vas
Contributor

Check Point Inspection points - iIoO

Hi Experts,

Thank you all for helping us. Could you please assist with iIoO, the Check Point inspection points? Even Check Point doesn't provide much info (shown below), e.g. where anti-spoofing, access rules, NAT and routing are applied at each stage of iIoO. Please assist.

1 Solution

Accepted Solutions
Timothy_Hall
Champion

Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing.  Unaccelerated packets that are permitted through the firewall will cross all four capture points.  Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:

Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module.  The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:

  • Inbound Anti-spoofing
  • Geo Policy
  • HTTPS/VPN decryption
  • Connections state table lookups
  • Access Control policy layer evaluation
  • Destination IP NAT
  • Threat Prevention policy layer evaluation

Between "I" and "o" the Gaia IP driver performs routing.

Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:

  • Outbound Anti-spoofing
  • HTTPS/VPN encryption
  • Source IP NAT

Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

7 Replies
PhoneBoy
Admin

You can see the exact order of operations on your gateway by typing fw ctl chain on your gateway. 

The exact options that will show will depend on what features are enabled. 

in chain refers to what happens between "little i" and "big I".

out chain refers to what happens between "little o" and "big O".

fw is the access policy.

Anti-spoofing I believe is done as part of stateless verifications.

What happens after "big I" but before "little o"

  • Destination NAT (If "Translate destination on client side" Global Property is set)
  • Routing 

[Expert@R8010:0]# fw ctl chain
in chain (17):
0: -7ffffff0 (ffffffff8903d8d0) (00000001) tcpt inbound (tcp_tun)
1: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
3: - 1fffffa (ffffffff89036620) (00000001) l2tp inbound (l2tp)
4: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
5: - 1fffff2 (ffffffff890586c0) (00000003) vpn tagging inbound (tagging)
6: - 1fffff0 (ffffffff89017630) (00000003) vpn decrypt verify (vpn_ver)
7: - 1000000 (ffffffff8895c0b0) (00000003) SecureXL conn sync (secxl_sync)
8:         0 (ffffffff88814ac0) (00000001) fw VM inbound  (fw)
9:        10 (ffffffff8882a790) (00000001) fw accounting inbound (acct)
10:   2000000 (ffffffff89016bd0) (00000003) vpn policy inbound (vpn_pol)
11:  10000000 (ffffffff88959f40) (00000003) SecureXL inbound (secxl)
12:  21500000 (ffffffff8ad9b960) (00000001) RTM packet in (rtm)
13:  7f600000 (ffffffff8886cf30) (00000001) fw SCV inbound (scv)
14:  7f730000 (ffffffff88a8e6f0) (00000001) passive streaming (in) (pass_str)
15:  7f750000 (ffffffff88cacfb0) (00000001) TCP streaming (in) (cpas)
16:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (17):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (ffffffff89015110) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (ffffffff88cad1f0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff88a8e6f0) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (ffffffff890586c0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (ffffffff88879790) (00000001) Stateless verifications (out) (asm)
6: -     1ff (ffffffff88e78d50) (00000001) NAC Packet Outbound (nac_tag)
7:         0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
8:   2000000 (ffffffff890154e0) (00000003) vpn policy outbound (vpn_pol)
9:  10000000 (ffffffff88959f40) (00000003) SecureXL outbound (secxl)
10:  1ffffff0 (ffffffff89037350) (00000001) l2tp outbound (l2tp)
11:  20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
12:  24000000 (ffffffff8ad9b960) (00000001) RTM packet out (rtm)
13:  60000000 (ffffffff8903e0c0) (00000001) tcpt outbound (tcp_tun)
14:  7f000000 (ffffffff8882a790) (00000001) fw accounting outbound (acct)
15:  7f700000 (ffffffff88cad3e0) (00000001) TCP streaming post VM (cpas)
16:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (out) (ipopt_res)
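
As an added example (not part of PhoneBoy's reply and not a Check Point tool), the Python below parses fw ctl chain output of the shape quoted above into the inbound chain (what runs between "i" and "I") and the outbound chain (between "o" and "O"), checks that the modules are listed in ascending offset order, and reports which modules run before the access policy module (fw). The sample text is a constructed, trimmed and renumbered subset of the output in the thread; the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample (a trimmed, renumbered subset of the "fw ctl chain" output
# quoted in the thread above); the real command prints the full list.
SAMPLE_CHAIN = """\
in chain (6):
0: -7ffffff0 (ffffffff8903d8d0) (00000001) tcpt inbound (tcp_tun)
1: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
3: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
4:         0 (ffffffff88814ac0) (00000001) fw VM inbound  (fw)
5:  7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (4):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1f00000 (ffffffff88879790) (00000001) Stateless verifications (out) (asm)
2:         0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
3:  20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
"""


@dataclass
class ChainModule:
    position: int   # index printed at the start of the line
    offset: int     # signed ordering key; modules run in ascending offset order
    address: str    # kernel address column, kept as printed
    flags: str      # flags column, kept as printed
    name: str       # descriptive module name
    short: str      # short tag in the trailing parentheses, e.g. "fw", "asm"


# Matches "in chain (17):" / "out chain (17):"
HEADER_RE = re.compile(r"^(in|out) chain \((\d+)\):\s*$")
# Matches "2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)";
# the offset column may print its minus sign separated from the digits.
MODULE_RE = re.compile(
    r"^\s*(\d+):\s*(-?)\s*([0-9a-f]+)\s+\(([0-9a-f]+)\)\s+\(([0-9a-f]+)\)\s+(.+?)\s+\((\w+)\)\s*$"
)


def parse_chain(text: str) -> Dict[str, List[ChainModule]]:
    """Parse fw ctl chain output into {"in": [...], "out": [...]}.

    Raises ValueError on an unrecognised line (e.g. a pasted shell prompt) or
    when the module count does not match what the header declares (truncated paste).
    """
    chains: Dict[str, List[ChainModule]] = {}
    declared: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            declared[current] = int(header.group(2))
            continue
        mod = MODULE_RE.match(line)
        if mod is None or current is None:
            raise ValueError(f"unrecognised fw ctl chain line: {line!r}")
        pos, sign, off, addr, flags, name, short = mod.groups()
        offset = -int(off, 16) if sign else int(off, 16)
        chains[current].append(ChainModule(int(pos), offset, addr, flags, name, short))
    for direction, count in declared.items():
        if len(chains[direction]) != count:
            raise ValueError(f"{direction} chain declares {count} modules, parsed {len(chains[direction])}")
    return chains


def is_ordered(chain: List[ChainModule]) -> bool:
    """True when the modules appear in strictly ascending offset order."""
    return all(a.offset < b.offset for a, b in zip(chain, chain[1:]))


def modules_before(chain: List[ChainModule], short: str) -> List[str]:
    """Short tags of every module that runs before the module tagged `short`."""
    for idx, mod in enumerate(chain):
        if mod.short == short:
            return [m.short for m in chain[:idx]]
    raise KeyError(f"module {short!r} not in chain")


def capture_point_map(chains: Dict[str, List[ChainModule]]) -> Dict[str, List[str]]:
    """Relate each chain to the fw monitor capture points it sits between."""
    return {
        "i -> I": [m.short for m in chains.get("in", [])],
        "o -> O": [m.short for m in chains.get("out", [])],
    }


if __name__ == "__main__":
    parsed = parse_chain(SAMPLE_CHAIN)
    for segment, tags in capture_point_map(parsed).items():
        print(f"{segment}: {' > '.join(tags)}")
    print("before access policy (inbound):", modules_before(parsed["in"], "fw"))
```

Paste only the command output (without the [Expert@...]# prompt line) into parse_chain; the declared-count check catches a truncated paste, and modules_before(chain, "fw") shows which modules, such as the stateless verifications (asm) PhoneBoy associates with anti-spoofing, run before the access policy in the inbound chain.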

HeikoAnkenbrand
Champion

Chain points from your question for the first packet:

i   <NAT on client side> I o O
i   <Access-rule> I o O
i   <Anti-spoofing> I o O
i I <Routing> o O
i I o <NAT on server side> O

Use sk98799:

The kernel is the bridge between the hardware and the OS. In the Check Point kernel, packets are inspected both in Inbound (ingress) and Outbound (egress) directions. Each direction has its own modules and order of inspection.

Handlers (INSPECT code) decide which modules will inspect the packet. The inspection operations in the Check Point kernel are divided into modules, and the modules are divided into chains. The number of chains on every Security Gateway is different. It depends on which blades/features are enabled on the Security Gateway.

To debug kernel packets:

fw ctl chain

# fwaccel off

# fw monitor -p all -e "accept( >>>Filter <<<);"

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
s_milidrag
Participant

Hi Heiko,

Could you post the fw monitor filters so I can capture and see all inspection points?

My goal is to capture traffic across the firewall with fw monitor and find all inspection points.

Thanks

SM
Timothy_Hall
Champion

You can see all the new inspection points in R80.20+ here:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-New-FW-Monitor-inspection-...

If you use the option -p all with fw monitor it will capture a matched packet every time it transits from one chain module to another; on a typical firewall a single accepted packet will be displayed at least 20 times, so make sure you apply a very tight and specific filter to traffic that you are trying to capture in this fashion.


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
RickHoppe
Advisor

In addition to iIoO we also have “e” and “E” with R80.10, which is discussed here: https://community.checkpoint.com/thread/6176-fw-monitor-inspection-point-e-or-e

My blog: https://checkpoint.engineer
Gaurav_Pandya
Advisor

Yes. “e” and “E” come into the picture only when we monitor the traffic flow of an IPsec VPN.
