Most everything is explained here:

R80.x Security Gateway Architecture (Logical Packet Flow)‌

Hi Carlos,

Your drawing must have been hard work. Thanks for that!  But I think we should not confuse the users with too many different flowcharts.

I've been trying for a long time to create a reasonable overview R80.x Security Gateway Architecture (Logical Packet Flow) . Here Valeri Loukine  from Check Point supported me very well in backround and we tried to find an error-free flow. That was hard work and thanks again to Valeri Loukine, Dameon and Moti.

History:

09-27-2017 - Moti. published the original article for R77.x:

Checkmates: Check Point Threat Prevention Packet Flow and Architecture 

07-29-2018 - I tried to write a new article for R80.x and Valeri Loukine supported me.

R80.x Security Gateway Architecture (Logical Packet Flow)

08-06-2018 - Valeri Loukine has reworked the original article for R80.x by Moti.:

Security Gateway Packet Flow and Acceleration - with Diagrams 

And here are the references to the other sources for the flowchart:

SecureKnowledge: Best Practices - Security Gateway Performance 

Download Center: R80.10 Next Generation Threat Prevention Platforms

Download Center: R77 Security Gateway Packet Flow

Download Center: R77 Security Gateway Architecture

Support Center: Check Point Security Gateway Architecture and Packet Flow 

Checkmates: Check Point Threat Prevention Packet Flow and Architecture 

Checkmates: fw monitor inspection point e or E 

Checkmates: Infinity NGTP architecture 

Checkmates: R80.x Security Gateway Architecture (Content Inspection) 

Regards

Heiko

Thank You Helko.

These images removed from some slides that I am preparing for a presentation.  So it is "broken" into several.

I'll take a look at the message history. My intention is to use the numbers to remove some doubts. I've been looking at some documents but I had some doubts. 

For example:

Is the first packet "arriving" in the Firewall accelerated? Or should the first packet go through the Firewall that will perform the filters?
What happens in step 5?

Thank You!

Just a clarification on the following:
>>>08-06-2018 - Valeri has reworked the original article for R80.x by Moti:

Security Gateway Packet Flow and Acceleration - with Diagrams 

Actually, my post is based on SK articles Moti mentioned in his post. Re-work usually means something else.

Thanks for the answer. I've been looking at this document and I had some doubts.  For example: Is the first packet "arriving" in the Firewall accelerated? Or should the first packet go through the Firewall that will perform the filters?  But once, thank you.

Rather than us trying to look through your diagram and explain, it would be better if you just plainly state the questions you have.

This way, we're answering the right questions

However, I do recommend reading through the referenced documents, which does answer many of the questions you are likely to have.

But to answer your specific question here:

In Step 5-6 in your diagram, this is happening in SecureXL.

If the initial packet matches an accept/drop template, then the initial packet (and subsequent ones) will be accelerated.

If the packet does not match an accept or drop template, then the initial connection packet is sent F2F (not accelerated).

It's possible that later we determine the connection is eligible for acceleration, in which case future packets on that connection will be accelerated.

You can also look here https://community.checkpoint.com/docs/DOC-3061-security-gateway-packet-flow-and-acceleration-with-di... 

Thanks for the answer. I've been looking at this document and I had some doubts.  For example: Is the first packet "arriving" in the Firewall accelerated? Or should the first packet go through the Firewall that will perform the filters?  But once, thank you.

Please do not use pre-formatted in the comments, it is impossible to read it. I have edited your fond out above.

The answers to your question are already in the documentation. Please look here: ATRG: SecureXL 

Part 4 with diagrams addresses this particular question. 

Hi Carlos,

I don't think you can draw a reasonable flowchart in the area of content inspection. That's why I left it out of my Flowcharts. The problem is that a strong difference has to be made between Passive Streaming Library (PSL for F2F Path ,PXL for medium path) and Active Streaming (CPAS) . You describe PSL and PXL here? Real one must stand with SecureXL strongly differentiate whether it goes the F2F path, PXL path or the Acceleration path (without content inspection).

In the firewall chain you can see the PSL (PXL) and CPAS modules:

# fw ctl chain

...

in chain:
...
        14:  7f730000 (ee3485a0) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (ee55b7d0) (00000001) TCP streaming (in) (cpas)
...
out chain:
...
        3: - 1fffff0 (ee55ba00) (00000001) TCP streaming (out) (cpas)
        13:  7f700000 (ee55bbf0) (00000001) TCP streaming post VM (cpas)

...

There is another problem at the waypoint "Protocol Decoder". This is where Context Management Infrastructure (CMI) comes in. The "Protocol Decoder" does not assemble files, URL's and DNS requests. It only recognizes the protocols. The RAD daemon (DNS and URL) or the DLPU daemon (files) assemble the informations for evaluation of further blades RAD for (AntiBot, AntiVirus, URLF,...) and DLPU for (TED). There are other daemons in play here, too.

I once tried to summarize that in an overview. But I don't think you can reproduce this 100% in a drawing either. Here is the link to the article: R80.x Security Gateway Architecture (Content Inspection) 

Personally, I would not try to map the content inspection path as a flowchart.

You have a lot of work in the flowchart, so once again a lot of respect from my side.

Regards,

Heiko

Hello Heiko Ankenbrand, thank you for your help and response. Big hug.