This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ahmedaburaihan
Explorer
15 hours ago

Firewall-Blades Order of Operation

Hallo Mates

What is the order of operation of Firewall-Blades in a normal environment? 

Let suppose a packet from Internet enters an OUT Interface of a Firewall, How does the Firewall deal with it?

- Does the Policy/Rule is checked against.

- Does the Threat Prevention Module works first?

... and so on. 

 

I would be grateful for a detailed answer in this regard. 

 

Thank you, 

A. 

0 Kudos
4 Replies
_Val_
Admin
Admin
9 hours ago

This pic should answer your quesiton

 

Screenshot 2025-01-16 at 15.59.18.png

ahmedaburaihan
Explorer
8 hours ago
In response to _Val_

Yes, thank you for the pic. Could you please also put some light on this? 

0 Kudos
_Val_
Admin
Admin
8 hours ago
In response to ahmedaburaihan

It depends. You asked about the order of different blade enforcement.

When the packet comes to your GW, it is being inspected before forwarding. The first action is anti-spoofing. Then, and even before it is filtered through the security policy, TLS inspection policy is applied, if the feature is enabled on your GW.

The next step is your Security policy in combination with Application Control, URL filtering, and Content Inspection if they are used. If the result is Accept action, the next step is Threat Prevention: AV, IPS, and anything else you have in your Threat Prevention Policy.

The whole logic is linear, without loops.

0 Kudos
Bob_Zimmerman
Authority
Authority
5 hours ago
In response to _Val_

Two noteworthy items are missing from that diagram: VPN decisions (like flagging a packet for encryption to a given VPN peer) and NAT.

My memory is VPN decisions are made between antispoofing and HTTPS inspection. This is before any address translation can happen, and it affects which addresses you need to include in a firewall's encryption domain.

NAT rule matching is done with the firewall policy matching, but decisions aren't actually applied until later (after the Threat Emulation/Extraction part of this diagram). All rules should be written based on how the traffic will look when it arrives at the firewall.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events