Firewall Rule Order - To optimize or not to optimize

I'm an administrator for a shipboard TMG 2010 server which acts as a proxy for client workstations to interact with a shipboard router (to access external addresses). Our afloat LAN requires satellite communication, so slow connections are normal, and the current rule set is a bit of a mess in the organization department. Here is a synopsis of the setup:

  • 58 Total rules
  • ~1200 assets on our network
  • Most traffic leaves the firewall on rules 33-36
  • Server/Application specific rules are at the top of the list
  • Low priority users towards the bottom half

The question is: is it worth reshuffling the high-traffic rules higher up, above our server-specific rules, or is it best left as is?

In other words will reordering the rules have a noticeable effect?

Thanks in advance for any assistance.

June 12th, 2015 4:01am

To help TMG with the rule evaluation, you should order rules in the following way:

Most specific rules first, i.e. rules that specify the most parameters (protocol, users, source/destinations etc.) to match, which means that they are easy to evaluate.

Rules that are used very often should be higher up in the list if possible. Note that if they are less specific they should be after more specific rules.

Depending on the load on the system you may notice improvements. I've seen improvements in the processing on high-load configurations where performance has improved after moving rules further up.

Another way of optimizing is to review your rule-set and see if there are rules that could be combined or removed in order to minimize the number of rules to evaluate.

June 17th, 2015 10:55am
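As an added illustration of the ordering advice in the answer above (this is not code from the thread and does not use TMG's own API), here is a small Python model of first-match rule evaluation. TMG stops at the first rule that matches a connection, so the cost of evaluating a connection is the position of the rule that finally matches it. The script takes a constructed rule set with made-up hit counts, bubbles high-hit rules upward only past rules they cannot conflict with, reports the comparison count before and after, and then checks exhaustively that the allow/deny decision is the same for every combination of values the rules mention. The rule names, networks, user groups and hit counts are assumptions for the example.

```python
"""Reorder a first-match rule set by hit count without changing its policy.

Illustration only (not TMG code). A rule may move above another rule only if
no connection can match both, or both take the same action; anything else
would change which connections are allowed or denied.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = frozenset({"*"})  # wildcard for a match field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]        # network names; "*" = any
    destinations: FrozenSet[str]
    users: FrozenSet[str]
    hits: int                      # observed matches, e.g. from the TMG log


def fields_overlap(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    """Two field sets can match the same value iff one is a wildcard or they share an element."""
    return "*" in a or "*" in b or bool(a & b)


def rules_overlap(x: Rule, y: Rule) -> bool:
    """True if some connection could match both rules (every field overlaps)."""
    return all(fields_overlap(fa, fb) for fa, fb in (
        (x.protocols, y.protocols), (x.sources, y.sources),
        (x.destinations, y.destinations), (x.users, y.users)))


def safe_to_swap(upper: Rule, lower: Rule, keep_attribution: bool = False) -> bool:
    """Moving `lower` above `upper` keeps the policy if the rules never match the
    same connection, or if both take the same action (only the rule named in the
    log changes; forbidden when keep_attribution is set)."""
    if not rules_overlap(upper, lower):
        return True
    return upper.action == lower.action and not keep_attribution


def evaluation_cost(rules: List[Rule], unmatched_hits: int = 0) -> int:
    """Rule comparisons per day: a rule at 1-based position i costs hits*i;
    traffic falling through to the implicit default deny costs len(rules)+1."""
    cost = sum(r.hits * (i + 1) for i, r in enumerate(rules))
    return cost + unmatched_hits * (len(rules) + 1)


def optimize_order(rules: List[Rule], keep_attribution: bool = False) -> List[Rule]:
    """Bubble higher-hit rules upward by adjacent swaps, but only across rules they
    are safe to pass; the relative order of dependent rules is preserved exactly."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            upper, lower = order[i], order[i + 1]
            if lower.hits > upper.hits and safe_to_swap(upper, lower, keep_attribution):
                order[i], order[i + 1] = lower, upper
                changed = True
    return order


def first_match(rules: List[Rule], protocol: str, source: str,
                destination: str, user: str) -> Tuple[str, Optional[str]]:
    """Action and name of the first matching rule; (deny, None) for the default rule."""
    for r in rules:
        if (("*" in r.protocols or protocol in r.protocols)
                and ("*" in r.sources or source in r.sources)
                and ("*" in r.destinations or destination in r.destinations)
                and ("*" in r.users or user in r.users)):
            return r.action, r.name
    return "deny", None


def same_policy(before: List[Rule], after: List[Rule]) -> bool:
    """Exhaustive check: identical decision for every combination of values named
    in the rules plus an unnamed 'other' value per field."""
    def values(getter):
        return sorted(set().union(*(getter(r) for r in before)) - {"*"}) + ["other"]
    return all(
        first_match(before, p, s, d, u)[0] == first_match(after, p, s, d, u)[0]
        for p in values(lambda r: r.protocols) for s in values(lambda r: r.sources)
        for d in values(lambda r: r.destinations) for u in values(lambda r: r.users))


# Constructed rule set in the shape the question describes: server-specific
# rules at the top, the rules that carry most of the traffic lower down.
SAMPLE_RULES = [
    Rule("Block P2P", "deny", frozenset({"BitTorrent"}), ANY, ANY, ANY, 40),
    Rule("Mail server SMTP", "allow", frozenset({"SMTP"}), frozenset({"Internal"}), frozenset({"MailRelay"}), ANY, 300),
    Rule("Patch server HTTP", "allow", frozenset({"HTTP"}), frozenset({"Internal"}), frozenset({"Updates"}), ANY, 120),
    Rule("Deny guest web", "deny", frozenset({"HTTP", "HTTPS"}), ANY, ANY, frozenset({"Guests"}), 50),
    Rule("Crew web", "allow", frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}), ANY, frozenset({"Crew"}), 9000),
    Rule("Officers web", "allow", frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}), ANY, frozenset({"Officers"}), 2500),
]

if __name__ == "__main__":
    for strict in (False, True):
        new = optimize_order(SAMPLE_RULES, keep_attribution=strict)
        print(f"keep_attribution={strict}: {evaluation_cost(SAMPLE_RULES)} -> "
              f"{evaluation_cost(new)} comparisons, policy unchanged: {same_policy(SAMPLE_RULES, new)}")
        print("  " + " > ".join(r.name for r in new))
```

The two modes show the trade-off a practitioner faces. With the default settings the 9000-hit "Crew web" rule rises to the top because the only rule it overlaps with, "Patch server HTTP", also allows, so the decision is unchanged; the total drops from 61200 to 15870 comparisons per day. With `keep_attribution=True` that swap is refused, since connections to the update server would now be logged against the crew rule instead of the server rule, and the high-hit rule can only climb as far as the patch-server rule (38030 comparisons). In both modes "Deny guest web" can never move above "Patch server HTTP": the two overlap and take different actions, so swapping them would change what guests may reach.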

Keep in mind that if you use authentication for certain Access Rules (web-based), you might need a certain order to apply them.

June 17th, 2015 5:14pm
