Efficient Firewall Policy
ISA Server rules are evaluated in the order in which they appear in the firewall policy. The order of the rules affects not only the effective policy for your organization, but the efficiency with which the rules are evaluated. Since the first rule match ends the need to check additional rules, your firewall policy will work most efficiently if the rules that can be evaluated quickly, and are likely to result in a match, are placed near the top of the order.
For example, you may have rules that allow access to most users in your organization for requests that are very common. If you put those rules near the top of the rule order, those common requests will be evaluated quickly, without searching through the full rule base. If you can design those rules to depend on rule elements that can be evaluated quickly, such as IP addresses, rather than on more complex rule elements, such as domain name sets, you will increase the efficiency even more.
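As an added illustration, not part of the original post and not ISA Server's actual rule engine, the following Python model evaluates a constructed policy top-down with first-match semantics. Each rule carries a relative cost (cheap IP address sets versus more expensive domain name sets), the model counts hits per rule, and it shows the caveat the post hints at: moving a frequently hit rule up only saves work without changing the effective policy when it does not overlap the rules it passes. All rule names, addresses, hostnames and costs are constructed for the example.

```python
"""Toy model of ordered, first-match firewall rule evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # constructed shape: {"src": "10.0.1.7", "host": "www.example"}


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    match: Callable[[Request], bool]
    cost: int                          # relative cost of evaluating the rule's elements
    hits: int = 0


def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    """Cheap element: source address set (a prefix membership test)."""
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req["src"]) in n for n in nets)


def domain_in(domains: List[str]) -> Callable[[Request], bool]:
    """More expensive element: destination domain name set (exact name or subdomain)."""
    names = [d.lower() for d in domains]

    def match(req: Request) -> bool:
        host = req["host"].lower()
        return any(host == d or host.endswith("." + d) for d in names)
    return match


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, int]:
    """Walk the policy top-down; the first matching rule decides. Returns (action, work)."""
    work = 0
    for rule in policy:
        work += rule.cost
        if rule.match(req):
            rule.hits += 1
            return rule.action, work
    return "deny", work                # default rule: nothing matched


def run(policy: List[Rule], traffic: List[Request]) -> Tuple[List[str], int]:
    """Evaluate a traffic sample; returns the decision per request and total work done."""
    for r in policy:
        r.hits = 0
    decisions, total = [], 0
    for req in traffic:
        action, work = evaluate(policy, req)
        decisions.append(action)
        total += work
    return decisions, total


def order_by_hits(policy: List[Rule]) -> List[Rule]:
    """Naive reorder: most-hit rules first (stable sort, so ties keep their order)."""
    return sorted(policy, key=lambda r: r.hits, reverse=True)


def same_policy(a: List[Rule], b: List[Rule], traffic: List[Request]) -> bool:
    """True if both orderings decide every sampled request identically.
    This only covers cases the sample exercises; overlapping rules that the
    sample never hits can still differ, so use it as a regression check, not a proof."""
    return run(a, traffic)[0] == run(b, traffic)[0]


# Constructed policy: one domain-set deny above two disjoint IP-set allows.
deny_blocked = Rule("deny-blocked-sites", "deny", domain_in(["badsite.example"]), cost=5)
allow_partner = Rule("allow-partner-net", "allow", ip_in(["172.16.0.0/16"]), cost=1)
allow_internal = Rule("allow-internal", "allow", ip_in(["10.0.0.0/8"]), cost=1)
POLICY = [deny_blocked, allow_partner, allow_internal]

# Constructed traffic sample: mostly internal users browsing an ordinary site.
TRAFFIC = [{"src": f"10.0.1.{i}", "host": "www.example"} for i in range(1, 9)]
TRAFFIC += [{"src": "10.0.1.9", "host": "badsite.example"},
            {"src": "172.16.4.2", "host": "www.example"}]


def hit_counts() -> Dict[str, int]:
    """Per-rule hit counts for the sample, the data you would want before reordering."""
    run(POLICY, TRAFFIC)
    return {r.name: r.hits for r in POLICY}


def compare_orders() -> Tuple[int, int, bool, int, bool]:
    """Returns (original work, naive work, naive keeps policy?, safe work, safe keeps policy?)."""
    _, base_work = run(POLICY, TRAFFIC)
    naive = order_by_hits(POLICY)          # uses the hit counts from the run above
    naive_ok = same_policy(POLICY, naive, TRAFFIC)   # False: the deny rule got bypassed
    # Safe move: the two IP-set allows are disjoint, so swapping them changes no decision.
    safe = [deny_blocked, allow_internal, allow_partner]
    safe_ok = same_policy(POLICY, safe, TRAFFIC)
    return base_work, run(naive, TRAFFIC)[1], naive_ok, run(safe, TRAFFIC)[1], safe_ok


if __name__ == "__main__":
    print(hit_counts())
    print(compare_orders())
```

Sorting purely by hit count pushes the cheap, heavily used allow rule above the domain-set deny rule and makes the blocked site reachable, which is exactly the effective-policy change the post warns about; the disjoint swap keeps every decision and still reduces the work done on the common requests.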
For more tips on firewall policy, see Best Practices Firewall Policy.
Nathan Bigman
ISA Server User Education
Comments
- Anonymous, January 01, 2003
  The comment has been removed

- Anonymous, June 15, 2006
  OK, is there any way that we can programmatically determine how many hits each rule is receiving to determine the best rule order?

- Anonymous, June 29, 2006
  The comment has been removed

- Anonymous, September 15, 2006
  I am looking for instructional manuals that detail how the firewall can be used. I am looking for ways to restrict users into using only selected web sites and databases that I can add to the firewall. Do you know where I can find these instructions or do you know how to do this?
  Thanks
  alcmac@hotmail.com