allied Telesis AR Series Technical Manual

Feature overview and configuration guide advanced network protection

Selecting a Security Solution
downloaded and scanned, whereas Malware Protection scans content as it passes through, so that
the data is not held up waiting for the download to complete. As soon as Malware Protection
detects a threat within a stream of data, it immediately stops forwarding any more of the stream.
However, Malware Protection does not have the ability to serve an 'Access Denied' notification web
page to the user's browser. The user experience is simply that the download of a page stalls until it
eventually times out.
Not together
If both Anti-virus and Malware Protection are running simultaneously in the AR-Series firewall, then
typically Malware Protection would detect (and drop) any infected data before Anti-virus has a
chance to. This is because Malware Protection checks the data as it is arriving, whereas Anti-virus
does not scan a piece of content until it has all been downloaded.
Note also that if both services are operating, the 'Access Denied' web page will not be served to
the user's browser if Malware Protection detects the infection and Anti-virus does not get a chance
to see it.

Choose one
In general, a network administrator should choose to use one of Malware Protection or Anti-virus,
rather than both.
Malware Protection should be chosen if maximum throughput (with good security protection) is a
key business requirement for the device. Alternatively, the network administrator should consider
using the Anti-virus feature if maximum protection (at the cost of slightly reduced throughput) and
explicit user notification are the key business requirements.
Both Malware Protection and Anti-virus should be employed together only if there is a need for
extremely high security. The sets of threats that the two services can detect overlap heavily, but
at any time each will likely detect a few threats that the other does not yet detect. Employing both
services together slightly expands the aggregate set of threats that will be detected, at the cost
of a very high throughput reduction.

Firewall/NAT Rules, Entities and Performance

The numbers of zone, network and host entities, and of the associated firewall and NAT rules,
configured on an AR-Series firewall can also affect Internet-access performance.

Firewall and NAT rules
Each additional NAT or firewall application rule configured on an AR-Series firewall adds an
additional millisecond of latency to the start of each new session, as the session's content is
checked against each relevant rule. Once a flow is established, it is cached in an internal
connection tracking table and is not continually re-checked against the rules.
There is a configurable maximum of 500 NAT and/or firewall rules combined to allow data for
various applications to flow between firewall entity definitions. However, the practical limit
will reduce as additional features are configured and used on the device, and depending on the
system resources available.
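The session-setup cost described above, modelled as an added example that is not Allied Telesis code: an ordered first-match walk of the rule list for each new session, a connection-tracking set that lets established flows (in either direction) bypass the rules, and the combined 500-rule limit enforced on insertion. The Flow and Rule shapes and the field matcher are assumptions of the model, not the device's own rule syntax.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_RULES = 500  # combined firewall + NAT rule limit stated on this page

@dataclass(frozen=True)
class Flow:
    """5-tuple identifying a session (constructed shape for the model)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)

@dataclass
class Rule:
    """Simplified rule: a field left as None matches anything (assumed matcher)."""
    ident: int
    action: str  # "permit" or "deny"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        wanted = (("dst", self.dst), ("proto", self.proto), ("dport", self.dport))
        return all(v is None or v == getattr(f, k) for k, v in wanted)

@dataclass
class Firewall:
    rules: list = field(default_factory=list)
    conntrack: set = field(default_factory=set)  # established flows

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"combined rule limit of {MAX_RULES} reached")
        self.rules.append(rule)

    def process(self, f: Flow) -> tuple:
        """Return (verdict, number of rules evaluated for this packet)."""
        if f in self.conntrack or f.reverse() in self.conntrack:
            return "permit", 0  # established flow: served from cache, no rule walk
        checked = 0
        for r in self.rules:  # ordered list, first match wins
            checked += 1
            if r.matches(f):
                if r.action == "permit":
                    self.conntrack.add(f)  # cache so later packets skip the rules
                return r.action, checked
        return "deny", checked  # nothing matched: implicit deny after a full walk
```

The per-packet `checked` count is what grows with every rule you add; only the first packet of a permitted session pays it, which is the latency effect the text describes.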
C613-22104-00 REV B | Advanced Network Protection | Firewall/NAT Rules, Entities and Performance | Page 32

This manual is also suitable for:

AR3050S, AR4050S
