Hi, we have an ASA 5510 with about 140 defined rules in the security policy.
In our company there are some complaints about the performance throughput from one network (inside) to another (dmz).
For example, we have a ecommerce platform that resides in the dmz but uses (at startup of the services only) a database that's on the inside network. When the services of these server applications are started, it takes about 1 hour and 20 minutes to load all data needed. When I connect one of these servers directly on our internal network, the startup only takes about 40 minutes. The amount of data transferred is estimated around 6 GB. The transfer is done by a Oracle client querying an Oracle database.
Is there any reason to believe that the firewall could be a bottleneck here? Too many rules?
Are some rules more cpu-intensive to handle than others?
We also have a builtin content security scanning appliance from trendmicro, but I configured the ASA to only inspect http and smtp traffic using this board.
The CPU on the firewall shows an average value of around 4% (also during the times the ecommerce applications are loading the data from the database.