valterj
Contributor

fw monitor

Hi All.

 

Where can I find a document or content about fw monitor outputs? I'd like to understand more deeply all columns, and which represents each field (module, chain position, function pointer, mode, etc). 

Best Regards. 

Valter Junior

HeikoAnkenbrand
MVP Gold

Hi @valterj,

Unfortunately, there is no overview of the chain modules.
However, you can find some information in the CCTE training materials.

I have written a few articles on the new parameters. Maybe that will help you:
- R8x - Security Gateway Architecture (Logical Packet Flow)
- R80.20 - New FW Monitor inspection points
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor

You can also find more information here:
Performance Tuning R81 Administration Guide -> fw monitor 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Gold

SecureXL has been significantly revised in R80.20. It now works in user space. This has also led to some changes in "fw monitor".

There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine.

The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm).

SecureXL inbound (sxl_in)            > Packet received in SecureXL from network
SecureXL inbound CT (sxl_ct)         > Accelerated packets moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out)          > Accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver)       > SecureXL transmits accelerated packet

There are more new chain modules in R80.20

vpn before offload (vpn_in)          > FW inbound preparing the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in)      > FW inbound that performs the offload
fw post VM inbound (post_vm)         > Packet was not offloaded (slow path) - continue processing in FW inbound

---

There are new fw monitor inspection points  when a packet passes through a R80.20+ Security Gateway:

Inspection point   Name of fw monitor inspection point   Relation to firewall VM                                   Available since version
i                  Pre-Inbound                           Before the inbound FireWall VM (for example, eth1:i)      always
I                  Post-Inbound                          After the inbound FireWall VM (for example, eth1:I)       always
id                 Pre-Inbound VPN                       Inbound before decrypt (for example, eth1:id)             R80.20
ID                 Post-Inbound VPN                      Inbound after decrypt (for example, eth1:ID)              R80.20
iq                 Pre-Inbound QoS                       Inbound before QoS (for example, eth1:iq)                 R80.20
IQ                 Post-Inbound QoS                      Inbound after QoS (for example, eth1:IQ)                  R80.20
o                  Pre-Outbound                          Before the outbound FireWall VM (for example, eth1:o)     always
O                  Post-Outbound                         After the outbound FireWall VM (for example, eth1:O)      always
e                  Pre-Outbound VPN                      Outbound before encrypt (for example, eth1:e)             R80.10
oe                 Pre-Outbound VPN                      Outbound before encrypt (for example, eth1:oe)            R80.20
E                  Post-Outbound VPN                     Outbound after encrypt (for example, eth1:E)              R80.10
OE                 Post-Outbound VPN                     Outbound after encrypt (for example, eth1:OE)             R80.20
oq                 Pre-Outbound QoS                      Outbound before QoS (for example, eth1:oq)                R80.20
OQ                 Post-Outbound QoS                     Outbound after QoS (for example, eth1:OQ)                 R80.20

 

---

New in R80.20+:

In Firewall kernel (now also SecureXL), each kernel is associated with a key which specifies the type of traffic applicable to the chain module.

 

Key Function
ffffffff all packets
00000001 stateful mode
00000002 wire mode
00000003 all packets
00000000 SecureXL offloading
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Gold

Example for Client Side NAT flow:



[image: chain_example.PNG]

 

  • The packet that was sent to Server's NATed IP 172.16.0.100, arrives on the "Source/Client" side at the inbound interface eth0 of the Security Gateway (Pre-Inbound chains).
  • The packet passes the Security Policy rules (inside Virtual Machine).
  • If accepted, the connection is recorded in the Connections Table (Table ID 8158).
  • The packet is matched against NAT rules for the Destination. The packet is translated if a match is found - in this case, from IP 172.16.0.100 to IP 10.0.0.100.
  • The packet passes additional inspection (Post-Inbound chains).
  • The packet arrives at the TCP/IP stack of the underlying operating system, and is routed to the outbound interface eth1.
  • The packet goes through the outbound interface eth1 (Pre-Outbound chains).
  • The packet passes the Security Policy rules (inside Virtual Machine).
  • The packet is matched against NAT rules for the Source (if such rules exist). The packet is translated if a match is found - in this case, no translation occurs.
  • The packet passes additional inspection (Post-Outbound chains).
  • The packet leaves the Security Gateway machine.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
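The inspection point table and the client side NAT flow above can be put together in a small parser. The following is an added example, not code from this thread or from Check Point: it decodes the `iface:point` token of fw monitor output into the names and versions from the table, and compares the addresses seen at consecutive inspection points so that the destination rewrite between `:i` and `:I` (and the absence of a source rewrite between `:o` and `:O`) described in the NAT flow becomes visible. The capture lines are constructed; the parser assumes the `[vs_N][fw_N] eth0:i[60]: src -> dst (proto)` layout shown in them, with the `[vs_N][fw_N]` prefix optional for older releases.

```python
"""Decode fw monitor inspection points and follow a NATed packet through them.

Added example, not code from the thread or from Check Point. The inspection
point table is the one quoted above; the sample capture lines are constructed
and only assume the layout shown in them.
"""
import re

# Inspection point suffix -> (name, available since), taken from the table above.
INSPECTION_POINTS = {
    "i":  ("Pre-Inbound",       "always"),
    "I":  ("Post-Inbound",      "always"),
    "id": ("Pre-Inbound VPN",   "R80.20"),
    "ID": ("Post-Inbound VPN",  "R80.20"),
    "iq": ("Pre-Inbound QoS",   "R80.20"),
    "IQ": ("Post-Inbound QoS",  "R80.20"),
    "o":  ("Pre-Outbound",      "always"),
    "O":  ("Post-Outbound",     "always"),
    "e":  ("Pre-Outbound VPN",  "R80.10"),
    "oe": ("Pre-Outbound VPN",  "R80.20"),
    "E":  ("Post-Outbound VPN", "R80.10"),
    "OE": ("Post-Outbound VPN", "R80.20"),
    "oq": ("Pre-Outbound QoS",  "R80.20"),
    "OQ": ("Post-Outbound QoS", "R80.20"),
}

# Per-packet header line: "<iface>:<point>[<len>]: src -> dst (proto) ...".
# The "[vs_N][fw_N]" prefix is optional because older releases omit it.
# Assumption: this layout is what the constructed sample below uses.
PACKET_RE = re.compile(
    r"^(?:\[vs_(?P<vs>\d+)\]\[fw_(?P<fw>\d+)\]\s+)?"
    r"(?P<iface>[\w.-]+):(?P<point>[A-Za-z]{1,2})\[(?P<length>\d+)\]:\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<proto>\w+)\)"
)

# Constructed capture: client 192.168.1.50 sends to the server's NATed IP 172.16.0.100,
# which the gateway translates to the real IP 10.0.0.100 (the client side NAT flow above).
# The "TCP: ..." continuation lines are part of real output and are skipped by the parser.
SAMPLE_CAPTURE = """\
[vs_0][fw_0] eth0:i[60]: 192.168.1.50 -> 172.16.0.100 (TCP) len=60 id=1234
TCP: 51000 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth0:I[60]: 192.168.1.50 -> 10.0.0.100 (TCP) len=60 id=1234
TCP: 51000 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:o[60]: 192.168.1.50 -> 10.0.0.100 (TCP) len=60 id=1234
TCP: 51000 -> 80 .S.... seq=1a2b3c4d ack=00000000
[vs_0][fw_0] eth1:O[60]: 192.168.1.50 -> 10.0.0.100 (TCP) len=60 id=1234
TCP: 51000 -> 80 .S.... seq=1a2b3c4d ack=00000000
"""


def describe_point(point):
    """Map a suffix such as 'ID' to (name, available since); unknown suffixes are flagged."""
    return INSPECTION_POINTS.get(point, ("unknown inspection point", "?"))


def parse_line(line):
    """Parse one packet header line into a dict, or return None for any other line."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["where"] = f'{rec["iface"]}:{rec["point"]}'
    rec["point_name"], rec["since"] = describe_point(rec["point"])
    return rec


def parse_capture(text):
    """Parse a whole capture, keeping only the per-packet header lines in capture order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def address_rewrites(records):
    """Return (from_point, to_point, field, before, after) wherever src or dst changed
    between consecutive inspection points. A dst change between :i and :I is destination
    NAT in the inbound VM; a src change between :o and :O is source NAT in the outbound VM."""
    changes = []
    for prev, cur in zip(records, records[1:]):
        for field in ("src", "dst"):
            if prev[field] != cur[field]:
                changes.append((prev["where"], cur["where"], field, prev[field], cur[field]))
    return changes


if __name__ == "__main__":
    records = parse_capture(SAMPLE_CAPTURE)
    for rec in records:
        print(f'{rec["where"]:8} {rec["point_name"]:18} since {rec["since"]:7} '
              f'{rec["src"]} -> {rec["dst"]}')
    for frm, to, field, before, after in address_rewrites(records):
        print(f"{field} rewritten between {frm} and {to}: {before} -> {after}")
```

Run against a real capture (for example, the output of `fw monitor -e "accept host(172.16.0.100);"` saved to a file), the rewrite report tells you on which side of which VM a translation happened, which is usually the question when a NAT rule seems not to match.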
