pavan_kalal
Participant

fw ctl chain

Hi folks,

 

Can anyone please explain fw monitor?

Traffic gets inspected at 4 inspection points with fw monitor, as below:

i: - pre-inbound

I: - post-inbound

o: - pre-outbound

O: - post-outbound.

 

Now I want to understand what parameters get checked at each inspection point.

I also want to understand how to reach (fw ctl chain).

 

Thanks.

 

 

 

pavan_kalal
Participant

So as I went through the @Timothy_Hall post, it's mentioned that when a non-accelerated packet travels through the firewall, it gets inspected/checked at four inspection points with fw monitor.

Let's take the below example to understand it more clearly.

 

[Diagram: Client and Server]

So, as per the above diagram of the client-server architecture, we have a firewall in between both, with iIoO mentioned.

Let's take the TCP three-way handshake as an example in this architecture.

SYN:
  eth1: pre-inbound "i"
  eth1: post-inbound "I"
  eth2: pre-outbound "o"
  eth2: post-outbound "O"

SYN ACK:
  eth2: pre-inbound "i"
  eth2: post-inbound "I"
  eth1: pre-outbound "o"
  eth1: post-outbound "O"

ACK:
  eth1: pre-inbound "i"
  eth1: post-inbound "I"
  eth2: pre-outbound "o"
  eth2: post-outbound "O"

 

Now, at each individual inspection point, different parameters get checked/inspected, as below.

 

Between i & I  (at client side)

  • Inbound anti-spoofing 
  • Geo policy
  • HTTPS/VPN decryption
  • State table lookup (connection table)
  • Access control policy
  • Destination NAT
  • TP policy

Between I & o

  • IP Routing

 

Between o & O (at Server side)

  • Outbound Anti-spoofing
  • HTTPS/VPN Encryption
  • Source NAT

             

 

Kindly correct me if I am going wrong.

 

Thanks !

 

 

the_rock
Legend

That looks right to me.

Andy

the_rock
Legend

By the way, if you simply search for fw ctl chain in the below field, so many useful things come up.

Andy

 

 

 

Screenshot_1.png

 

pavan_kalal
Participant

Hi @the_rock ,

Can you please help me understand the fw ctl output?

I mean, from what we discussed so far, I understood the inspection points of fw monitor and the different parameters that get inspected at each point.

Now I want to know how to read the output of fw ctl chain. Below:

 

[Expert@MyGW:0]# fw ctl chain
in chain (17):
        0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
        1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
        2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
        6:         0 (ffffffff8b8506a0) (00000001) fw VM inbound  (fw)
        7:         2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
        8:         4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
        9:         5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
        10:        10 (ffffffff8b842710) (00000001) fw post VM inbound  (post_vm)
        11:    100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
        12:  22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
        13:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP  side)
        14:  7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
        0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
        5: -     1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
        6:         0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
        7:        10 (ffffffff8b842710) (00000001) fw post VM outbound  (post_vm)
        8:  15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
        9:  21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
        10:  70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
        11:  7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
        12:  7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
        13:  7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
        14:  7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
        15:  7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
the_rock
Legend

Bookmark this link, it explains EVERYTHING 🙂

Andy

https://dkcheckpoint.blogspot.com/2016/07/chapter-2-chain-module.html

the_rock
Legend

@pavan_kalal 

Not to advertise Tim's book now, but I guarantee you, below is SOOOO WORTH the money. The amount of useful things you can find in the book can't be described with words. I strongly recommend it.

Andy

https://www.amazon.ca/Max-Power-2020-Optimization-Welch-Abernathy/dp/1652347704/ref=sr_1_1?crid=1U19...
