Solved: Re: Check Point Inspection points-iIoO

SriNarasimha005 · ‎2018-03-11

Hi Experts,

Thank you all for helping us. Could you guys please assist on iIoO - Checkpoint Inspection points. Even Checkpoint doesn't provide much info (Shown below). Like where Anti-spoofing/Access-rule/NAT/Routing is applied @ each stage of iIoO. Please assist.

Timothy_Hall · ‎2018-03-12

Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing. Unaccelerated packets that are permitted through the firewall will cross all four capture points. Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:

Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module. The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:

Inbound Anti-spoofing
Geo Policy
HTTPS/VPN decryption
Connections state table lookups
Access Control policy layer evaluation
Destination IP NAT
Threat Prevention policy layer evaluation

Between "I" and "o" the Gaia IP driver performs routing.

Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:

Outbound Anti-spoofing
HTTPS/VPN encryption
Source IP NAT

Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

PhoneBoy · ‎2018-03-11

You can see the exact order of operations on your gateway by typing fw ctl chain on your gateway.

The exact options that will show will depend on what features are enabled.

in chain refers to what happens between "little i" and "big I".

out chain refers to what happens between "little o" and "big O".

fw is the access policy.

Anti-spoofing I believe is done as part of stateless verifications.

What happens after "big I" but before "little o"

Destination NAT (If "Translate destination on client side" Global Property is set)
Routing

[Expert@R8010:0]# fw ctl chain
in chain (17):
0: -7ffffff0 (ffffffff8903d8d0) (00000001) tcpt inbound (tcp_tun)
1: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (in) (ipopt_strip)
2: - 2000000 (ffffffff89018bb0) (00000003) vpn decrypt (vpn)
3: - 1fffffa (ffffffff89036620) (00000001) l2tp inbound (l2tp)
4: - 1fffff8 (ffffffff88879790) (00000001) Stateless verifications (in) (asm)
5: - 1fffff2 (ffffffff890586c0) (00000003) vpn tagging inbound (tagging)
6: - 1fffff0 (ffffffff89017630) (00000003) vpn decrypt verify (vpn_ver)
7: - 1000000 (ffffffff8895c0b0) (00000003) SecureXL conn sync (secxl_sync)
8: 0 (ffffffff88814ac0) (00000001) fw VM inbound (fw)
9: 10 (ffffffff8882a790) (00000001) fw accounting inbound (acct)
10: 2000000 (ffffffff89016bd0) (00000003) vpn policy inbound (vpn_pol)
11: 10000000 (ffffffff88959f40) (00000003) SecureXL inbound (secxl)
12: 21500000 (ffffffff8ad9b960) (00000001) RTM packet in (rtm)
13: 7f600000 (ffffffff8886cf30) (00000001) fw SCV inbound (scv)
14: 7f730000 (ffffffff88a8e6f0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff88cacfb0) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (17):
0: -7f800000 (ffffffff88877f40) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (ffffffff89015110) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (ffffffff88cad1f0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff88a8e6f0) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (ffffffff890586c0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (ffffffff88879790) (00000001) Stateless verifications (out) (asm)
6: - 1ff (ffffffff88e78d50) (00000001) NAC Packet Outbound (nac_tag)
7: 0 (ffffffff88814ac0) (00000001) fw VM outbound (fw)
8: 2000000 (ffffffff890154e0) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (ffffffff88959f40) (00000003) SecureXL outbound (secxl)
10: 1ffffff0 (ffffffff89037350) (00000001) l2tp outbound (l2tp)
11: 20000000 (ffffffff89015d80) (00000003) vpn encrypt (vpn)
12: 24000000 (ffffffff8ad9b960) (00000001) RTM packet out (rtm)
13: 60000000 (ffffffff8903e0c0) (00000001) tcpt outbound (tcp_tun)
14: 7f000000 (ffffffff8882a790) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff88cad3e0) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff88878300) (ffffffff) IP Options Restore (out) (ipopt_res)

HeikoAnkenbrand · ‎2018-03-12

Chain points from your question for the first packet:

i <NAT on client side> I o O

i <Access-rule> I o O

i <Anti-spoofing> I o O

i I <Routing> o O

i I o <NAT on server side> O

Use sk98799:

The kernel is the bridge between the hardware and the OS. In the Check Point kernel, packets are inspected both in Inbound (ingress) and Outbound (egress) directions. Each direction has its own modules and order of inspection.

Handlers (INSPECT code) decide which modules will inspect the packet. The inspection operations in the Check Point kernel are divided into modules, and the modules are divided into chains. The number of chains on every Security Gateway is different. It depends on which blades/features are enabled on the Security Gateway.

To debug kernel packets:

# fw ctl chain

# fwaccel off

# fw monitor -p all -e "accept( >>>Filter <<<);"

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

s_milidrag · ‎2019-09-20

Hi Heiko,

Could you post fw monitor filters so I can capture & see all inspection points.

My goal is to capture traffic across the firewall with fw monitor and find all inspection points.

Thanks

SM

Timothy_Hall · ‎2019-09-20

You can see all the new inspection points in R80.20+ here:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-New-FW-Monitor-inspection-...

If you use the option -p all with fw monitor it will capture a matched packet every time it transits from one chain module to another; on a typical firewall a single accepted packet will be displayed at least 20 times, so make sure you apply a very tight and specific filter to traffic that you are trying to capture in this fashion.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Timothy_Hall · ‎2018-03-12

Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing. Unaccelerated packets that are permitted through the firewall will cross all four capture points. Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:

Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module. The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:

Inbound Anti-spoofing
Geo Policy
HTTPS/VPN decryption
Connections state table lookups
Access Control policy layer evaluation
Destination IP NAT
Threat Prevention policy layer evaluation

Between "I" and "o" the Gaia IP driver performs routing.

Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:

Outbound Anti-spoofing
HTTPS/VPN encryption
Source IP NAT

Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

RickHoppe · ‎2018-07-15

In addition to iIoO we also have “e” and “E” with R80.10, which is discussed here: https://community.checkpoint.com/thread/6176-fw-monitor-inspection-point-e-or-e

My blog: https://checkpoint.engineer

Gaurav_Pandya · ‎2018-07-16

Yes. “e” and “E” comes in picture only when we monitor traffic flow of IPSEC VPN.

Are you a member of CheckMates?

Check Point Inspection points-iIoO