https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22447#M4318 <HTML><HEAD></HEAD><BODY><P>OK, so in R80 we have this deal where we have a rule match by committee where the CMI, protocol parsers and pattern matchers are all looking at the rulebase column-by-column to build their array of "candidate rules"&nbsp; </P><P></P><P>BUT - they need to let some of that traffic run in some cases to get enough info about it before making a decision.&nbsp; So, what I start to wonder is how much, if any, of this "sample traffic" is let through before the connection is shut down?&nbsp; Does the gateway keep it in some kind of queue pending the final policy decision or does some of that traffic actually transit the gateway prior to that decision being made?&nbsp;</P></BODY></HTML> Thu, 11 Jan 2018 07:35:45 GMT Michael_Lawrenc 2018-01-11T07:35:45Z https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22447#M4318 <HTML><HEAD></HEAD><BODY><P>OK, so in R80 we have this deal where we have a rule match by committee where the CMI, protocol parsers and pattern matchers are all looking at the rulebase column-by-column to build their array of "candidate rules"&nbsp; </P><P></P><P>BUT - they need to let some of that traffic run in some cases to get enough info about it before making a decision.&nbsp; So, what I start to wonder is how much, if any, of this "sample traffic" is let through before the connection is shut down?&nbsp; Does the gateway keep it in some kind of queue pending the final policy decision or does some of that traffic actually transit the gateway prior to that decision being made?&nbsp;</P></BODY></HTML> Thu, 11 Jan 2018 07:35:45 GMT https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22447#M4318 Michael_Lawrenc 2018-01-11T07:35:45Z https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22448#M4319 <HTML><HEAD></HEAD><BODY><P>Generally speaking, we have to let the traffic through until a determination has been made.</P><P>The amount depends on what applications you've configured in your policy.</P><P>See also:&nbsp;<A class="link-titled" href="http://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/" title="http://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/">http://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/</A>&nbsp;</P></BODY></HTML> Sat, 13 Jan 2018 02:19:44 GMT https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22448#M4319 PhoneBoy 2018-01-13T02:19:44Z https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22449#M4320 <HTML><HEAD></HEAD><BODY><P>Yeah, and I am now up to speed on the little warning that comes with protocol inspection.&nbsp; You know, it seems to me that sandboxing connections before releasing them would be in order.&nbsp; Those few packets coming through prior to making the call on whether or not to drop makes me a little nervous. Of course, it's better than no layer 7 inspection at all, but these days I imagine crackists focusing on using those few initial packets to do... something bad.&nbsp; In the old CVP days, we'd vector the whole file, scrub it and then release it.&nbsp; Wondering why we can't do that with the first few packets vectored into a vm to make sure it's all good before opening the gate.&nbsp; <BR /><BR />BTW, nice to see your new site.&nbsp; (New to me - it's been a loooong time since I've looked at phoneboy.)&nbsp; </P></BODY></HTML> Tue, 30 Jan 2018 00:19:46 GMT https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22449#M4320 Michael_Lawrenc 2018-01-30T00:19:46Z https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22450#M4321 <HTML><HEAD></HEAD><BODY><P>This is why you should not allow all traffic on all ports to all destinations...to minimize the risk somewhat <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>To be fair, phoneboy.com has been around for quite some time, though it's purpose has evolved&nbsp;quite a bit over the 20+ years I've had&nbsp;</P><P>When I started writing more about cyber security again, I decided to fork that content to a different site focused on that topic (phoneboy.org)</P><P>Now, I'm focusing my energy here <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Tue, 30 Jan 2018 14:46:38 GMT https://community.checkpoint.com/t5/General-Topics/Unified-policy-how-is-that-connection-really-handled/m-p/22450#M4321 PhoneBoy 2018-01-30T14:46:38Z