Re: Rule processing order
kj1978, 2008-05-02

Barry,

Many thanks for your reply.

I tend to think that the following processing order is correct:

1. Anti-spoofing checks
2. "First" implicit rules
3. Explicit rules (except for the final rule)
4. "Before last" implicit rules
5. Last explicit rule (cleanup rule)
6. "Last" implicit rule
7. Network address translation

From practical experience, the reason for this is as follows:

I have a host 10.1.1.1 which needs to talk to a host 203.90.1.1 over the internet.

In the Check Point rulebase, I have the following:

Source      Destination   Service      Install On
10.1.1.1    203.90.1.1    http/https   gateway

In the NAT rulebase, I have the following:

Original Packet                          Translated Packet
Source      Destination   Service        Source      Destination   Install On
10.1.1.1    203.90.1.1    any            57.67.2.1   203.90.1.1    gateway

This is working fine for me, and hence, based on this, it seems obvious that explicit and/or implicit rules are being processed before NAT rules.

Let me know what you think? If you are aware of any scenarios where NAT rules are processed before implicit/explicit rules, please do let me know.

Thanks again for your time.

Regards
KJ
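The ordering the post lists, as an added toy model (not Check Point code and not the poster's): the packet is matched against the security rulebases on its original addresses first, and the NAT rulebase is consulted only for traffic the policy has already accepted, so a service the NAT rule would translate ("any") is still dropped by the cleanup rule. The interface topology and the empty implicit rulebases are constructed assumptions.

```python
"""Toy model of the processing order listed in the post: anti-spoofing, the
security rulebases in order (first implicit, explicit, before-last implicit,
cleanup, last implicit), and only then NAT. Added example, not vendor code."""
from ipaddress import ip_address, ip_network

# Constructed: the internal interface owns 10.1.1.0/24, so a packet arriving
# on it with any other source address fails anti-spoofing.
INTERFACE_NETS = {"internal": [ip_network("10.1.1.0/24")]}

# A rule is (source, destination, services, action); "any" matches everything.
EXPLICIT = [("10.1.1.1", "203.90.1.1", {"http", "https"}, "accept")]
CLEANUP = [("any", "any", {"any"}, "drop")]
# Implicit rulebases are left empty (assumption) but keep their slots in the order.
PHASES = [("first implicit", []), ("explicit", EXPLICIT),
          ("before-last implicit", []), ("cleanup", CLEANUP),
          ("last implicit", [])]

# NAT rulebase from the post: (orig src, orig dst, services) -> (xlated src, xlated dst).
NAT_RULES = [(("10.1.1.1", "203.90.1.1", {"any"}), ("57.67.2.1", "203.90.1.1"))]

def _matches(rule, src, dst, service):
    r_src, r_dst, r_svcs = rule[:3]
    return (r_src in ("any", src) and r_dst in ("any", dst)
            and ("any" in r_svcs or service in r_svcs))

def _first_match(src, dst, service):
    """Walk the security rulebases in order; the first matching rule decides."""
    for phase, rules in PHASES:
        for rule in rules:
            if _matches(rule, src, dst, service):
                return phase, rule[3]
    return "no rule", "drop"

def process(src, dst, service, in_iface="internal"):
    """Return (action, deciding phase, translated src, translated dst)."""
    # 1. Anti-spoofing: the source must belong to the arriving interface.
    if not any(ip_address(src) in net for net in INTERFACE_NETS[in_iface]):
        return ("drop", "anti-spoofing", src, dst)
    # 2-6. Security policy is evaluated on the ORIGINAL (pre-NAT) addresses.
    phase, action = _first_match(src, dst, service)
    if action != "accept":
        return (action, phase, src, dst)
    # 7. NAT is consulted only for traffic the policy has already accepted.
    for orig, (t_src, t_dst) in NAT_RULES:
        if _matches(orig, src, dst, service):
            return (action, phase, t_src, t_dst)
    return (action, phase, src, dst)
```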