Selecting a Security Solution
In most situations, a single NAT rule that masquerades (masq) any traffic from the LAN to the WAN is sufficient; there is no need to configure a separate NAT masq rule for each individual application. Typically a few NAT port forwarding rules are also configured, so that application traffic arriving from the Internet at the public IP address is translated to reach the internal addresses of internal servers.
A few dozen firewall rules to allow or deny specific application traffic to flow from one entity to
another may also typically be configured.
Depending on what other features are in use on the device, session latency progressively worsens as more rules are added, eventually resulting in TCP connection timeouts and the associated failure to load some website content. Also, as more rules are configured, the time taken to load all the rules at startup increases the device's startup time.
Entities
In terms of zones, the traditional three-zone approach (DMZ, private and public zones) covers the vast majority of needs. However, the structure of an organization may dictate a larger number of zones.
The number of zone, network and host entities does not have any significant effect on forwarding
performance.
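As an added illustration of the three-zone layout and the minimal rule set described above (a constructed example, not configuration from this guide; the AlliedWare Plus command syntax, entity names, interface names and addresses are assumptions):

```text
! Constructed example: three zones, one masq rule, one port forward and a
! small firewall rule set. Syntax, names and addresses are assumptions.
zone public
 network wan
  ip subnet 0.0.0.0/0 interface eth1
  host router
   ip address 203.0.113.10
zone private
 network lan
  ip subnet 192.168.1.0/24 interface vlan1
zone dmz
 network servers
  ip subnet 10.0.0.0/24 interface vlan2
  host web
   ip address 10.0.0.10
!
application web
 protocol tcp
 dport 80
!
nat
 ! One masq rule covers all LAN-to-Internet traffic; no per-application rules
 rule 10 masq any from private to public
 ! Inbound HTTP to the public address is translated to the DMZ web server
 rule 20 portfwd web from public to public.wan.router with dst dmz.servers.web
 enable
!
firewall
 rule 10 permit any from private to public
 rule 20 permit any from private to dmz
 ! Firewall rules match the post-NAT destination, hence dmz.servers.web here
 rule 30 permit web from public to dmz.servers.web
 ! Once protect is enabled, traffic not matched by a permit rule is dropped
 protect
```

Each additional rule adds to the per-session matching cost noted above, so the set is kept as small as the zone structure allows.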
C613-22104-00 REV B | Advanced Network Protection | Firewall/NAT Rules, Entities and Performance | Page 33