Hi All
On a Check Point firewall, how is the traffic processed? Does it look at the firewall rules first, then pass to IPS, then Threat Prevention, etc.? Or are they all scanned at the same time?
Also, if you used the URL Filtering blade, would you still need to allow a rule to anywhere under the firewall, then use the URL to lock down to URLs?
cheers
This has been discussed deeply already here: R80.x Security Gateway Architecture (Logical Packet Flow)
When teaching the CCSA class and covering ordered vs. inline layers, I use the following simplified order of operations to provide insight into how ordered layers are handled on R77.30 and earlier gateways, then map it into how these layers are represented in the Security Policies tab of the R80+ SmartConsole. Sites that are upgraded into R80+ management start with their existing policies defined as ordered layers, which tends to be the case for most class attendees.
Keep in mind this list is used solely for discussing and understanding ordered layers in an introductory-level class and glosses over a LOT of internal details that are covered in Heiko's excellent article https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packe... Some items on this list are executed by the gateway simultaneously, particularly elements of the Threat Prevention blades. This list assumes that all possible blades are enabled (except QoS) and does not take SecureXL into account at all. Packets that reach the end of the list without being dropped at one of these steps will successfully exit the firewall towards their destination. So with all the caveats laid out here it is:
Shadow Peak Policy Layers and Order of Operations - Ordered Layers
(packet arrives)
0) Antispoofing check via Firewall interface topology settings
1) Geo Policy
2) State table lookup - existing connection? If so, jump to #5; otherwise go to #3
***Network Access Control
(inspect first packet of new connection - usually TCP SYN)
3) Firewall/Network Layer based on IP Address & Ports - Should we let the connection start?
4) NAT Policy - How should this connection be NATed?
(TCP three-way handshake completes)
5) HTTPS Inspection/IPSec VPN - need to decrypt?
6) APCL/URLF - Inspect data flow: Is this an allowed application or URL category?
7) Content Awareness - Is the permitted application/category carrying prohibited data types?
8) Mobile Access Blade - Is this a Mobile Access VPN connection? If so, are there any additional restrictions?
***Threat Prevention
9) IPS: Does the inspected traffic contain any known attacks against clients and/or servers?
10) Anti-Bot: Does the inspected traffic exhibit signs of host compromise?
11) Anti-virus: Does the inspected traffic contain known malware/viruses?
12) Sandblast: Threat Extraction - Strip all active content and deliver a sanitized copy
13) Sandblast: Threat Emulation - Detonate unknown executables in a sandbox and watch for carnage
14) HTTPS Inspection/IPSec VPN - need to encrypt?
Hello Timothy,
Something is not clear to me.
I added a Geo policy on top (block Asia to my gateway and my country).
Anyway, I can see the IPS policy hit by China (especially on port 443) and no reference to the Access Policy.
I checked implied rules but no web services found.
So my question is: why that traffic is hitting my TP profile?
thanks !
Which version is your gateway and are you using legacy geo policy that has dependencies on IPS or are you using updatable geo objects in your access policy?
Hello Chris,
I noticed this behaviour on different versions that I installed (R80.40, R81, SMB).
Of course I mean Updatable Objects, sorry for omitting that.
My question is related to traffic flow: if I add an access policy rule on top of my rulebase denying Country A to my gateway and my country, why is IPS involved in some logs for Country A, and why does the access policy seem to be bypassed?
Maybe I'm missing something.
Thank you for your reply
Likely implied rules per sk105740.
As Chris said, this is a special case because you are using Updatable Objects to block traffic specifically to your gateway, which has "First" implied rules allowing access to various portals such as captive portal, MAB, Gaia web interface, etc. When these implied rules are matched they are not logged by default when they permit the traffic, which then allows it to reach your TP policy.
Interestingly the legacy Geo Policy is actually applied before any implied rules can be reached (as shown in my list above) and would outright block this traffic if configured to do so before ever reaching the Access Control policy or its implied rules.
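To make the ordering argument in the two replies above concrete, here is a small added model (my own example, not code from the thread or from Check Point) of the ordered-layer sequence: legacy Geo Policy at step 1, the state-table shortcut at step 2, implied "First" rules ahead of the explicit rulebase at step 3, and Threat Prevention at step 9. Country codes, the portal port and the rule names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src_country: str      # constructed two-letter code, e.g. "CN"
    dst: str              # "gateway" (traffic to the firewall itself) or "internal"
    dport: int
    existing_conn: bool = False

@dataclass
class Decision:
    action: str           # "accept" or "drop"
    stage: str            # numbered step from the ordered-layer list in the post
    trail: list = field(default_factory=list)

def evaluate(pkt, legacy_geo_block=(), implied_first_ports=(), access_rules=()):
    """Walk the simplified ordered-layer sequence; stop at the first drop.
    access_rules: (name, src_country_or_any, dst_or_any, action), top to bottom.
    Antispoofing (0), NAT (4) and HTTPS Inspection (5) are omitted for brevity."""
    d = Decision("accept", "")
    # 1) Legacy Geo Policy is evaluated before any implied rule can match.
    if pkt.src_country in legacy_geo_block:
        d.action, d.stage = "drop", "1:geo-policy"
        return d
    # 2) State table: an established connection skips the Access Control lookup.
    if pkt.existing_conn:
        d.trail.append("2:state-table-hit")
    # 3) Access Control. Implied "First" rules (portals, Gaia WebUI, ...) precede
    #    the explicit rulebase and are not logged when they accept traffic.
    elif pkt.dst == "gateway" and pkt.dport in implied_first_ports:
        d.trail.append("3:implied-first (unlogged)")
    else:
        for name, country, dst, action in access_rules:
            if country in (pkt.src_country, "any") and dst in (pkt.dst, "any"):
                d.trail.append(f"3:rule {name}")
                if action == "drop":
                    d.action, d.stage = "drop", f"3:rule {name}"
                    return d
                break
        else:  # no explicit match: implicit cleanup drop
            d.action, d.stage = "drop", "3:cleanup"
            return d
    # 9) Threat Prevention (IPS, Anti-Bot, ...) inspects whatever was permitted,
    #    so an unlogged implied accept first becomes visible in the IPS log.
    d.trail.append("9:IPS")
    d.stage = "9:IPS"
    return d

# Constructed scenario from the thread: updatable-object deny rule on top, no legacy geo.
RULES = [("1 block-CN-to-gw", "CN", "gateway", "drop"), ("2 allow-web", "any", "any", "accept")]
PORTALS = {443}   # assumption: a portal port covered by an implied First rule
```

Running `evaluate(Packet("CN", "gateway", 443), implied_first_ports=PORTALS, access_rules=RULES)` reproduces the symptom in the question (an IPS log but no Access Policy log), while adding `legacy_geo_block=("CN",)` drops the same packet at step 1.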