I am working with a client who has a FW-1 NG configured with 1100+ NAT rules and 1400+ access rules. They have done extensive testing to verify whether the number of rules they have implemented has a performance impact (it seems not to), but I am trying to explain to them that the sheer number of rules leads to a security problem: it is all but impossible to determine what the firewall is actually allowing/blocking with so many rules.
Is anybody aware of any type of "official" document that supports my conjecture, that many rules will run but the security policy is difficult to validate?
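The validation problem the post describes (an ordered, first-match rulebase so large that nobody can say which rules are live) can be made concrete with a pairwise anomaly check. The script below is an added example written for this page, not code from the original poster or from Check Point; it assumes a simplified rule model (source CIDR, destination CIDR, protocol, destination port range, action, first match wins, implicit drop at the end, no NAT) and a constructed seven-rule policy. It reports the usual anomaly classes between rule pairs (shadowing, redundancy, generalization, correlation), lists rules that can never match, and answers "what does the firewall do with this packet" by walking the rulebase in order.

```python
"""Anomaly checker for an ordered, first-match firewall rulebase (illustrative example)."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Rule:
    num: int
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "accept" or "drop"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and (a.proto == "any" or a.proto == b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def _overlaps(a, b):
    """True if at least one packet is matched by both rules."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def find_anomalies(rules):
    """Return (kind, earlier_rule_num, later_rule_num) for every anomalous pair."""
    found = []
    for a, b in combinations(rules, 2):  # a always precedes b in the rulebase
        if _covers(a, b):
            # b can never match: an error if actions differ, dead weight if they agree
            found.append(("redundant" if a.action == b.action else "shadowed", a.num, b.num))
        elif _covers(b, a):
            if a.action != b.action:
                found.append(("generalization", a.num, b.num))  # a is an exception to b
        elif _overlaps(a, b) and a.action != b.action:
            found.append(("correlated", a.num, b.num))  # order decides the outcome
    return found


def unreachable(rules):
    """Rule numbers fully covered by some earlier rule, i.e. rules that never fire."""
    dead = []
    for i, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:i]):
            dead.append(later.num)
    return dead


def first_match(rules, src_ip, dst_ip, proto, port):
    """Walk the rulebase in order; None means the implicit cleanup drop applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in _net(r.src) and d in _net(r.dst)
                and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r
    return None


# Constructed sample policy (not a real customer rulebase).
RULES = [
    Rule(1, "10.1.0.0/16", "192.168.5.10/32", "tcp", (443, 443), "accept"),
    Rule(2, "10.1.0.0/16", "192.168.5.0/24", "any", (0, 65535), "drop"),
    Rule(3, "10.1.2.0/24", "192.168.5.10/32", "tcp", (22, 22), "accept"),     # shadowed by 2
    Rule(4, "10.1.0.0/16", "192.168.5.10/32", "tcp", (443, 443), "accept"),   # duplicate of 1
    Rule(5, "10.0.0.0/8", "192.168.5.0/24", "tcp", (1, 1024), "drop"),        # broader than 1, 3, 4
    Rule(6, "10.2.0.0/16", "192.168.0.0/16", "udp", (53, 53), "accept"),
    Rule(7, "10.1.0.0/16", "192.168.0.0/16", "tcp", (8000, 9000), "accept"),  # partly conflicts with 2
]

if __name__ == "__main__":
    for kind, earlier, later in find_anomalies(RULES):
        print(f"{kind:14s} rule {earlier} vs rule {later}")
    print("never match:", unreachable(RULES))
    hit = first_match(RULES, "10.1.2.5", "192.168.5.10", "tcp", 22)
    print("10.1.2.5 -> 192.168.5.10 tcp/22 hits rule", hit.num if hit else "cleanup")
```

Even on seven rules the output takes a moment to reason about by hand; on 1400 access rules the pairwise check is the only practical way to find the dead and conflicting entries, and it still says nothing about NAT rules that rewrite addresses before the access policy is consulted.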