What traffic does Gateway scan first, FW, IPS, threat etc ?


Hi All

On a Check Point firewall, how is the traffic processed? Does it look at the Firewall rules first, then pass to IPS, then Threat Prevention etc.? Or are they all scanned at the same time?

Also, what about if you used the URL Filtering blade, would you still need to allow a rule to anywhere under the Firewall, then use the URL Filtering to lock down to URLs?



Accepted Solutions
3 Replies
Logically, you can think of Access Control functions (e.g. firewall, APCL/URLF) happening before Threat Prevention functions (e.g. IPS, Anti-Bot, Threat Emulation).
However, the same engines underlie almost all these functions, and connections are continually scanned against them.
How this might be represented in your policy depends on how you are leveraging policy layers and/or if we're talking about pre-R80 gateways.

When teaching the CCSA class and covering ordered vs. inline layers, I use the following simplified order of operations to provide insight into how ordered layers are handled on R77.30 and earlier gateways, then map it into how these layers are represented in the Security Policies tab of the R80+ SmartConsole. Sites that are upgraded into R80+ management start with their existing policies defined as ordered layers, which tends to be the case for most class attendees.

Keep in mind this list is used solely for discussing and understanding ordered layers in an introductory-level class and glosses over a LOT of internal details that are covered in Heiko's excellent article. Some items on this list are executed by the gateway simultaneously, particularly elements of the Threat Prevention blades. This list assumes that all possible blades are enabled (except QoS) and does not take SecureXL into account at all. Packets that reach the end of the list without being dropped at one of these steps will successfully exit the firewall towards their destination. So with all the caveats laid out, here it is:

Shadow Peak Policy Layers and Order of Operations - Ordered Layers

(packet arrives)

0) Antispoofing check via Firewall interface topology settings

1) Geo Policy

2) State table lookup - existing connection? If so, jump to #5, otherwise go to #3

***Network Access Control
(inspect first packet of new connection - usually TCP SYN)

3) Firewall/Network Layer based on IP Address & Ports - Should we let the connection start?

4) NAT Policy - How should this connection be NATed?

(TCP three-way handshake completes)

5) HTTPS Inspection/IPSec VPN - need to decrypt?

6) APCL/URLF - Inspect data flow: Is this an allowed application or URL category?

7) Content Awareness - Is the permitted application/category carrying prohibited data types?

8) Mobile Access Blade - Is this a Mobile Access VPN Connection, if so any additional restrictions?

***Threat Prevention
9) IPS: Does the inspected traffic contain any known attacks against clients and/or servers?

10) Anti-Bot: Does the inspected traffic exhibit signs of host compromise?

11) Anti-virus: Does the inspected traffic contain known malware/viruses?

12) Sandblast: Threat Extraction - Strip all active content and deliver a sanitized copy

13) Sandblast: Threat Emulation - Detonate unknown executables in a sandbox and watch for carnage

14) HTTPS Inspection/IPSec VPN - need to encrypt?


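To make the ordering in the list above concrete, and to show why the original question about URL Filtering is really a question about step order, here is an added toy walk-through of that list. It is an illustration written for this thread, not code from the reply's author or from Check Point: a packet is pushed through the numbered steps in the order given, and the first step that makes a final decision is reported. The interface topology, addresses, firewall rules and URL categories are constructed sample data, and NAT, decryption, Content Awareness and the Threat Prevention blades are represented only as pass-through steps.

```python
"""Toy walk-through of the ordered-layer list above (added illustration,
not Check Point code). A packet is pushed through the numbered steps in
the order the list gives, and the first step that makes a final decision
is reported. Interfaces, addresses, rules and URL categories are
constructed sample data; NAT, decryption, Content Awareness and the
Threat Prevention blades are represented only as pass-through steps."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    src_country: str = "US"
    url_category: Optional[str] = None   # only known once a data flow exists


# Constructed policy objects (sample data, not a real gateway's policy).
TOPOLOGY = {"internal": "10.0.0.", "external": "203.0.113."}  # iface -> expected src prefix
GEO_BLOCKED = {"XX"}                                         # placeholder country code
FIREWALL_RULES = [                                           # first match wins
    ("10.0.0.", "any", 443, "accept"),
    ("10.0.0.", "any", 80, "accept"),
    ("any", "any", None, "drop"),                            # cleanup rule
]
URLF_BLOCKED = {"Gambling", "Malware"}


def fw_lookup(p: Packet) -> str:
    """Step 3: IP/port match against the ordered firewall layer."""
    for src, dst, port, action in FIREWALL_RULES:
        if (src == "any" or p.src.startswith(src)) and \
           (dst == "any" or p.dst.startswith(dst)) and \
           (port is None or port == p.dport):
            return action
    return "drop"


class OrderedLayerGateway:
    def __init__(self):
        self.state_table = set()          # step 2: known connections

    def process(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, deciding step) for one packet."""
        key = (p.src, p.dst, p.dport)
        if not p.src.startswith(TOPOLOGY[p.in_iface]):
            return "drop", "0 antispoofing"
        if p.src_country in GEO_BLOCKED:
            return "drop", "1 geo policy"
        if key not in self.state_table:            # step 2: new connection?
            if fw_lookup(p) != "accept":           # step 3: firewall layer
                return "drop", "3 firewall layer"
            self.state_table.add(key)              # step 4 (NAT) would be applied here
        # Existing connections jump straight to step 5 onward.
        if p.url_category in URLF_BLOCKED:         # step 6: APCL/URLF on the data flow
            return "drop", "6 APCL/URLF"
        return "accept", "14 exit"                 # steps 7-13 pass through in this model


def demo():
    """Four constructed packets showing which step decides each one."""
    gw = OrderedLayerGateway()
    syn = Packet("10.0.0.5", "198.51.100.7", 443, "internal")
    data = Packet("10.0.0.5", "198.51.100.7", 443, "internal", url_category="Gambling")
    smtp = Packet("10.0.0.5", "198.51.100.7", 25, "internal", url_category="Gambling")
    spoofed = Packet("10.0.0.9", "198.51.100.7", 443, "external")
    return [gw.process(syn), gw.process(data), gw.process(smtp), gw.process(spoofed)]


if __name__ == "__main__":
    for verdict, step in demo():
        print(f"{verdict:6} at step {step}")
```

The four packets land at different steps: the SYN to port 443 passes the firewall layer and exits, the later data packet on that same connection skips the firewall lookup (state table hit) and is dropped by URL Filtering, the SMTP connection is dropped by the firewall layer before URL Filtering ever sees a category, and the packet arriving on the wrong interface never gets past antispoofing. That is the point behind the second question: in this ordering a connection has to be let through at step 3 before step 6 can lock it down by URL category.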