Check Point Inspection points-iIoO

Hi Experts,

Thank you all for helping us. Could you please assist with iIoO, the Check Point inspection points? Even Check Point doesn't provide much info (shown below), such as where Anti-spoofing/Access rule/NAT/Routing is applied at each stage of iIoO. Please assist.

Accepted Solutions

Re: Check Point Inspection points-iIoO

Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing.  Unaccelerated packets that are permitted through the firewall will cross all four capture points.  Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:

Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module.  The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:

  • Inbound Anti-spoofing
  • Geo Policy
  • HTTPS/VPN decryption
  • Connections state table lookups
  • Access Control policy layer evaluation
  • Destination IP NAT
  • Threat Prevention policy layer evaluation

Between "I" and "o" the Gaia IP driver performs routing.

Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:

  • Outbound Anti-spoofing
  • HTTPS/VPN encryption
  • Source IP NAT

Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
7 Replies
Admin

Re: Checkpoint Inspection points-iIoO

You can see the exact order of operations on your gateway by typing fw ctl chain on your gateway. 

The exact options that will show will depend on what features are enabled. 

in chain refers to what happens between "little i" and "big I".

out chain refers to what happens between "little o" and "big O".

fw is the access policy.

Anti-spoofing I believe is done as part of stateless verifications.

What happens after "big I" but before "little o":

  • Destination NAT (If "Translate destination on client side" Global Property is set)
  • Routing 

[Expert@R8010:0]# fw ctl chain
in chain (17):
0: -7ffffff0 (ffffffff8903d8d0) (00000001) tcpt inbound (tcp_tun)
1: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
3: - 1fffffa (ffffffff89036620) (00000001) l2tp inbound (l2tp)
4: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
5: - 1fffff2 (ffffffff890586c0) (00000003) vpn tagging inbound (tagging)
6: - 1fffff0 (ffffffff89017630) (00000003) vpn decrypt verify (vpn_ver)
7: - 1000000 (ffffffff8895c0b0) (00000003) SecureXL conn sync (secxl_sync)
8:         0 (ffffffff88814ac0) (00000001) fw VM inbound  (fw)
9:        10 (ffffffff8882a790) (00000001) fw accounting inbound (acct)
10:   2000000 (ffffffff89016bd0) (00000003) vpn policy inbound (vpn_pol)
11:  10000000 (ffffffff88959f40) (00000003) SecureXL inbound (secxl)
12:  21500000 (ffffffff8ad9b960) (00000001) RTM packet in (rtm)
13:  7f600000 (ffffffff8886cf30) (00000001) fw SCV inbound (scv)
14:  7f730000 (ffffffff88a8e6f0) (00000001) passive streaming (in) (pass_str)
15:  7f750000 (ffffffff88cacfb0) (00000001) TCP streaming (in) (cpas)
16:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (17):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (ffffffff89015110) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (ffffffff88cad1f0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff88a8e6f0) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (ffffffff890586c0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (ffffffff88879790) (00000001) Stateless verifications (out) (asm)
6: -     1ff (ffffffff88e78d50) (00000001) NAC Packet Outbound (nac_tag)
7:         0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
8:   2000000 (ffffffff890154e0) (00000003) vpn policy outbound (vpn_pol)
9:  10000000 (ffffffff88959f40) (00000003) SecureXL outbound (secxl)
10:  1ffffff0 (ffffffff89037350) (00000001) l2tp outbound (l2tp)
11:  20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
12:  24000000 (ffffffff8ad9b960) (00000001) RTM packet out (rtm)
13:  60000000 (ffffffff8903e0c0) (00000001) tcpt outbound (tcp_tun)
14:  7f000000 (ffffffff8882a790) (00000001) fw accounting outbound (acct)
15:  7f700000 (ffffffff88cad3e0) (00000001) TCP streaming post VM (cpas)
16:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (out) (ipopt_res)
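As an added example (not from this thread or from Check Point), a small Python parser for the fw ctl chain listing format shown above: it handles the right-aligned negative priorities ("- 1fffff8", "-     1ff"), splits each chain into the modules that run before and after the fw VM (the access policy), and compares a gateway's chain against a known-good tag list so unexpected or missing chain modules can be spotted across gateways. The embedded sample is a constructed excerpt of the listing above; the baseline tag list in the usage is likewise constructed.

```python
import re

# Constructed excerpt reproducing the layout of the fw ctl chain output quoted above,
# including the right-aligned negative priorities ("- 1fffff8", "-     1ff").
SAMPLE_CHAIN = """\
in chain (5):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
2:         0 (ffffffff88814ac0) (00000001) fw VM inbound  (fw)
3:  7f750000 (ffffffff88cacfb0) (00000001) TCP streaming (in) (cpas)
4:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (4):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -     1ff (ffffffff88e78d50) (00000001) NAC Packet Outbound (nac_tag)
2:         0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
3:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (out) (ipopt_res)
"""

HEADER_RE = re.compile(r"^\s*(in|out) chain \((\d+)\):")
MODULE_RE = re.compile(
    r"^\s*(\d+):\s*(-?)\s*([0-9a-f]+)\s+"      # index, optional sign, hex priority
    r"\(([0-9a-f]+)\)\s+\(([0-9a-f]+)\)\s+"     # handler address, flags
    r"(.*?)\s*\((\w+)\)\s*$")                   # descriptive name, short tag

def parse_chain(text):
    """Return {'in': [...], 'out': [...]} of module dicts in the order the kernel runs them."""
    chains, current = {"in": [], "out": []}, None
    for line in text.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            current = hdr.group(1)
            continue
        m = MODULE_RE.match(line)
        if m and current:
            prio = int(m.group(3), 16) * (-1 if m.group(2) else 1)
            chains[current].append({"index": int(m.group(1)), "priority": prio,
                                    "flags": int(m.group(5), 16),
                                    "name": m.group(6).strip(), "tag": m.group(7)})
    return chains

def around_fw(chain_modules):
    """Split one chain into the module tags that run before and after the fw VM (access policy)."""
    pos = next(i for i, m in enumerate(chain_modules) if m["tag"] == "fw")
    return [m["tag"] for m in chain_modules[:pos]], [m["tag"] for m in chain_modules[pos + 1:]]

def chain_drift(chain_modules, baseline_tags):
    """Compare a gateway's chain against a known-good tag list; returns (added, missing) sets."""
    seen = {m["tag"] for m in chain_modules}
    return seen - set(baseline_tags), set(baseline_tags) - seen

if __name__ == "__main__":
    chains = parse_chain(SAMPLE_CHAIN)
    print("in chain before/after fw VM:", around_fw(chains["in"]))
    print("out chain drift vs baseline:", chain_drift(chains["out"], ["ipopt_strip", "fw", "ipopt_res"]))
```

Feed it the real listing with `parse_chain(open("chain.txt").read())` after saving fw ctl chain output from each gateway; modules reported as added or missing are the ones whose enabled blades or hotfixes differ.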

Re: Check Point Inspection points-iIoO

Chain points from your question for the first packet:

i   <NAT on client side> I o O
i   <Access-rule> I o O
i   <Anti-spoofing> I o O
i I <Routing> o O
i I o <NAT on server side> O

Use sk98799:

The kernel is the bridge between the hardware and the OS. In the Check Point kernel, packets are inspected both in Inbound (ingress) and Outbound (egress) directions. Each direction has its own modules and order of inspection.

Handlers (INSPECT code) decide which modules will inspect the packet. The inspection operations in the Check Point kernel are divided into modules, and the modules are divided into chains. The number of chains on every Security Gateway is different. It depends on which blades/features are enabled on the Security Gateway.

To debug kernel packets:

fw ctl chain
# fwaccel off
# fw monitor -p all -e "accept( >>>Filter <<<);"

Regards

Heiko

Re: Check Point Inspection points-iIoO

Hi Heiko,

Could you post fw monitor filters so I can capture and see all inspection points?

My goal is to capture traffic across the firewall with fw monitor and find all inspection points.

Thanks

SM

Re: Check Point Inspection points-iIoO

You can see all the new inspection points in R80.20+ here:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-New-FW-Monitor-inspection-...

If you use the option -p all with fw monitor it will capture a matched packet every time it transits from one chain module to another; on a typical firewall a single accepted packet will be displayed at least 20 times, so make sure you apply a very tight and specific filter to traffic that you are trying to capture in this fashion.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

RickHoppe
Silver

Re: Check Point Inspection points-iIoO

In addition to iIoO we also have “e” and “E” with R80.10, which is discussed here: https://community.checkpoint.com/thread/6176-fw-monitor-inspection-point-e-or-e

Blog: https://checkpoint.engineer

Re: Check Point Inspection points-iIoO

Yes. “e” and “E” come into the picture only when we monitor the traffic flow of an IPsec VPN.
