Timothy_Hall
Legend

Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing.  Unaccelerated packets that are permitted through the firewall will cross all four capture points.  Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:

Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module.  The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:

  • Inbound Anti-spoofing
  • Geo Policy
  • HTTPS/VPN decryption
  • Connections state table lookups
  • Access Control policy layer evaluation
  • Destination IP NAT
  • Threat Prevention policy layer evaluation

Between "I" and "o" the Gaia IP driver performs routing.

Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:

  • Outbound Anti-spoofing
  • HTTPS/VPN encryption
  • Source IP NAT

Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
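An added troubleshooting example (not part of Timothy's post or of Check Point's tooling) that applies the iIoO model to fw monitor output: for each packet it reports the furthest capture point reached and maps that to the stage of the Firewall Path where the packet stopped. It assumes the usual fw monitor header-line shape (interface:point[length]: src -> dst ... id=N) and uses a constructed sample capture; the IP id is used as the key because source and destination addresses change across NAT between the capture points.

```shell
#!/bin/sh
# Added example, not code from the original post. Given fw monitor output, report the
# furthest of the four capture points (i, I, o, O) each packet reached, keyed on the
# IP id field because src/dst addresses change across NAT between points.
# Only meaningful for unaccelerated (Firewall Path / F2F) traffic, as the post explains.

last_capture_point() {
  awk '
    BEGIN { rank["i"] = 1; rank["I"] = 2; rank["o"] = 3; rank["O"] = 4 }
    # Header lines look like "[vs_0][fw_0] eth1:i[52]: 192.0.2.10 -> 198.51.100.20 (TCP) len=52 id=1"
    match($0, /[A-Za-z0-9.]+:[iIoO][[][0-9]+]:/) {
      hdr = substr($0, RSTART, RLENGTH)
      split(hdr, parts, ":")
      point = substr(parts[2], 1, 1)          # capture point letter: i, I, o or O
      if (!match($0, /id=[0-9]+/)) next       # no IP id, cannot correlate the packet
      id = substr($0, RSTART + 3, RLENGTH - 3)
      if (rank[point] > best[id]) { best[id] = rank[point]; last[id] = point }
    }
    END {
      for (id in best) {
        p = last[id]
        if (p == "O") v = "forwarded: crossed all four capture points"
        else if (p == "o") v = "dropped between o and O (outbound anti-spoofing, encryption, source NAT)"
        else if (p == "I") v = "stopped between I and o (Gaia IP driver routing)"
        else v = "dropped between i and I (inbound inspection: anti-spoofing, policy, destination NAT, Threat Prevention)"
        printf "id=%s last=%s %s\n", id, p, v
      }
    }' | sort -t= -k2,2n
}

# Constructed sample capture (not real data): id=1 crosses all four points and is hide-NATed
# after "o"; id=2 is seen only at "i" (inbound drop); id=3 reaches "o" but never "O".
SAMPLE_CAPTURE='[vs_0][fw_0] eth1:i[52]: 192.0.2.10 -> 198.51.100.20 (TCP) len=52 id=1
TCP: 40001 -> 443 .S.... seq=01020304 ack=00000000
[vs_0][fw_0] eth1:I[52]: 192.0.2.10 -> 198.51.100.20 (TCP) len=52 id=1
TCP: 40001 -> 443 .S.... seq=01020304 ack=00000000
[vs_0][fw_0] eth2:o[52]: 192.0.2.10 -> 198.51.100.20 (TCP) len=52 id=1
TCP: 40001 -> 443 .S.... seq=01020304 ack=00000000
[vs_0][fw_0] eth2:O[52]: 203.0.113.7 -> 198.51.100.20 (TCP) len=52 id=1
TCP: 40001 -> 443 .S.... seq=01020304 ack=00000000
[vs_0][fw_0] eth1:i[52]: 192.0.2.11 -> 198.51.100.21 (TCP) len=52 id=2
TCP: 40002 -> 23 .S.... seq=0a0b0c0d ack=00000000
[vs_0][fw_0] eth1:i[52]: 192.0.2.12 -> 198.51.100.22 (TCP) len=52 id=3
[vs_0][fw_0] eth1:I[52]: 192.0.2.12 -> 198.51.100.22 (TCP) len=52 id=3
[vs_0][fw_0] eth2:o[52]: 192.0.2.12 -> 198.51.100.22 (TCP) len=52 id=3'

# Run the triage on the sample; on a gateway you would pipe saved fw monitor output instead.
triage_sample() { printf '%s\n' "$SAMPLE_CAPTURE" | last_capture_point; }
triage_sample
```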
