CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Packet Flow in Checkpoint Firewall

  1. #1
    Join Date
    2011-05-16
    Posts
    1
    Rep Power
    0

    Default Packet Flow in Checkpoint Firewall

    Dear All,

    I need experts' advice to know the proper packet flow in Checkpoint Firewall.

    There is a controversy in books and in experience shared by experts regarding packet flow.

    Need your urgent comments; please share your views with examples also.

    Thanks in Advance.

  2. #2
    Join Date
    2013-01-12
    Location
    Slovakia
    Posts
    3
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    packet in -> antispoofing -> rule base (connection table) -> NAT for destination -> routing -> NAT for source -> (NATted) packet out

  3. #3
    Join Date
    2012-02-06
    Posts
    29
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    In addition you can use fw monitor -e "host(put_your_IP_here),accept;"

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by taganrog View Post
    In addition you can use fw monitor -e "host(put_your_IP_here),accept;"
    Running this basic fw monitor will show you the 4 primary points, iIoO (pre-inbound, post-Inbound, pre-outbound, post-Outbound).

    For the full firewall chain (which can differ based on what blades are active), you can run the following fw monitor:

    fw monitor -p all -e "accept host (<HOSTIP>);"

    EDIT:
    Alternatively, to view the entire chain WITHOUT running an fw monitor, use the following command:
    fw ctl chain
    Last edited by jdmoore0883; 2015-03-11 at 12:12. Reason: additional command

  5. #5
    Join Date
    2012-02-06
    Posts
    29
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    Indeed, I didn't mention the -p flag because it depends on TS needs. The -p flag will show all steps while passing through the GW.

  6. #6
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    605
    Rep Power
    4

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by jdmoore0883 View Post
    Running this basic fw monitor will show you the 4 primary points, iIoO (pre-inbound, post-Inbound, pre-outbound, post-Outbound).

    For the full firewall chain (which can differ based on what blades are active), you can run the following fw monitor:

    fw monitor -p all -e "accept host (<HOSTIP>);"

    EDIT:
    Alternatively, to view the entire chain WITHOUT running an fw monitor, use the following command:
    fw ctl chain
    What about UDP traffic, is that also shown on fw monitor -p? I noticed that fw monitor without the -p argument shows NAT for the ICMP protocol but "forgets to show" it for UDP. Any hints?

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,033
    Rep Power
    12

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by laf_c View Post
    What about UDP traffic, is that also shown on fw monitor -p? I noticed that fw monitor without the -p argument shows NAT for the ICMP protocol but "forgets to show" it for UDP. Any hints?
    fw monitor will only show UDP traffic being processed in the Firewall Path; I suspect your UDP traffic is being handled exclusively in the Accelerated Path by the SecureXL driver or in the Medium Path. If you disable SecureXL (fwaccel off), do the UDP packets show up in fw monitor now? Keep in mind that disabling SecureXL on a production machine can cripple its performance if it is very busy.
    Last edited by ShadowPeak.com; 2015-03-17 at 21:46.

  8. #8
    Join Date
    2015-04-20
    Posts
    15
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    Is there any answer which is simple to understand? Maybe with a diagram?

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,033
    Rep Power
    12

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by vin28761 View Post
    Is there any answer which is simple to understand? Maybe with a diagram?
    How about this one from my book?

    [Attached image: CheckPoint_Processing_Paths.jpg]
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  10. #10
    Join Date
    2015-04-20
    Posts
    15
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by ShadowPeak.com View Post
    How about this one from my book?

    [Attached image: CheckPoint_Processing_Paths.jpg]
    Diagram looks nice. Being a novice, I am unable to relate much to it unless it is backed up by some explanation.

  11. #11
    Join Date
    2015-04-20
    Posts
    15
    Rep Power
    0

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by vin28761 View Post
    Diagram looks nice. Being a novice, I am unable to relate much to it unless it is backed up by some explanation.
    Can you please share some document which explains things mentioned in your diagram?

  12. #12
    Join Date
    2006-07-28
    Location
    New Zealand
    Posts
    2,466
    Rep Power
    14

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by vin28761 View Post
    Can you please share some document which explains things mentioned in your diagram?
    Maybe you should buy his book?

  13. #13
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,033
    Rep Power
    12

    Default Re: Packet Flow in Checkpoint Firewall

    Quote Originally Posted by northlandboy View Post
    Maybe you should buy his book?
    The book does get into packet flow internals to some degree, but strictly from a performance tuning perspective. To quickly summarize, there are three firewall processing paths, in order of increasing CPU processing overhead: Accelerated (SecureXL), Medium (PXL), and Firewall (F2F). The command "fwaccel stats -s" can give you an idea of how much traffic is being handled in each path. In general, it is desirable to have traffic handled in the fastest inspection path possible; this can be dramatically affected by tuning adjustments detailed in the book. However, depending on what firewall features are enabled, some traffic simply cannot be promoted into a faster path via tuning adjustments. In that case, a secondary tuning goal is to reduce the amount of CPU processing overhead in a particular path as much as possible. One other key point of the diagram is that the Accelerated Path is handled on CPU cores designated for SND/IRQ/dispatcher operations, while the Medium and Firewall Paths are handled on the Firewall Worker cores.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
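
Added example, not part of the thread and not Check Point's own tooling: shell functions that turn `fwaccel stats -s` text into the packet share of each path named in post #13 (Accelerated, Medium/PXL, Firewall/F2F), and the share that fw monitor would show according to post #7. The sample output layout and its counters are constructed assumptions modelled on R77-era output, and `sample_stats`, `path_share` and `fw_monitor_visible_pct` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; not from the thread or from Check Point.

# Constructed sample input. The layout is an assumption modelled on
# R77-era "fwaccel stats -s" output; the counters are made up.
sample_stats() {
    cat <<'EOF'
Accelerated conns/Total conns : 1200/4800 (25%)
Accelerated pkts/Total pkts   : 610000/1000000 (61%)
F2Fed pkts/Total pkts         : 290000/1000000 (29%)
PXL pkts/Total pkts           : 100000/1000000 (10%)
QXL pkts/Total pkts           : 0/1000000 (0%)
EOF
}

# Read "fwaccel stats -s" text on stdin and print the packet share of each
# path, recomputed from the raw counters. Exits 2 if a path line is missing
# (for example, a release that prints a different layout).
path_share() {
    awk -F'[:/(]' '
        function pct(n, d) { n += 0; d += 0; return d > 0 ? int(n * 100 / d + 0.5) : 0 }
        /^Accelerated pkts/ { acc = pct($3, $4); seen++ }
        /^PXL pkts/         { pxl = pct($3, $4); seen++ }
        /^F2Fed pkts/       { f2f = pct($3, $4); seen++ }
        END {
            if (seen != 3) exit 2
            printf "accelerated=%d medium=%d firewall=%d\n", acc, pxl, f2f
        }'
}

# Share of packets in the Firewall Path, the only path post #7 says
# fw monitor shows while SecureXL is on.
fw_monitor_visible_pct() {
    path_share | sed -n 's/.*firewall=\([0-9]*\).*/\1/p'
}

# On a gateway: fwaccel stats -s | path_share
# Offline, using the constructed sample:
sample_stats | path_share
echo "fw monitor would see roughly $(sample_stats | fw_monitor_visible_pct)% of packets"
```

A low Firewall Path share before a capture means an empty fw monitor result says little about whether the traffic actually crossed the gateway.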

  14. #14
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,033
    Rep Power
    12

    Default Re: Packet Flow in Checkpoint Firewall

    Check Point has created some great documents explaining packet flows for R77 gateway here:

    sk116255: Check Point Security Gateway Architecture and Packet Flow
    Doesn't appear to be an equivalent document for R80.10 gateway just yet...
    Last edited by ShadowPeak.com; 2 Weeks Ago at 18:02.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
