How to optimize your Firewall Rules in Astaro Security Gateway

  • Article ID: 115156
  • Updated: 28 Jun 2012


When firewall rules are built, each is given a position within the rule list. For example, there may be 100 existing packet filter rules, and you choose to define one more. While defining it, you are asked to choose its position on the packet filter list: position 1, position 101, or anywhere in between.

Each time a packet arrives at the Astaro, it is compared against the existing packet filter rules, starting every time with the rule at position 1 and going down the list in numerical order until a rule matching the arriving packet is found. When a matching rule is found, the packet filter engine stops processing the list and handles the packet according to that rule.

To let the Astaro process packet filter rules as efficiently as possible, it is a good idea to place the rules that will be matched most often at the top of the packet filter rule list.

One example of optimizing packet filtering concerns broadcast traffic. This traffic can be internal and, in many instances, comes from external sources. Many Astaro administrators create a packet filter rule that causes the Astaro to drop it. Because broadcasts are common, this rule should be placed near the top of the packet filter rule base, so that the Astaro does not have to work through the entire list of rules before matching a broadcast packet to the drop-broadcast rule.
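As an added illustration (not part of the Astaro article), the following toy first-match packet filter counts how many rules are compared before a packet is matched. It uses a constructed rule base of 100 per-host allow rules plus one drop-broadcast rule, and shows the cost of leaving that rule at position 101 versus moving it to position 1; the default-drop for unmatched packets is an assumption of this demo, not something the article states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    position: int   # 1 = checked first, as in the Astaro rule list
    name: str
    src: str        # CIDR, or "any"
    dst: str        # CIDR, or "any"
    action: str     # "allow" or "drop"


def _matches(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src_ip, dst_ip):
    """First-match walk in position order; stops at the first matching rule.
    Returns (action, number_of_rules_compared). Packets matching nothing are
    dropped here by assumption; the article does not state the default."""
    compared = 0
    for rule in sorted(rules, key=lambda r: r.position):
        compared += 1
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule.action, compared
    return "drop", compared


def build_rules(broadcast_position):
    """Constructed rule base: 100 per-host allow rules, plus one 'drop broadcast'
    rule inserted at the chosen position (the choice the Position box offers)."""
    rules = [Rule(0, f"allow host {i}", f"10.0.0.{i}/32", "any", "allow")
             for i in range(1, 101)]
    rules.insert(broadcast_position - 1,
                 Rule(0, "drop broadcast", "any", "255.255.255.255/32", "drop"))
    for pos, rule in enumerate(rules, start=1):   # renumber after the insert
        rule.position = pos
    return rules


def cost(broadcast_position, src_ip, dst_ip):
    """Action and comparison count for one packet against the rule base."""
    return evaluate(build_rules(broadcast_position), src_ip, dst_ip)


if __name__ == "__main__":
    bcast = ("192.168.1.7", "255.255.255.255")   # constructed broadcast packet
    print("drop-broadcast at position 101:", cost(101, *bcast))  # ('drop', 101)
    print("drop-broadcast at position 1:  ", cost(1, *bcast))    # ('drop', 1)
    # Ordinary host traffic pays at most one extra comparison for the move.
    print("host traffic, rule at 1:", cost(1, "10.0.0.50", "10.0.0.1"))  # ('allow', 51)
```

Moving the frequently hit rule to the top cuts the broadcast lookup from 101 comparisons to 1, while every other packet pays at most one additional comparison.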


To move a drop-broadcast packet filter rule to a higher position in the packet filter rule base:

1. WebAdmin >> Network Security >> Firewall >> Edit Rule
2. Click the Position box to open the drop-down menu.
3. Choose the position in the list to which the rule will be moved.
4. The rule is now moved to the chosen position, higher in the packet filter rule base list.

If you need more information or guidance, then please contact technical support.
