topic Re: fw ctl chain in General Topics

fw ctl chain

pavan_kalal — Thu, 03 Aug 2023 14:17:59 GMT

Hi folks,

Can anyone please explain about the fw monitor ?

traffic get inspected at 4 inspection point with fw monitor as below

i: - pre-inbound

I: - post-inbound

o: - pre-outbound

O: - post-outbound.

now i want to understand what are the parameters get checked at each inspection point ?

also want to understand how to reach (fw ctl chain).

Thanks.

Re: fw ctl chain

the_rock — Thu, 03 Aug 2023 14:23:15 GMT

Lots of posts about this, but below are 2 best ones (in my opinion)

Andy

https://community.checkpoint.com/t5/Security-Gateways/fw-ctl-chain/m-p/125264

https://community.checkpoint.com/t5/General-Topics/Check-Point-Inspection-points-iIoO/td-p/34938

No one explains this better than @Timothy_Hall

Re: fw ctl chain

the_rock — Thu, 03 Aug 2023 14:49:44 GMT

By the way, if you simply search for fw ctl chain in below field, so many useful things come up.

Andy

Re: fw ctl chain

pavan_kalal — Thu, 03 Aug 2023 16:54:41 GMT

So as i gone though the @Timothy_Hall Post, its mentioned that when non-accelerated packet travel through firewall it get inspected/checked at four inspection point with fw monitor.

Lets take below example to understand it more clearly.

Client Server

so as per the above diagram client server architecture. we have firewall in between both, and iIoO mentioned.

lets take TCP three way handshake as example in this architecture

SYN : - eth1 : - pre-inbound "i"

eth1 : - post-Inbound "I"

eth2 : - pre-outbound "o"

eth2 : - post-Outbound "O"

SYN ACK : - eth2 : - pre-inbound "i"

eth 2 : - post-Inbound "I"

eth 1 : - Pre-outbound "o"

eth 1 : - post-Outbound "O"

ACK : - eth1 : - pre-inbound "i"

eth1 : - Post-inbound "I"

eth2 : - pre-outbound "o"

eth2 : - post-outbound "O"

Now here at individual inspection point different2 parameters get checked/inspected as below.

Between i & I (at client side)

Inbound anti-spoofing
Geo policy
HTTPS/VPN decryption
State table lookup (connection table)
Access control policy
Destination NAT
TP policy

Between I & o

IP Routing

Between o & O (at Server side)

Outbound Anti-spoofing
HTTPS/VPN Encryption
Source NAT

Kindly correct if if i am going wrong .

Thanks !

Re: fw ctl chain

the_rock — Thu, 03 Aug 2023 16:57:24 GMT

That looks right to me.

Andy

Re: fw ctl chain

the_rock — Thu, 03 Aug 2023 17:31:44 GMT

@pavan_kalal

Not to advertise Tim's book now, but I guarantee you, below is SOOOO WORTH the money. The amount of useful things you can find in the book cant be described with words. I strongly recommend it.

Andy

https://www.amazon.ca/Max-Power-2020-Optimization-Welch-Abernathy/dp/1652347704/ref=sr_1_1?crid=1U198C9NIZUEI&keywords=timothy+hall&qid=1691083758&sprefix=timothy+hall%2Caps%2C103&sr=8-1#customerReviews

Re: fw ctl chain

pavan_kalal — Tue, 08 Aug 2023 04:22:24 GMT

Hi @the_rock ,

can you please help me understanding the fw ctl output ?

I mean so far we discussed i understood about the inspection point’s of fw monitor and the different parameters get inspected at each point.

now i want to know how to read the output of fw ctl chain ? Below

[Expert@MyGW:0]# fw ctl chain

in chain (17):

        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)

        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)

        2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)

        3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

        4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)

        5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding

        6:         0 (ffffffff8b8506a0) (00000001) fw VM inbound  (fw)

        7:         2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)

        8:         4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module

        9:         5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)

        10:        10 (ffffffff8b842710) (00000001) fw post VM inbound  (post_vm)

        11:    100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)

        12:  22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)

        13:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP  side)

        14:  7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)

        15:  7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)

        16:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)

out chain (16):

        0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)

        1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)

        2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)

        3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)

        4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)

        5: -     1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)

        6:         0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)

        7:        10 (ffffffff8b842710) (00000001) fw post VM outbound  (post_vm)

        8:  15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)

        9:  21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)

        10:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)

        11:  7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)

        12:  7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)

        13:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)

        14:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)

        15:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)

Re: fw ctl chain

the_rock — Tue, 08 Aug 2023 12:31:02 GMT

Bookmark this link, it explains EVERYTHING 🙂

Andy

https://dkcheckpoint.blogspot.com/2016/07/chapter-2-chain-module.html