Timothy_Hall
All the capture examples you gave are of traffic terminating at the firewall itself on port 4434 (not transiting to someplace like the Internet). I know this because the IP addresses you are using are standard for an Authorized Training Center training lab. Do you see these extra letters for traffic transiting the firewall to someplace like the Internet? My guess is you won't.

Theory 1: Some kind of NIC offloading or other kind of hardware acceleration is being indicated by these extra letters. What is the driver type on the interface you took the captures on (ethtool -i)? This could be possible if you are using the Mellanox/Lightspeed cards. I don't see these extra letters in my fw monitor -e captures for the same kind of traffic in my training lab on R81.20 T26 (or R81.20 GA) with the vmxnet3 driver.

Theory 2: All traffic terminating at the firewall itself must be handled in the slowpath and is ineligible for any kind of acceleration. In the old days when the fwmonitor chain module was inserted in the list of modules it was right at the top. However, in R80.20+, SecureXL has its own "chain modules" now and as a result you can see the "i" fwmonitor has been pushed way down to number 12, so all kinds of things can happen prior to the "i" capture point. Normally slowpath traffic must go through all chain modules. But for the special case of traffic terminating at the gateway itself I'm wondering if the extra letter is indicating where a "skip" of chain modules ended, or more precisely which chain module the fwmonitor module received it from (or sent it to), using the hexatrigesimal numbering system Bob mentioned. There is no point in going through the SecureXL-based chain modules (and a few others) for non-transiting traffic to and from the firewall itself. So either this "skip" is some new optimization, or it has always been happening in past versions but fw monitor has now been updated to show us what is happening, because fwmonitor is so far from the "top" of the chain module sequence now and so much can happen before that "i" point (and others).

Or that second theory could be totally wrong; it is just a guess.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com