Packet Flow across the firewall
19 years 6 months ago #8363
by Dhruv
Packet Flow across the firewall was created by Dhruv
Hi guys...
I'm new to the Check Point firewall and I want to know how the packet is treated when it reaches the EM and what things are checked, in which order.
I've worked with the NS firewall, and in that the packet flow is in the order below:
1. Existing session lookup.
2. Policies related to Static Mapping
3. Routing
4. Policies
Of course the Check Point firewall must also have such a packet flow... so can anyone tell me what the order of checking is?
Regards,
Dhruv
19 years 6 months ago #8365
by TheBishop
Replied by TheBishop on topic Checkpoint
I've just been on the Checkpoint Admin course and have a diagram in the book that explains this completely. The snag is that the book is at home! I'll bring it into work and post the details next week
19 years 6 months ago #8487
by TheBishop
Replied by TheBishop on topic Packet Flow
Okay, TheBishop comes good at last...
Here's the description of packet flow through the inspection engine as taken from the Firewall-1 training course:
1) Packet comes in
2) Address spoofed? If yes, discard
3) Apply any NAT transformation
4) IP options flags set? If yes, discard
5) Does packet match first rule?
- if yes, do what rule says then move on to consider next packet
- if no, move on to next rule
6) If no more rules left, discard the packet
Notes:
a) Although NAT generally occurs at step 3) as shown, you can configure it to happen last of all, after the packet has been processed through the rules. If you do that, it will have to pass through the rules again to see if they allow the new packet to be output. Most people don't set it up this way as it's confusing and harder to work with
b) Note that there are user defined rules and implicit or hidden rules created by the firewall. It is the entire rulebase, which includes both, that is checked from absolute top to absolute bottom
c) Order of rules in the rulebase makes all the difference
d) The firewall can discard (silently drop) or reject (send back an ICMP rejection)
e) There is an implied (you can't see it anywhere, but it exists) 'drop all' "rule" at the end of the rulebase. But most people create their own explicit "real" rule for this because you can't log from the implied rule
Hope that helps!
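The six steps and the notes above can be turned into a small simulator, which makes two of the points concrete: rules are matched top to bottom against whatever address the packet carries when it reaches the rulebase (so with NAT done first, note a), the rule has to name the translated address), and a packet that falls off the end hits an implied drop that cannot log, which is why people add an explicit cleanup rule (note e). This is an added example written for this thread, not Check Point code or anything from the course book; the interfaces, networks, static NAT mapping and rules are all constructed, and which stages log is assumed except for the implied rule, which the thread says cannot log.

```python
"""Toy model of the packet flow described in the thread (added example):
anti-spoofing -> NAT -> IP-options check -> top-down rulebase -> implied drop."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    ip_options: bool = False   # step 4: IP options set -> discard


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dport: Optional[int]       # None = any port
    action: str                # "accept", "drop" (silent) or "reject" (ICMP back)
    log: bool = True


@dataclass(frozen=True)
class Verdict:
    action: str
    stage: str                 # which step decided: spoof, options, rule, implied
    rule: Optional[str]
    logged: bool


# Constructed topology for the anti-spoofing check: eth1 is internal, eth0 is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
IFACE_NETS = {"eth1": INTERNAL_NETS}

# Constructed static NAT: public address -> internal server.
STATIC_NAT = {"203.0.113.10": "10.0.0.5"}


def is_spoofed(pkt: Packet) -> bool:
    """Step 2: the source address cannot legitimately arrive on this interface."""
    src = ip_address(pkt.src)
    if pkt.in_iface in IFACE_NETS:
        return not any(src in net for net in IFACE_NETS[pkt.in_iface])
    # External interface: an internal address must never appear as the source.
    return any(src in net for net in INTERNAL_NETS)


def apply_nat(pkt: Packet) -> Packet:
    """Step 3: rewrite the destination if a static mapping exists."""
    if pkt.dst in STATIC_NAT:
        return replace(pkt, dst=STATIC_NAT[pkt.dst])
    return pkt


def _in(field: str, addr: str) -> bool:
    return field == "any" or ip_address(addr) in ip_network(field)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Step 5: walk the whole rulebase top to bottom; the first match wins."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def inspect(pkt: Packet, rules: List[Rule], nat_before_rules: bool = True) -> Verdict:
    if is_spoofed(pkt):
        return Verdict("drop", "spoof", None, True)      # logging here is assumed
    if nat_before_rules:
        pkt = apply_nat(pkt)
    if pkt.ip_options:
        return Verdict("drop", "options", None, True)    # logging here is assumed
    rule = first_match(rules, pkt)
    if rule is None:
        # Step 6 / note e: the implied 'drop all' at the end cannot log.
        return Verdict("drop", "implied", None, False)
    if rule.action != "accept":
        return Verdict(rule.action, "rule", rule.name, rule.log)
    if not nat_before_rules:
        translated = apply_nat(pkt)
        if translated != pkt:
            # Note a: with NAT last, the translated packet goes through the rules again.
            again = first_match(rules, translated)
            if again is None:
                return Verdict("drop", "implied", None, False)
            if again.action != "accept":
                return Verdict(again.action, "rule", again.name, again.log)
    return Verdict("accept", "rule", rule.name, rule.log)


# Constructed rulebase; 'cleanup' is the explicit, loggable drop-all from note e.
RULES = [
    Rule("allow-https-to-server", "any", "10.0.0.5/32", 443, "accept"),
    Rule("reject-telnet", "any", "any", 23, "reject"),
    Rule("cleanup", "any", "any", None, "drop"),
]

if __name__ == "__main__":
    web = Packet("198.51.100.7", "203.0.113.10", 443, "eth0")
    print("NAT first :", inspect(web, RULES))
    print("NAT last  :", inspect(web, RULES, nat_before_rules=False))
    print("no cleanup:", inspect(replace(web, dport=80), RULES[:-1]))
```

Running it shows the same HTTPS packet accepted when NAT runs first (the rule names the internal 10.0.0.5) but dropped by the cleanup rule when NAT runs last, because the rulebase then sees the untranslated 203.0.113.10; and with the cleanup rule removed, the unmatched packet is still dropped, only now by the implied rule with nothing logged.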
19 years 6 months ago #8503
by xxradar
Replied by xxradar on topic CheckPoint packet flow
Hi guys,
the explanation in the Check Point book is not totally correct, or at least a very simplistic explanation. I've worked for years with the product and made some slides myself. www.radarhack.com/dir/checkpoint
If you get used to the "fw monitor" command you can easily understand how everything works. You can dump the output of fw monitor into a file with the -o switch. Then you can read it with ethereal or fwethereal (somewhere on the publicly accessible Check Point website)....
Hope the info is useful.
xxradar
19 years 6 months ago #8514
by TheBishop
Replied by TheBishop on topic Checkpoint
xxradar, thanks for making those files available, there is some meaty info in there which I will have a chew on. The info I posted is straight out of the book that you get when you go on the Checkpoint Firewall Admin-1 course. Always goes to show there is more to every subject than the bits they tell you about...