Performance Impact of IP Restriction Rules in Symantec Identity Security Platform (IDSP)


Article ID: 433452


Updated On:

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

As part of the migration from legacy Risk Engine platforms to the Symantec Identity Security Platform, organizations often need to replicate complex IP restriction rules. A common configuration involves checking if a user belongs to a specific LDAP group and, if so, validating their login attempt against a whitelist of client-owned IP addresses.

There is a concern regarding whether a high volume of rules (e.g., 46 lists with over 2,200 IP entries) within a single authentication policy will cause significant latency or "expensive" processing overhead, particularly for high-traffic applications.

Environment

Product: IDSP

Release : 4.0

Resolution

The short answer is: No, this configuration will not cause an unduly expensive performance hit. The Symantec Identity Security Platform uses Open Policy Agent (OPA) for policy evaluation, and OPA is designed for high-performance, sub-millisecond evaluations. Performance is not dictated by the number of rules within a single policy, but by the cumulative complexity and total number of rules across the entire environment.

Key Technical Considerations:

  • Rule Density: Having 46 rules in one policy is well within the platform's operational thresholds. OPA uses efficient data structures (like trie-based lookups for IP ranges) that allow for near-constant time evaluation regardless of the list size.

  • Throughput: Even with thousands of entries, the primary factor for latency is the resource allocation (CPU/RAM) provided to the OPA engine, not the logic of the IP comparison itself.


Validation & Monitoring Guidelines

While the logic itself is efficient, we recommend validating the environment's health post-migration to ensure the infrastructure is scaled correctly for your specific traffic volume.

1. Performance Benchmarks

A healthy policy evaluation should ideally occur in under 10ms. If your average response time exceeds this threshold, it typically indicates a resource bottleneck rather than a logic error.

2. Resource Utilization Thresholds

Monitor the OPA containers or instances for the following:

  • CPU Usage: Should remain below 60% during peak traffic.

  • Memory Usage: Should remain below 60% to avoid paging/swapping.

3. Recommended Scaling (High-Volume Environments)

For reference, environments handling over 10,000 policies of various types typically require the following resource allocation to maintain stability:

| Resource | Recommended Setting |
| --- | --- |
| CPU | 4 Cores |
| Memory | 16 GB |


Best Practices & Concerns

  • Consolidation: There are no inherent "concerns" with having many rules in one policy; however, ensure the LDAP group lookups are indexed. If the LDAP server experiences high latency during the "Group Membership" check, that latency will appear as a delay in the Risk Engine evaluation, even though the policy logic itself is fast.

  • IP Formatting: Ensure IP ranges are CIDR-notated where possible to further optimize the evaluation engine.
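The group-conditional IP restriction described in the Issue/Introduction, expressed as an OPA (Rego) policy, is shown below as an added example; it is not IDSP's own policy or schema. The input layout (`input.user.groups` holding the LDAP group DNs already resolved by the platform, `input.client_ip` holding the client address), the package name and the group DNs and CIDR blocks are all constructed for illustration. The allowlists are CIDR-notated, as the IP Formatting best practice above recommends, so each list entry is a single `net.cidr_contains` check rather than a string comparison.

```rego
package idsp.ip_restriction

import rego.v1

# Constructed example data (hypothetical DNs and RFC 5737 test ranges):
# each restricted LDAP group maps to the CIDR blocks from which its
# members may authenticate. In a real deployment a list of this size
# (46 lists / 2,200+ entries) would be loaded as an OPA data document
# rather than embedded in the policy, so the policy text stays small.
group_allowlists := {
	"cn=finance,ou=groups,dc=example,dc=com": ["198.51.100.0/24", "203.0.113.0/25"],
	"cn=contractors,ou=groups,dc=example,dc=com": ["192.0.2.0/24"],
}

default allow := false

# Groups of the authenticating user that carry an IP restriction.
# Assumes the platform has already resolved LDAP membership into
# input.user.groups (an array of group DNs) before OPA is called.
restricted_groups contains g if {
	some g in input.user.groups
	group_allowlists[g]
}

# A user in no restricted group is not subject to this rule at all.
allow if {
	count(restricted_groups) == 0
}

# Otherwise the client IP must fall inside at least one CIDR block of
# at least one of the user's restricted groups.
allow if {
	some g in restricted_groups
	some cidr in group_allowlists[g]
	net.cidr_contains(cidr, input.client_ip)
}

# Groups whose allowlist did not cover this client IP; useful to surface
# in audit logs when a login is denied, so operators can tell an IP
# restriction from an LDAP or resource problem.
blocked_by contains g if {
	some g in restricted_groups
	not ip_in_list(group_allowlists[g], input.client_ip)
}

ip_in_list(cidrs, ip) if {
	some cidr in cidrs
	net.cidr_contains(cidr, ip)
}

# Constructed example input for local evaluation with the OPA CLI:
#   input.json: {"user": {"uid": "jdoe",
#                         "groups": ["cn=finance,ou=groups,dc=example,dc=com"]},
#                "client_ip": "198.51.100.42"}
#   opa eval -d policy.rego -i input.json "data.idsp.ip_restriction"
```

Evaluating `data.idsp.ip_restriction` with `opa eval` returns `allow` together with `restricted_groups` and `blocked_by`, which is a convenient way to confirm that a migrated list behaves as intended before it carries production traffic. Because the per-entry work is one CIDR containment check, the evaluation cost of this policy grows with the number of entries in the groups the user actually belongs to, not with the total number of lists in the environment, which is consistent with the Rule Density point above; the LDAP membership resolution that produces `input.user.groups` happens outside the policy and is where the Consolidation note's latency concern applies.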