CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Thread: Check Point firewall flow

  1. #1
    Join Date
    2017-05-30
    Posts
    4
    Rep Power
    0

    Default Check Point firewall flow

    Hello guys,

    I wonder if there is any good guide on how the firewall traffic flows in the Check Point firewall.
    Like in a Juniper SRX you can easily follow the flow with this flow chart:
    https://www.tunnelsup.com/images/jun...acket-flow.png

    Does this exist in Check Point?


    Thanks in advance

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Default Re: Check Point firewall flow

    Quote Originally Posted by erntan View Post
    Hello guys,

    I wonder if there is any good guide on how the firewall traffic flows in the Check Point firewall.
    Like in a Juniper SRX you can easily follow the flow with this flow chart:
    https://www.tunnelsup.com/images/jun...acket-flow.png

    Does this exist in Check Point?


    Thanks in advance
    I couldn't find an image at this moment but immediately looked over CP_R77_Firewall_AdminGuide (pdf file); page 94 gives some intro about packet flow using SecureXL.

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: Check Point firewall flow

    Please see my post here and the followups:

    https://www.cpug.org/forums/showthre...3741#post93741
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point firewall flow

    See also the following sk: sk116255.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: Check Point firewall flow

    Quote Originally Posted by PhoneBoy View Post
    See also the following sk: sk116255.
    Hadn't seen that new SK, thanks for the tip! Very informative.
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2007-10-31
    Location
    Great Plains - USA
    Posts
    159
    Rep Power
    13

    Default Re: Check Point firewall flow

    Quote Originally Posted by PhoneBoy View Post
    See also the following sk: sk116255.
    SK116255 is very nice, thank you for pointing it out.

    To take a trip down memory lane, FW Monitor documentation was also informative in detailing flows. Pages 14 and 19 from here were useful for me many times:
    http://dl3.checkpoint.com/paid/a4/Ho...b354e&xtn=.pdf

  7. #7
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Check Point firewall flow

    Quote Originally Posted by ShadowPeak.com View Post
    Hadn't seen that new SK, thanks for the tip! Very informative.
    I believe we plan to update this document for R80.10 also (or have a new SK for it).
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8
    Join Date
    2017-05-30
    Posts
    4
    Rep Power
    0

    Default Re: Check Point firewall flow

    Hey again guys,

    Thanks.

    More questions regarding the flow.
    What about NAT?

    Does Static NAT occur before Source and Destination NAT?
    If manual NAT vs Automatic NAT, which has higher priority?


    Please help me understand the NAT procedure.

    Thanks again.

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    14

    Default Re: Check Point firewall flow

    Quote Originally Posted by erntan View Post
    Hey again guys,

    Thanks.

    More questions regarding the flow.
    What about NAT?

    Does Static NAT occur before Source and Destination NAT?
    If manual NAT vs Automatic NAT, which has higher priority?


    Please help me understand the NAT procedure.

    Thanks again.
    By default if the destination IP address is being NATted it is performed on the client/inbound side of the firewall kernel (i->I) prior to routing by IP.

    If the source IP address is being NATted it is performed on the server/outbound side of the firewall kernel (o->O) after routing by IP.

    Whether the NAT is automatically generated, manually created, inbound, outbound, Static NAT or Hide NAT is irrelevant to the two statements above.

    For automatically-generated NAT rules (selecting the NAT tab of a host/network object and configuring NAT that way) automatic Static NAT rules will always be checked first, followed by the automatic Hide NAT rules. This ordering of automatic NAT rules cannot be changed. In addition, by default more than one automatic rule can potentially be matched if there is a matching automatic rule for both source and destination ("bi-directional NAT").

    Prior to the automatically-generated NAT rules ("pre-automatic"), one can add manual Hide or Static NAT rules that will be checked for a match before any automatically-generated rules. Just like the cult movie Highlander, "there can be only one" when it comes to manual NAT rule matching.

    After all the automatically-generated NAT rules ("post-automatic"), one can once again add manual Hide or Static NAT rules that will be checked for a match after any automatically-generated rules. This is an uncommon place to add manual NAT rules but I have seen some use cases for it.

    Oh and you cannot use Security Zone objects in manual NAT rules as of R80.10. Disappointing.
    --
    Third Edition of my "Max Power 2020" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
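
An added example, not part of the original thread and not Check Point code: a simplified Python model of the NAT rule matching order and translation points described in post #9. The NatRule class, section labels, rule names and addresses are constructed for illustration; each automatic rule in the model translates one side only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:               # simplified model, not Check Point's rule format
    name: str
    section: str             # manual-pre | auto-static | auto-hide | manual-post
    src: str = "0.0.0.0/0"   # original source to match
    dst: str = "0.0.0.0/0"   # original destination to match
    xlate_src: str = ""      # translated source ("" = keep original)
    xlate_dst: str = ""      # translated destination ("" = keep original)

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

def select_rules(rules, src, dst):
    """Pick the NAT rule(s) for a connection in the order the post describes."""
    def first(section, want=lambda r: True):
        return next((r for r in rules if r.section == section
                     and r.matches(src, dst) and want(r)), None)
    hit = first("manual-pre")
    if hit:                       # only one manual rule can match
        return [hit]
    hits = []                     # automatic: up to one rule per side (bi-directional)
    for side in ("xlate_dst", "xlate_src"):
        for section in ("auto-static", "auto-hide"):   # static always before hide
            rule = first(section, lambda r: getattr(r, side))
            if rule:
                hits.append(rule)
                break
    if hits:
        return hits
    hit = first("manual-post")
    return [hit] if hit else []

def trace(rules, src, dst):
    """Return (rule names, (src, dst) after i->I, (src, dst) after o->O)."""
    hits = select_rules(rules, src, dst)
    new_dst = next((r.xlate_dst for r in hits if r.xlate_dst), dst)
    new_src = next((r.xlate_src for r in hits if r.xlate_src), src)
    # Destination NAT on the inbound side before routing; source NAT on the outbound side after
    return [r.name for r in hits], (src, new_dst), (new_src, new_dst)

# Constructed sample rulebase (private and documentation address ranges)
RULES = [
    NatRule("manual no-NAT to partner", "manual-pre", "10.1.1.0/24", "10.9.0.0/16"),
    NatRule("auto static A (src)", "auto-static", src="10.1.1.10/32", xlate_src="203.0.113.10"),
    NatRule("auto static B (dst)", "auto-static", dst="203.0.113.20/32", xlate_dst="10.2.2.20"),
    NatRule("auto hide LAN", "auto-hide", src="10.1.1.0/24", xlate_src="203.0.113.1"),
]
```

Calling `trace(RULES, "10.1.1.10", "203.0.113.20")` shows the bi-directional case: the destination is already translated when routing happens, while the source changes only on the outbound side.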
