CPUG

The Check Point User Group

#1
kj1978
Junior Member
Join Date: 2005-10-13
Posts: 4
Rule processing order

Hi Guys,

I am a bit confused with the way rule processing works on the firewall.

The CCSA Exam Cram 2 book says that rule processing works as below:

1. Anti-spoofing checks
2. "First" implicit rules
3. Explicit rules (except for the final rule)
4. "Before last" implicit rules
5. Last explicit rule (cleanup rule)
6. "Last" implicit rule
7. Network address translation

If I look at the Check Point courseware, it shows rule processing as follows:

1. Network address translation
2. Anti-spoofing checks
3. "First" implicit rules
4. Explicit rules (except for the final rule)
5. "Before last" implicit rules
6. Last explicit rule (cleanup rule)
7. "Last" implicit rule

Can anyone advise what the correct order of rule base processing is, and whether NAT is checked after the explicit rules or before the explicit rules?

Thanks
KJ
#2
BarryStiefel
Administrator
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 505
Re: Rule processing order

Quote: Originally Posted by kj1978
It's more complicated than that. Remember that the firewall checks traffic on all interfaces, both inbound and outbound, so you have to consider what happens on both network stacks.

Consider:

1. Anti-spoofing makes decisions based upon source IP address.

2. Routing makes decisions based upon destination IP address.

3. The rulebase makes decisions based partially upon both source and destination IP address.

4. NAT can change both source and destination IP address.

Therefore, there can be some complex interactions, and the order of the operations matters.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
#3
kj1978
Junior Member
Join Date: 2005-10-13
Posts: 4
Re: Rule processing order

Barry,

Many thanks for your reply.

I tend to think that the following processing order is correct:

1. Anti-spoofing checks
2. "First" implicit rules
3. Explicit rules (except for the final rule)
4. "Before last" implicit rules
5. Last explicit rule (cleanup rule)
6. "Last" implicit rule
7. Network address translation

From practical experience, the reason for this is as follows:

I have a host 10.1.1.1 which needs to talk to a host 203.90.1.1 over the Internet.

In the Check Point rulebase, I have the following:

Source     Destination   Service      Install On
10.1.1.1   203.90.1.1    http/https   gateway

In the NAT rulebase I have the following:

Original Packet                        Translated Packet
Source     Destination   Service       Source       Destination   Install On
10.1.1.1   203.90.1.1    any           57.67.2.1    203.90.1.1    gateway

This is working fine for me, and hence, based on this, it seems obvious that explicit and/or implicit rules are being processed before NAT rules.

Let me know what you think. If you are aware of any scenarios where NAT rules are processed before implicit/explicit rules, please do let me know.

Thanks again for your time.

Regards
KJ
#4
BarryStiefel
Administrator
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 505
Re: Rule processing order
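A small Python model of the pipeline debated in posts #2 and #3 (an added example, not code from the thread or from Check Point): it runs KJ's security rule, cleanup rule and manual NAT rule through the three stage orders under discussion, with a constructed topology for anti-spoofing, and shows why the configuration in post #3 can only work if anti-spoofing and the rulebase see the pre-NAT addresses. The interface names and the 10.1.1.0/24 topology are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str  # "internal" or "external"

# Constructed topology for anti-spoofing: 10.1.1.0/24 sits behind "internal", anything else only on "external".
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]
# Security rulebase from post #3: one explicit accept rule, then the cleanup rule.
SECURITY_RULES = [
    {"src": "10.1.1.1", "dst": "203.90.1.1", "ports": (80, 443), "action": "accept"},
    {"src": "any", "dst": "any", "ports": None, "action": "drop"},
]
# Manual NAT rule from post #3: 10.1.1.1 leaves as 57.67.2.1 when talking to 203.90.1.1.
NAT_RULES = [{"orig_src": "10.1.1.1", "orig_dst": "203.90.1.1", "xlate_src": "57.67.2.1", "xlate_dst": "203.90.1.1"}]

def anti_spoof(pkt):
    """Source must belong to the network the inbound interface is expected to see."""
    inside = any(ipaddress.ip_address(pkt.src) in n for n in INTERNAL_NETS)
    return inside if pkt.in_iface == "internal" else not inside

def match_rules(pkt):
    """First-match, top-down evaluation of the security rulebase."""
    for rule in SECURITY_RULES:
        if rule["src"] not in ("any", pkt.src) or rule["dst"] not in ("any", pkt.dst):
            continue
        if rule["ports"] is not None and pkt.dport not in rule["ports"]:
            continue
        return rule["action"]
    return "drop"

def apply_nat(pkt):
    """Rewrite addresses if a NAT rule matches the packet as it currently looks."""
    for rule in NAT_RULES:
        if pkt.src == rule["orig_src"] and pkt.dst == rule["orig_dst"]:
            return replace(pkt, src=rule["xlate_src"], dst=rule["xlate_dst"])
    return pkt

def process(pkt, order):
    """Run the stages in the given order; return (verdict, packet as it leaves the gateway)."""
    for stage in order:
        if stage == "spoof" and not anti_spoof(pkt):
            return "drop (anti-spoofing)", pkt
        if stage == "rules" and match_rules(pkt) != "accept":
            return "drop (cleanup rule)", pkt
        if stage == "nat":
            pkt = apply_nat(pkt)
    return "accept", pkt
```

With rules before NAT the packet is accepted and leaves as 57.67.2.1; with NAT before the rulebase the explicit rule no longer matches and the cleanup rule drops it, and with NAT before anti-spoofing the translated source fails the check on the internal interface.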

Quote: Originally Posted by kj1978
When it comes to NAT, there are some special things to consider, including:

1. Automatic and Manual NAT rules can behave differently.

2. Different versions of Firewall-1/VPN-1 over the years have different default ways of handling NAT (that whole thing about "translate destination on the client side"), so it matters if you've done a fresh installation or merely upgraded over the years.

3. There may or may not still be some configurations where NAT (Static, Manual?) may have some weirdness with Anti-Spoof checking.

I'll bet that in the current CCSE+ student handbook or in the manuals (particularly about FW Monitor) you could nail down the definitive answer.

I may research it and get it totally figured out for a presentation at our next conference.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG