Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
valterj
Participant

fw ctl chain

Hi All.

 

Is it available some document or content about fw ctl chain outputs? I'd like to understant deeply all columns and fields (module, chain position, function pointer, mode, etc). The concept about chain modules is a bit complicated.

Regards. 

0 Kudos
9 Replies
HeikoAnkenbrand
Champion
Champion

Hi @valterj,

Unfortunately, there is no overview of the chain modules.
However, you can find some information in the CCTE training materials.

I have written a few articles on the new parameters. Maybe that will help you:
- R8x - Security Gateway Architecture (Logical Packet Flow)
- R80.20 - New FW Monitor inspection points
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor

You can also found more information here:
Performance Tuning R81 Administration Guide -> fw monitor 



0 Kudos
HeikoAnkenbrand
Champion
Champion

SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor"

There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).

SecureXL inbound (sxl_in)                 > Packet received in SecureXL from network
SecureXL inbound CT (sxl_ct)           > Accelerated packets moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out)            > Accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver)          > SecureXL transmits accelerated packet

There are more new chain modules in R80.20

vpn before offload (vpn_in)                > FW inbound preparing the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in)           > FW inbound that perform the offload

fw post VM inbound  (post_vm)          > Packet was not offloaded (slow path) - continue processing in FW inbound

---

There are new fw monitor inspection points  when a packet passes through a R80.20+ Security Gateway:

Inspection point Name of fw monitor inspection point Relation to firewall VM Available since version
i Pre-Inbound Before the inbound FireWall VM                            (for example, eth1:i) always
I Post-Inbound After the inbound FireWall VM                               (for example, eth1:I) always
id Pre-Inbound VPN Inbound before decrypt                                          (for example, eth1:id) R80.20
ID Post-Inbound VPN Inbound after decrypt                                             (for example, eth1:ID) R80.20
iq Pre-Inbound QoS Inbound before QoS                                               (for example, eth1:iq) R80.20
IQ Post-Inbound QoS Inbound after QoS                                                  (for example, eth1:IQ) R80.20
o Pre-Outbound Before the outbound FireWall VM                           (for example, eth1:o) always
O Post-Outbound After the outbound FireWall VM                              (for example, eth1:O) always

e

oe

Pre-Outbound VPN

Outbound before encrypt                                        (for example, eth1:e)    in R80.10

                                                                                (for example, eth1:oe)  in R80.20

R80.10

R80.20

E

OE

Post-Outbound VPN

Outbound after encrypt                                           (for example, eth1:E)    in R80.10

                                                                                (for example, eth1:OE)  in R80.20

R80.10

R80.20

oq Pre-Outbound QoS Outbound before QoS                                             (for example, eth1:oq) R80.20
OQ Post-Outbound QoS Outbound after QoS                                                (for example, eth1:OQ) R80.20

 

---

New in R80.20+:

In Firewall kernel (now also SecureXL), each kernel is associated with a key witch specifies the type of traffic applicable to the chain modul.

Key Function
ffffffff all packets
00000001 stateful mode
00000002 wire mode
00000003 all packets
00000000 SecureXL offloading

 

_Val_
Admin
Admin

I wonder where did you get this Heiko 🙂

HeikoAnkenbrand
Champion
Champion

I have changed it!
Sorry, copy and paste issue 😉

0 Kudos
_Val_
Admin
Admin

For example, if you add "fw monitor" chain hooks in a certain position, they will also appear as "fff...ff", which means, your understanding of that key is a guess. "00..01" is also just stateful mode, nothing else. "00..00" is indeed used to for re-injecting accelerated traffic back to SXL.

0 Kudos
the_rock
Authority
Authority

Heiko explained it better than anyone would...but sadly, there is no official CP document explaining the output of fw ctl chain as he stated.

Though, I did find below and it seems very informative:

FW CTL Chain explanation 

 

 

0 Kudos
HeikoAnkenbrand
Champion
Champion

A detailed description of the inspection points would be very helpful. Maybe is there a good PDF document or SK that Check Point can publish?

0 Kudos
_Val_
Admin
Admin

I appreciate your curiosity. The exact output is only relevant to kernel developers and TAC, and might only complicate things, but here is your answer:

  • First number - location of the module in the chain
  • Second number - pointer to the function in the chain
  • Third number - position, absolute numbers
  • Fourth number - in which mode this chain check:

1 – stateful mode

2 – wired mode

3 – all packets

fff...ff – al packets (same as 3)

 

 

0 Kudos
_Val_
Admin
Admin

Some additional info about the models themselves is here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Once again, unless you are debugging a support case, this is 90% irrelevant

0 Kudos