
Address Objects: which is more efficient, Network vs. Range?

Regarding Address Objects, which is more efficient for a SonicWall to process? A Network object or a Range object?

For example, in the following case, which would be more efficient for the SW, speed, CPU, and memory wise?

I need to cover all the IPs between 10.5.0.1 and 10.5.35.254 in an object.

As a Range Object I could create it with a range of 10.5.0.1 to 10.5.35.254.

As a Network Object I would have to create it as 10.5.0.0/18. (Which is 10.5.0.1 - 10.5.63.254)


Secondly, if the Range and Network were the same size which would be more efficient for the SW?


Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @MichaelB the answer could probably be answered only by a SNWL engineer who did some performance tests.

    But in my logic, Network should be faster than Range, because Network needs only simple AND, OR (or XOR) operations, while Range needs to do some more math (hopefully it's not implemented in string compares ;-)).

    E.g. Range 192.168.1.0 - 192.168.3.255
    Start = 0+(1*256)+(168*256*256)+(192*256*256*256)
    End = 255+(3*256)+(168*256*256)+(192*256*256*256)
    Bitshift is faster of course
    
    if IpToCheck >= Start && IpToCheck <= End
    then IP is covered by Range Object
    

    I'm not sure if using a Network object includes the Broadcast Address as well. This is important if you have a usable "range" like 192.168.1.0-192.168.1.15. A long time ago the Access Rule with a Network object of 192.168.1.0/255.255.255.240 did not cover 192.168.1.15, so I had to use a Range.

    For 10.5.0.1 to 10.5.35.254 I wouldn't use a Network object because it's not within subnet limits.

    --Michael@BWC

  • @BWC LoL, we can only hope it's not string compares...

    I know I have found a few articles like:

    That say:

    Range:

     Range Address Objects define a range of contiguous IP addresses. No Netmask is associated with Range Address Objects, but internal logic generally treats each member of the specified range as a 32-bit masked Host object...


    But couldn't find any metrics of speed/CPU/memory on different Address Object types. Or best practices on how to achieve the best efficiency for processing those different objects.
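Added example, not part of the original thread and not SonicWall's implementation: a Python sketch of the mask test and the two-compare range test described in the first answer, plus the exact CIDR decomposition of the question's range, which shows how much a single /18 over-matches. Function names are hypothetical, and how SonicOS evaluates these objects internally is not known from this page.

```python
import ipaddress

def ip_to_int(ip):
    """Dotted quad -> 32-bit integer using shifts (same value as the Start/End sums)."""
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_network(ip, net, prefix):
    """Network-style test: AND both sides with the mask, then one compare."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)

def in_range(ip, start, end):
    """Range-style test: two integer compares."""
    return ip_to_int(start) <= ip_to_int(ip) <= ip_to_int(end)

def range_to_cidrs(start, end):
    """Smallest list of CIDR blocks that covers exactly start..end."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    return [str(b) for b in blocks]

def overcovered(start, end, prefix):
    """Addresses a /prefix network matches beyond a range that lies inside it."""
    return (1 << (32 - prefix)) - (ip_to_int(end) - ip_to_int(start) + 1)

if __name__ == "__main__":
    # Values from the question: 10.5.0.1 - 10.5.35.254 versus 10.5.0.0/18.
    start, end = "10.5.0.1", "10.5.35.254"
    cidrs = range_to_cidrs(start, end)
    print(len(cidrs), "CIDR blocks needed for an exact match:", cidrs)
    print("extra addresses matched by the /18:", overcovered(start, end, 18))
    # Constructed probe address: outside the intended range, inside the /18.
    probe = "10.5.40.7"
    print(probe, "network:", in_network(probe, "10.5.0.0", 18),
          "range:", in_range(probe, start, end))
```

For access rules the over-match matters more than the per-packet cost: any rule built on the /18 also applies to 10.5.36.0 through 10.5.63.255.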
