Hi Experts,
Thank you all for helping us. Could you guys please assist on iIoO - Check Point inspection points? Even Check Point doesn't provide much info (shown below), like where anti-spoofing/access rule/NAT/routing is applied at each stage of iIoO. Please assist.
Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing. Unaccelerated packets that are permitted through the firewall will cross all four capture points. Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:
Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module. The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:
Between "I" and "o" the Gaia IP driver performs routing.
Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:
Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
You can see the exact order of operations on your gateway by typing fw ctl chain on your gateway.
The exact options that will show will depend on what features are enabled.
in chain refers to what happens between "little i" and "big I".
out chain refers to what happens between "little o" and "big O".
fw is the access policy.
Anti-spoofing I believe is done as part of stateless verifications.
What happens after "big I" but before "little o"
[Expert@R8010:0]# fw ctl chain
in chain (17):
0: -7ffffff0 (ffffffff8903d8d0) (00000001) tcpt inbound (tcp_tun)
1: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
3: - 1fffffa (ffffffff89036620) (00000001) l2tp inbound (l2tp)
4: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
5: - 1fffff2 (ffffffff890586c0) (00000003) vpn tagging inbound (tagging)
6: - 1fffff0 (ffffffff89017630) (00000003) vpn decrypt verify (vpn_ver)
7: - 1000000 (ffffffff8895c0b0) (00000003) SecureXL conn sync (secxl_sync)
8: 0 (ffffffff88814ac0) (00000001) fw VM inbound (fw)
9: 10 (ffffffff8882a790) (00000001) fw accounting inbound (acct)
10: 2000000 (ffffffff89016bd0) (00000003) vpn policy inbound (vpn_pol)
11: 10000000 (ffffffff88959f40) (00000003) SecureXL inbound (secxl)
12: 21500000 (ffffffff8ad9b960) (00000001) RTM packet in (rtm)
13: 7f600000 (ffffffff8886cf30) (00000001) fw SCV inbound (scv)
14: 7f730000 (ffffffff88a8e6f0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff88cacfb0) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (17):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (ffffffff89015110) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (ffffffff88cad1f0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff88a8e6f0) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (ffffffff890586c0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (ffffffff88879790) (00000001) Stateless verifications (out) (asm)
6: - 1ff (ffffffff88e78d50) (00000001) NAC Packet Outbound (nac_tag)
7: 0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
8: 2000000 (ffffffff890154e0) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (ffffffff88959f40) (00000003) SecureXL outbound (secxl)
10: 1ffffff0 (ffffffff89037350) (00000001) l2tp outbound (l2tp)
11: 20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
12: 24000000 (ffffffff8ad9b960) (00000001) RTM packet out (rtm)
13: 60000000 (ffffffff8903e0c0) (00000001) tcpt outbound (tcp_tun)
14: 7f000000 (ffffffff8882a790) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff88cad3e0) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (out) (ipopt_res)
Chain points from your question for the first packet:
i <NAT on client side> I o O
i <Access-rule> I o O
i <Anti-spoofing> I o O
i I <Routing> o O
i I o <NAT on server side> O
Use sk98799:
The kernel is the bridge between the hardware and the OS. In the Check Point kernel, packets are inspected both in Inbound (ingress) and Outbound (egress) directions. Each direction has its own modules and order of inspection.
Handlers (INSPECT code) decide which modules will inspect the packet. The inspection operations in the Check Point kernel are divided into modules, and the modules are divided into chains. The number of chains on every Security Gateway is different. It depends on which blades/features are enabled on the Security Gateway.
To debug kernel packets:
# fw ctl chain
# fwaccel off
# fw monitor -p all -e "accept( >>>Filter <<<);"
Regards
Heiko
Hi Heiko,
Could you post fw monitor filters so I can capture and see all inspection points?
My goal is to capture traffic across the firewall with fw monitor and find all inspection points.
Thanks
You can see all the new inspection points in R80.20+ here:
If you use the option -p all with fw monitor it will capture a matched packet every time it transits from one chain module to another; on a typical firewall a single accepted packet will be displayed at least 20 times, so make sure you apply a very tight and specific filter to traffic that you are trying to capture in this fashion.
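An added example, not from this thread, Check Point, or the book mentioned above: a small Python parser for the fw ctl chain output format posted earlier in the thread. It splits each chain into the modules that run before and after the fw VM (Access Policy) module, checks that the chain is listed in ascending priority order, and counts how many chain-module capture points fw monitor -p all would report. The sample input is a constructed subset of the chain output posted above, with shortened chain headers.

```python
import re

# Constructed subset of the fw ctl chain output posted in this thread
# (headers shortened to match the number of lines kept here).
SAMPLE = """\
[Expert@R8010:0]# fw ctl chain
in chain (5):
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
4: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
8: 0 (ffffffff88814ac0) (00000001) fw VM inbound (fw)
11: 10000000 (ffffffff88959f40) (00000003) SecureXL inbound (secxl)
16: 7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (4):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (ffffffff89015110) (00000003) vpn nat outbound (vpn_nat)
7: 0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
11: 20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
"""

HEADER = re.compile(r"^(in|out) chain \((\d+)\):")
# idx: [-] hexprio (addr) (flags) description (short_name); the sign may be
# separated from the hex value by a space, as in "- 2000000".
MODULE = re.compile(
    r"^(\d+):\s*(-?)\s*([0-9a-f]+)\s+\(([0-9a-f]+)\)\s+\(([0-9a-f]+)\)\s+(.+?)\s+\((\w+)\)$"
)

def parse_chain(text):
    """Return {'in': [module, ...], 'out': [module, ...]} in listed order."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        mod = MODULE.match(line)
        if mod and current is not None:
            prio = int(mod.group(3), 16)
            chains[current].append({
                "index": int(mod.group(1)),
                "priority": -prio if mod.group(2) == "-" else prio,
                "addr": mod.group(4), "flags": mod.group(5),
                "name": mod.group(6), "short": mod.group(7),
            })
    return chains

def is_sorted(modules):
    """Chain modules execute in ascending priority order; verify the listing."""
    return all(a["priority"] <= b["priority"] for a, b in zip(modules, modules[1:]))

def split_at_fw_vm(modules):
    """Short names of modules that run before and after the fw VM (Access Policy)."""
    fw_idx = [m["index"] for m in modules if m["short"] == "fw"]
    if len(fw_idx) != 1:
        raise ValueError("expected exactly one fw VM module in the chain")
    before = [m["short"] for m in modules if m["index"] < fw_idx[0]]
    after = [m["short"] for m in modules if m["index"] > fw_idx[0]]
    return before, after

def capture_points(chains):
    """Number of chain-module positions fw monitor -p all can show per packet."""
    return sum(len(mods) for mods in chains.values())
```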
In addition to iIoO we also have “e” and “E” with R80.10, which is discussed here: https://community.checkpoint.com/thread/6176-fw-monitor-inspection-point-e-or-e
Yes. "e" and "E" come into the picture only when we monitor the traffic flow of an IPsec VPN.