Crux 1.2.6 Config mounting delay on boot up


I’ve entered quite a big firewall group, blacklisting net scanners, up to 1k hosts in it:

sh fire group address-group | wc -l


and realized that the config became too big for smooth mounting. It takes about 5 minutes stacking on mounting on a bare metal host with 2G RAM. Despite that, frankly, it says “Mounting…done” before “Configuration success”. What if I enter over 5K records, or several network groups? Is it OK and behaving as expected, or am I breaking good firewall practice with such a clumsy straight blocking approach?


VyOS does tend to slow down if you’re adding thousands and thousands of lines of config. If you need to add heaps and heaps of hosts, you are much better off using empty “network-groups” and then populating them via the CLI using some other method.

The disadvantage of this, of course, is that “show configuration” won’t reflect everything in your config.

Anyway, an example of what I mean is available here. I use this script to block incoming traffic if it’s in known blacklists. When I do a “show config” on my router I don’t see the IPs in the list though; I have to look at the ipset command to see what’s actually being blocked.

Hope this helps.
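
The approach described in the answer above, as an added example (this is not the script the poster linked to): a shell helper that turns a blocklist feed into `ipset restore` input for a group that stays empty in the config. It goes slightly beyond the post by validating entries, rejecting overly wide prefixes, and swapping the set in atomically. The group name `BLACKLIST`, the `MIN_PREFIX` limit, and the set type `hash:net` with the same name as the group are assumptions.

```shell
#!/bin/sh
# Added example: turn a blocklist feed into an `ipset restore` script.
# Assumptions: GROUP is a hypothetical, empty network-group from the config,
# backed by an ipset of the same name with type hash:net.
GROUP="${GROUP:-BLACKLIST}"
MIN_PREFIX="${MIN_PREFIX:-8}"   # refuse anything wider, e.g. 0.0.0.0/0

# Read a feed on stdin; print valid, de-duplicated IPv4 hosts and CIDRs.
clean_feed() {
    awk -v min="$MIN_PREFIX" '
    { sub(/[#;].*/, ""); gsub(/[ \t\r]/, "") }   # drop comments and blanks
    $0 == "" { next }
    {
        n = split($0, p, "/")
        if (n > 2) next
        if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32 || p[2] + 0 < min + 0)) next
        if (split(p[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (!seen[$0]++) print
    }'
}

# Emit restore commands: fill a scratch set, then swap it in atomically so
# the live set is never half-populated while packets are being matched.
gen_restore() {
    tmp="${GROUP}-tmp"
    echo "create $tmp hash:net family inet -exist"
    echo "flush $tmp"
    clean_feed | sed "s/^/add $tmp /"
    echo "swap $tmp $GROUP"
    echo "destroy $tmp"
}

# Usage on the router (feed file path is the first argument):
#   sh this-script.sh feed.txt | sudo ipset restore
if [ $# -gt 0 ]; then
    gen_restore < "$1"
fi
```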

Well, thank you, very useful advice.