TOPIC: Packet Flow across the firewall

Packet Flow across the firewall 11 years 6 months ago #8363

  • Dhruv
Hi guys...
I'm new to the Checkpoint firewall and I want to know how the packet is treated when it reaches the EM, and what things are checked in which order.

I've worked with NS firewall and in that the packet flow is in the below mentioned order:
1. Existing session lookup.
2. Policies related to Static Mapping
3. Routing
4. Policies

Of course the Checkpoint firewall must also have such a packet flow... so can anyone tell me what the order of checking is?

Regards,
Dhruv

Checkpoint 11 years 6 months ago #8365

  • TheBishop
I've just been on the Checkpoint Admin course and have a diagram in the book that explains this completely. The snag is that the book is at home! I'll bring it into work and post the details next week

Book 11 years 6 months ago #8464

  • TheBishop
Aarrgh! I'm back in the office but I forgot the book again. Must be something to do with age...
Will try to remember tomorrow

Packet Flow 11 years 6 months ago #8487

  • TheBishop
Okay, TheBishop comes good at last...
Here's the description of packet flow through the inspection engine as taken from the Firewall-1 training course:

1) Packet comes in
2) Address spoofed? If yes, discard
3) Apply any NAT transformation
4) IP options flags set? If yes, discard
5) Does packet match first rule?
- if yes, do what rule says then move on to consider next packet
- if no, move on to next rule
6) If no more rules left, discard the packet

Notes:
a) Although NAT generally occurs at step 3) as shown, you can configure it to happen last of all, after the packet has been processed through the rules. If you do that, it will have to pass through the rules again to see if they allow the new packet to be output. Most people don't set it up this way as it's confusing and harder to work with
b) Note that there are user defined rules and implicit or hidden rules created by the firewall. It is the entire rulebase, which includes both, that is checked from absolute top to absolute bottom
c) Order of rules in the rulebase makes all the difference
d) The firewall can discard (silently drop) or reject (send back an ICMP rejection)
e) There is an implied (can't see it anywhere but it exists) 'drop all' "rule" at the end of the rulebase. But most people create their own explicit "real" rule for this because you can't log from the implied rule

Hope that helps!
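
A small model of steps 1) to 6) and notes c) and e) from the post above, added here as an illustration; it is not part of the original post and it is not Check Point code. The networks, the NAT map, the rule names and the `inspect` function are all constructed for the example, and the step order simply follows the list as posted.

```python
import ipaddress
from typing import NamedTuple, Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed topology
STATIC_NAT = {"203.0.113.10": "10.0.0.10"}         # constructed public -> private map

class Packet(NamedTuple):
    iface: str                 # "internal" or "external"
    src: str
    dst: str
    dport: int
    ip_options: bool = False

class Rule(NamedTuple):
    name: str
    src: str                   # CIDR
    dst: str                   # CIDR
    dport: Optional[int]       # None matches any port
    action: str                # "accept", "drop" (silent) or "reject"
    log: bool = False

def inspect(pkt, rulebase):
    """Return (action, decided_by, logged) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    # Step 2: the source address must belong to the side the packet arrived on.
    if (src in INTERNAL_NET) != (pkt.iface == "internal"):
        return ("drop", "anti-spoofing", None)  # logging here is not covered by the post
    # Step 3: NAT before the rules, so the rules see the translated address.
    dst = ipaddress.ip_address(STATIC_NAT.get(pkt.dst, pkt.dst))
    # Step 4: discard packets carrying IP options.
    if pkt.ip_options:
        return ("drop", "ip-options", None)
    # Step 5: top to bottom, the first matching rule decides (note c).
    for r in rulebase:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.dport in (None, pkt.dport)):
            return (r.action, r.name, r.log)
    # Step 6: implied drop at the end of the rulebase; it cannot log (note e).
    return ("drop", "implied-drop", False)

# Constructed rules and packets.
ALLOW_SRV = Rule("allow-server", "0.0.0.0/0", "10.0.0.10/32", None, "accept", log=True)
NO_TELNET = Rule("no-telnet", "0.0.0.0/0", "0.0.0.0/0", 23, "reject", log=True)
CLEANUP = Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", None, "drop", log=True)
TELNET = Packet("external", "198.51.100.7", "203.0.113.10", 23)
STRAY = Packet("external", "198.51.100.7", "203.0.113.99", 8080)

if __name__ == "__main__":
    for rb in ([ALLOW_SRV, NO_TELNET], [NO_TELNET, ALLOW_SRV], [NO_TELNET, CLEANUP]):
        print([r.name for r in rb], inspect(TELNET, rb), inspect(STRAY, rb))
```

The same two rules give opposite verdicts for the Telnet packet depending on their order, and the stray packet only produces a log entry once an explicit cleanup rule sits above the implied drop.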

CheckPoint packet flow 11 years 6 months ago #8503

  • xxradar
Hi guys,
the explanation in the Check Point book is not totally correct, or at least a very simplistic explanation. I've worked for years with the product and made some slides myself. www.radarhack.com/dir/checkpoint

If you get used to the "fw monitor" command you can easily understand how everything works. You can dump the output of fw monitor into a file with the -o switch. Then you can read it with ethereal or fwethereal (somewhere on the publicly accessible Check Point website)....

Hope the info is useful.
xxradar

Checkpoint 11 years 6 months ago #8514

  • TheBishop
xxradar, thanks for making those files available, there is some meaty info in there which I will have a chew on. The info I posted is straight out of the book that you get when you go on the Checkpoint Firewall Admin-1 course. Always goes to show there is more to every subject than the bits they tell you about...