UP kernel chain and policy enforcement

Hi all!

Could you please advise which chain module is enforcing security policy on the GW for unified policy case? Is it only up chain? What are the roles of fw vm chains in R80 GW? 

13 Replies
Oded_Bergman
Employee Alumnus

There is no new chain module for Unified Policy.

Unified Policy is enforced for first packet in the VM chain module (where security rule base was enforced before).

Since the Unified Policy rulebase might not be finally matched on SYN packets, subsequent rulebase executions will be done on various parser contexts (blade dependent - e.g.: HTTP_1ST_RESPONSE for the Application Control blade).

_Val_
Admin

Thanks, Oded Bergman, indeed there is no chain module named UP. My original question was badly worded.

Please allow me to rephrase. There is a new kernel debug module UP. If my understanding is correct, it can print out kernel decisions related to enforcement of Unified Policies. Could you please advise if it is related to fw VM or also other chain modules?

Tomer_Sole
Mentor

Apparently this question was not answered, so I'm unmarking it from being correct.

_Val_
Admin

Yes, the question is not answered. Thanks, Tomer.

Tal_Ben_Avraham
Employee

Correct,

UP is a new module including its own kernel debug flags.

UP debug in the kernel includes Unified Rulebase executions and enforcement.

Regarding chain modules, the only chain module UP is being executed from is the VM chain module.

_Val_
Admin

Thanks a lot. One last question. Does it complement the regular stateful inspection / rule base enforcement or replace it completely? I can see rule base match effort in the debug output, and it is quite different from the usual one for fw VM. Just trying to make sense out of it.

Tal_Ben_Avraham
Employee

UP (Unified Policy) module replaces the inspect rulebase (with the same and extra capabilities).

_Val_
Admin

Thanks Tal, that is VERY interesting. Why then can I still see module fw in the fw ctl debug output? UP should replace it, according to your answer.

Why is it still there?

Tal_Ben_Avraham
Employee

fw module debug flags include a lot of debugging not related to the rulebase execution and enforcement (NAT debugs, for example).

Alex_Sazonov
Employee

Tal Ben Avraham,

I remember you were saying that a new connection module, UnifiedPolicy, was added which is executed from the fw VM.

[Expert@luka-eye]# fw ctl conn -a

Installed connections modules:
No. Name Used Newconn Packet End Reload Dup Type Dup Handler
Connectivity level 0:
0: Accounting yes 0: Accounting 00000000 00000000 f549e5d0 00000000 Special f549f500
1: Authentication yes 1: Authentication f568b4b0 00000000 00000000 00000000 Special f568ba00
2: AutoTopology no 2: AutoTopology 00000000 00000000 00000000 00000000 None
3: CPAS yes 3: CPAS 00000000 00000000 f5911af0 00000000 None
4: FG-1 no 4: FG-1 00000000 00000000 00000000 00000000 None
5: FWconn_stats no 5: FWconn_stats 00000000 00000000 00000000 00000000 None
6: ISP-Redundancy no 6: ISP-Redundancy 00000000 00000000 00000000 00000000 None
7: IcmpTunnel no 7: IcmpTunnel 00000000 00000000 00000000 00000000 None
8: NAC yes 8: NAC f5af4720 00000000 00000000 00000000 Save
9: NAT yes 9: NAT 00000000 00000000 f5638360 00000000 Special f5638a90
10: PSL yes 10: PSL 00000000 00000000 f5702ef0 f56fe690 None
11: RTM no 11: RTM 00000000 00000000 00000000 00000000 None
12: RTM2 no 12: RTM2 00000000 00000000 00000000 00000000 None
13: SPII yes 13: SPII f56aea40 00000000 f56b2ed0 f56b33c0 None
14: SeqVerifier yes 14: SeqVerifier f54edea0 00000000 00000000 f54e8de0 Special f54edf50
15: SynDoSDefender no 15: SynDoSDefender 00000000 00000000 00000000 00000000 None
16: UnifiedPolicy yes 16: UnifiedPolicy f5efda00 00000000 f5efd620 00000000 Special f5efcfd0
17: VPN yes 17: VPN f5c94040 00000000 f5c7d330 00000000 Special f5c72ae0

Hope it will help to understand the flow.

_Val_
Admin
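The table above is the thing to look at when you want to confirm, without a kernel debug, which connection modules a gateway actually has loaded and which per-connection hooks (Newconn, Packet, End, Reload) each one registers. Below is an added example, not Check Point code and not from anyone in this thread: a small parser for the `fw ctl conn -a` output, fed with the exact output posted above (embedded as a string so it runs offline), that reports the used modules and the hooks each registers. The column names are taken from the header in the posted output; the meaning of the hex fields as kernel addresses is an assumption, as is the "inconsistency" check at the end, which is just a sanity check for comparing two gateways.

```python
"""Parse the table printed by `fw ctl conn -a` on a Check Point R80.x gateway.

Added example for this thread (not Check Point code). SAMPLE_OUTPUT is the
output posted above, embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Installed connections modules:
No. Name Used Newconn Packet End Reload Dup Type Dup Handler
Connectivity level 0:
0: Accounting yes 0: Accounting 00000000 00000000 f549e5d0 00000000 Special f549f500
1: Authentication yes 1: Authentication f568b4b0 00000000 00000000 00000000 Special f568ba00
2: AutoTopology no 2: AutoTopology 00000000 00000000 00000000 00000000 None
3: CPAS yes 3: CPAS 00000000 00000000 f5911af0 00000000 None
4: FG-1 no 4: FG-1 00000000 00000000 00000000 00000000 None
5: FWconn_stats no 5: FWconn_stats 00000000 00000000 00000000 00000000 None
6: ISP-Redundancy no 6: ISP-Redundancy 00000000 00000000 00000000 00000000 None
7: IcmpTunnel no 7: IcmpTunnel 00000000 00000000 00000000 00000000 None
8: NAC yes 8: NAC f5af4720 00000000 00000000 00000000 Save
9: NAT yes 9: NAT 00000000 00000000 f5638360 00000000 Special f5638a90
10: PSL yes 10: PSL 00000000 00000000 f5702ef0 f56fe690 None
11: RTM no 11: RTM 00000000 00000000 00000000 00000000 None
12: RTM2 no 12: RTM2 00000000 00000000 00000000 00000000 None
13: SPII yes 13: SPII f56aea40 00000000 f56b2ed0 f56b33c0 None
14: SeqVerifier yes 14: SeqVerifier f54edea0 00000000 00000000 f54e8de0 Special f54edf50
15: SynDoSDefender no 15: SynDoSDefender 00000000 00000000 00000000 00000000 None
16: UnifiedPolicy yes 16: UnifiedPolicy f5efda00 00000000 f5efd620 00000000 Special f5efcfd0
17: VPN yes 17: VPN f5c94040 00000000 f5c7d330 00000000 Special f5c72ae0
"""

# Hook columns as named in the table header; a value of 00000000 means "not registered".
HOOK_NAMES = ("Newconn", "Packet", "End", "Reload")

ROW_RE = re.compile(
    r"^\s*(?P<no>\d+):\s+(?P<name>\S+)\s+(?P<used>yes|no)\s+"
    r"(?:(?P=no):\s+(?P=name)\s+)?"  # the posted copy repeats "N: Name"; tolerate it
    r"(?P<newconn>[0-9a-f]{8})\s+(?P<packet>[0-9a-f]{8})\s+"
    r"(?P<end>[0-9a-f]{8})\s+(?P<reload>[0-9a-f]{8})\s+"
    r"(?P<dup_type>\S+)(?:\s+(?P<dup_handler>[0-9a-f]{8}))?\s*$"
)


@dataclass
class ConnModule:
    no: int
    name: str
    used: bool
    hooks: dict          # hook name -> address (assumed kernel address), 0 if absent
    dup_type: str        # "None", "Save" or "Special" in the posted output
    dup_handler: int     # 0 when the Dup Handler column is empty

    def registered_hooks(self):
        return [h for h in HOOK_NAMES if self.hooks[h] != 0]


def parse_conn_modules(text):
    """Return one ConnModule per table row; header and banner lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        hooks = {h: int(m.group(h.lower()), 16) for h in HOOK_NAMES}
        modules.append(ConnModule(
            no=int(m.group("no")),
            name=m.group("name"),
            used=(m.group("used") == "yes"),
            hooks=hooks,
            dup_type=m.group("dup_type"),
            dup_handler=int(m.group("dup_handler") or "0", 16),
        ))
    return modules


def used_modules(modules):
    return [m.name for m in modules if m.used]


def module_hooks(modules, name):
    """Hooks registered by the named module; KeyError if it is not installed."""
    for m in modules:
        if m.name == name:
            return m.registered_hooks()
    raise KeyError(name)


def inconsistent_modules(modules):
    """Modules marked used with nothing registered, or unused but still hooked.
    Sanity check when diffing two gateways; none appear in the posted output."""
    return [m.name for m in modules
            if m.used != bool(m.registered_hooks() or m.dup_handler)]


if __name__ == "__main__":
    mods = parse_conn_modules(SAMPLE_OUTPUT)
    for m in mods:
        if m.used:
            print(f"{m.no:2}: {m.name:<15} hooks={','.join(m.registered_hooks()) or '-'} dup={m.dup_type}")
    print("inconsistent:", inconsistent_modules(mods))
```

On the posted gateway this reports UnifiedPolicy with Newconn and End hooks and a Special dup handler, which matches the later reply that UP is a connection module (it keeps state in the connection table) rather than a chain module; the chain position where the rulebase runs is a separate question, answered by `fw ctl chain`, whose output is not in this thread.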

Tal, what is a connection module? Any documentation reference?

Tal_Ben_Avraham
Employee

The above statement is not accurate.

UnifiedPolicy (UP) is indeed a connection module. Generally, this means it saves information in the connection table.

It has nothing to do with the position (chain module) from which the rulebase is executed.

Tal_Ben_Avraham
Employee

Security policy is enforced by the VM chain module (as in previous versions).

In cases where the rulebase requires data inspection (e.g.: Applicative rulebase) there will be a first execution of the rulebase in the VM chain module, followed by additional rulebase executions triggered by parsers as connection data (i.e.: TCP/UDP payload) is inspected.
