carl_t

What traffic does Gateway scan first, FW, IPS, threat etc ?


Hi All

On a Check Point Firewall, how is the traffic processed? Does it look at the Firewall rules first, then pass to IPS, then Threat Prevention etc.? Or are they all scanned at the same time?

Also, what about if you used the URL Filtering blade: would you still need to allow a rule to anywhere under the Firewall, then use the URL Filtering to lock down to URLs?

cheers

1 Solution

Accepted Solutions

Re: What traffic does Gateway scan first, FW, IPS, threat etc ?


This has been discussed deeply already here: R80.x Security Gateway Architecture (Logical Packet Flow)

3 Replies

Re: What traffic does Gateway scan first, FW, IPS, threat etc ?

Logically, you can think of Access Control functions (e.g. firewall, APCL/URLF) happening before Threat Prevention functions (e.g. IPS, Anti-Bot, Threat Emulation).
However, the same engines underlie almost all these functions, and connections are continually scanned against them.
How this might be represented in your policy depends on how you are leveraging policy layers and/or if we're talking about pre-R80 gateways.

Re: What traffic does Gateway scan first, FW, IPS, threat etc ?


When teaching the CCSA class and covering ordered vs. inline layers, I use the following simplified order of operations to provide insight into how ordered layers are handled on R77.30 and earlier gateways, then map it into how these layers are represented in the Security Policies tab of the R80+ SmartConsole.  Sites that are upgraded into R80+ management start with their existing policies defined as ordered layers, which tends to be the case for most class attendees.

Keep in mind this list is used solely for discussing and understanding ordered layers in an introductory-level class and glosses over a LOT of internal details that are covered in Heiko's excellent article https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packe... Some items on this list are executed by the gateway simultaneously, particularly elements of the Threat Prevention blades. This list assumes that all possible blades are enabled (except QoS) and does not take SecureXL into account at all.  Packets that reach the end of the list without being dropped at one of these steps will successfully exit the firewall towards their destination.  So with all the caveats laid out, here it is:

Shadow Peak Policy Layers and Order of Operations - Ordered Layers

(packet arrives)

0) Antispoofing check via Firewall interface topology settings

1) Geo Policy

2) State table lookup - existing connection? If so jump to #5, otherwise goto #3

***Network Access Control
(inspect first packet of new connection - usually TCP SYN)

3) Firewall/Network Layer based on IP Address & Ports - Should we let the connection start?

4) NAT Policy - How should this connection be NATed?

(TCP three-way handshake completes)

5) HTTPS Inspection/IPSec VPN - need to decrypt?

6) APCL/URLF - Inspect data flow: Is this an allowed application or URL category?

7) Content Awareness - Is the permitted application/category carrying prohibited data types?

8) Mobile Access Blade - Is this a Mobile Access VPN Connection, if so any additional restrictions?

***Threat Prevention
9) IPS: Does the inspected traffic contain any known attacks against client and/or servers?

10) Anti-Bot: Does the inspected traffic exhibit signs of host compromise?

11) Anti-virus: Does the inspected traffic contain known malware/viruses?

12) Sandblast: Threat Extraction - Strip all active content and deliver a sanitized copy

13) Sandblast: Threat Emulation - Detonate unknown executables in a sandbox and watch for carnage

14) HTTPS Inspection/IPSec VPN - need to encrypt?


"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
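A toy walk-through of the ordered-layer sequence above, added here as an example (it is not Check Point code and not from the post's author). It shows why a new connection is judged by the Network layer (step 3) on IP and port before URL Filtering (step 6) ever sees it, and why an existing connection's later packets jump straight to step 5. The interface topology, rulebase, hostnames, category table and country code are all constructed placeholders.

```python
import ipaddress

# Constructed sample policy (placeholders, not a real gateway configuration).
TOPOLOGY = {"eth1": ipaddress.ip_network("10.1.0.0/16")}   # internal leg
GEO_BLOCKED = {"XX"}                                         # placeholder country code
FW_RULES = [  # Network layer: (source net, dest port, action), first match wins
    (ipaddress.ip_network("10.1.0.0/16"), 443, "accept"),
]
URLF_BLOCKED = {"gambling"}
URL_CATEGORIES = {"example-casino.test": "gambling", "example-news.test": "news"}

state_table = set()   # step 2: known connections (src, dst, dport)


def network_layer(src, dport):
    """Step 3: first matching rule, else the implicit cleanup drop."""
    for net, port, action in FW_RULES:
        if src in net and dport == port:
            return action
    return "drop"


def inspect(pkt, trace=None):
    """Walk the ordered layers for one packet.

    Returns (verdict, step) and appends each visited step number to trace,
    so the caller can see which layers actually looked at the packet.
    """
    trace = trace if trace is not None else []
    src = ipaddress.ip_address(pkt["src"])
    key = (pkt["src"], pkt["dst"], pkt["dport"])
    trace.append(0)                                   # antispoofing vs topology
    if src not in TOPOLOGY[pkt["iface"]]:
        return ("drop", 0)
    trace.append(1)                                   # Geo Policy
    if pkt.get("src_country") in GEO_BLOCKED:
        return ("drop", 1)
    trace.append(2)                                   # state table lookup
    if key not in state_table:                        # new connection: goto 3
        trace.append(3)
        if network_layer(src, pkt["dport"]) != "accept":
            return ("drop", 3)                        # URLF never consulted
        trace.append(4)                               # NAT decision made here
        state_table.add(key)
        return ("accept", 4)   # SYN forwarded; data packets return via step 2
    trace.append(5)                                   # decrypt if applicable
    trace.append(6)                                   # APCL/URLF on data flow
    if URL_CATEGORIES.get(pkt.get("host")) in URLF_BLOCKED:
        state_table.discard(key)
        return ("drop", 6)
    trace.extend(range(7, 15))   # Content Awareness, MAB, TP blades, re-encrypt
    return ("accept", 14)
```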