topic Re: UP kernel chain and policy enforcement in General Topics

UP kernel chain and policy enforcement

Wed, 23 Dec 2015 13:08:40 GMT

Hi all!

Could you please advise which chain module is enforcing security policy on the GW for unified policy case? Is it only up chain? What are the roles of fw vm chains in R80 GW?

Re: UP kernel chain and policy enforcement

Oded_Bergman — Sun, 17 Jan 2016 15:39:47 GMT

There is no new chain module for Unified Policy.

Unified Policy is enforced for first packet in the VM chain module (where security rule base was enforced before).

Since Unified Policy rulebase might not be finally matched on SYN packets, followed rulebase execution will be done on various parser contexts (blade dependent - e.g: HTTP_1ST_RESPONSE for Application Control blade).

Re: UP kernel chain and policy enforcement

_Val_ — Mon, 18 Jan 2016 08:36:10 GMT

Thanks, Oded Bergman, indeed there is no chain module named UP. My original question was badly worded.

Please allow me to rephrase. There is a new kernel debug module UP. If my understanding is correct, it can print out kernel decisions related to enforcement of Unified Policies. Could you please advise if it is related to fw VM or also other chain modules?

Re: UP kernel chain and policy enforcement

Tomer_Sole — Fri, 08 Apr 2016 14:13:21 GMT

Apparently this question was not answered, so I'm unmarking it from being correct.

Re: UP kernel chain and policy enforcement

_Val_ — Fri, 08 Apr 2016 16:06:19 GMT

Yes, the question is not answered. Thanks, Tomer.

Re: UP kernel chain and policy enforcement

Tal_Ben_Avraham — Mon, 11 Apr 2016 15:18:08 GMT

Correct,

UP is a new module including its own kernel debug flags.

UP debug in kernel include Unified Rulebase executions and enforcement.

Regarding chain modules, the only chain module UP is being executed from is the VM chain module.

Re: UP kernel chain and policy enforcement

_Val_ — Mon, 11 Apr 2016 18:20:25 GMT

Thanks a lot. One last question. Does it compliment the regular stateful inspection / rule base enforcement or replace it completely? I can see rule base match effort in the debug output, and it is quite different from the usual one for fm VM. Just trying to make sense out of it

Re: UP kernel chain and policy enforcement

Tal_Ben_Avraham — Thu, 14 Apr 2016 16:59:25 GMT

UP (Unified Policy) module replaces the inspect rulebase (with the same and extra capabilities).

Re: UP kernel chain and policy enforcement

_Val_ — Fri, 15 Apr 2016 11:06:41 GMT

Thanks Tal, that is VERY interesting. Why then I can still see module fw in the fw ctl debug output? Up should replace it, according to your answer.

Why is it still there?

Re: UP kernel chain and policy enforcement

Tal_Ben_Avraham — Wed, 20 Apr 2016 17:13:04 GMT

fw module debug flags include a lot of debugging none-related to the rulebase execution and enforcement (NAT debugs for example).

Re: UP kernel chain and policy enforcement

Alex_Sazonov — Wed, 28 Jun 2017 05:11:28 GMT

Tal Ben Avraham‌,

I remember you were saying that new connection module UnifiedPolicy was added which is executed from the fw VM.

[Expert@luka-eye]# fw ctl conn -a

Installed connections modules:
No. Name Used Newconn Packet End Reload Dup Type Dup Handler
Connectivity level 0:
0: Accounting yes 0: Accounting 00000000 00000000 f549e5d0 00000000 Special f549f500
1: Authentication yes 1: Authentication f568b4b0 00000000 00000000 00000000 Special f568ba00
2: AutoTopology no 2: AutoTopology 00000000 00000000 00000000 00000000 None
3: CPAS yes 3: CPAS 00000000 00000000 f5911af0 00000000 None
4: FG-1 no 4: FG-1 00000000 00000000 00000000 00000000 None
5: FWconn_stats no 5: FWconn_stats 00000000 00000000 00000000 00000000 None
6: ISP-Redundancy no 6: ISP-Redundancy 00000000 00000000 00000000 00000000 None
7: IcmpTunnel no 7: IcmpTunnel 00000000 00000000 00000000 00000000 None
8: NAC yes 8: NAC f5af4720 00000000 00000000 00000000 Save
9: NAT yes 9: NAT 00000000 00000000 f5638360 00000000 Special f5638a90
10: PSL yes 10: PSL 00000000 00000000 f5702ef0 f56fe690 None
11: RTM no 11: RTM 00000000 00000000 00000000 00000000 None
12: RTM2 no 12: RTM2 00000000 00000000 00000000 00000000 None
13: SPII yes 13: SPII f56aea40 00000000 f56b2ed0 f56b33c0 None
14: SeqVerifier yes 14: SeqVerifier f54edea0 00000000 00000000 f54e8de0 Special f54edf50
15: SynDoSDefender no 15: SynDoSDefender 00000000 00000000 00000000 00000000 None
16: UnifiedPolicy yes 16: UnifiedPolicy f5efda00 00000000 f5efd620 00000000 Special f5efcfd0
17: VPN yes 17: VPN f5c94040 00000000 f5c7d330 00000000 Special f5c72ae0

Hope it will help to understand the flow.

Re: UP kernel chain and policy enforcement

Tal_Ben_Avraham — Wed, 28 Jun 2017 07:33:16 GMT

Security policy is enforced by the VM chain module (as in pervious versions_.

In cases where rulebase requires data inspection (e.g: Applicative rulebsae) there will be first execution of the rulebase in the VM chain module followed by additional rulebase executions triggered by parsers upon connection data (i.e: TCP/UDP payload) being inspected.

Re: UP kernel chain and policy enforcement

_Val_ — Thu, 29 Jun 2017 07:09:38 GMT

Tal, what is a connection module? Any documentation reference?

Re: UP kernel chain and policy enforcement

Tal_Ben_Avraham — Thu, 29 Jun 2017 11:35:29 GMT

Above statement is not accurate.

UnifiedPolicy (UP) is indeed a connection module. Generally means it saves information on the connection table.

It has nothing to do with the position (chain module) the rulebase is being executed.