Could you please advise which chain module is enforcing security policy on the GW for the unified policy case? Is it only the UP chain? What are the roles of the fw VM chains in an R80 GW?
There is no new chain module for Unified Policy.
Unified Policy is enforced for first packet in the VM chain module (where security rule base was enforced before).
Since the Unified Policy rulebase might not be finally matched on SYN packets, subsequent rulebase execution will be done in various parser contexts (blade dependent, e.g. HTTP_1ST_RESPONSE for the Application Control blade).
Thanks, Oded Bergman, indeed there is no chain module named UP. My original question was badly worded.
Please allow me to rephrase. There is a new kernel debug module UP. If my understanding is correct, it can print out kernel decisions related to enforcement of Unified Policies. Could you please advise if it is related to fw VM or also other chain modules?
Apparently this question was not answered, so I'm unmarking it from being correct.
Yes, the question is not answered. Thanks, Tomer.
UP is a new module including its own kernel debug flags.
UP debug in the kernel includes Unified Rulebase executions and enforcement.
Regarding chain modules, the only chain module UP is being executed from is the VM chain module.
Thanks a lot. One last question. Does it complement the regular stateful inspection / rule base enforcement or replace it completely? I can see rule base match effort in the debug output, and it is quite different from the usual one for fw VM. Just trying to make sense out of it.
UP (Unified Policy) module replaces the inspect rulebase (with the same and extra capabilities).
Thanks Tal, that is VERY interesting. Why then can I still see the fw module in the fw ctl debug output? UP should replace it, according to your answer.
Why is it still there?
fw module debug flags include a lot of debugging unrelated to rulebase execution and enforcement (NAT debugs, for example).
Tal Ben Avraham,
I remember you were saying that new connection module UnifiedPolicy was added which is executed from the fw VM.
[Expert@luka-eye]# fw ctl conn -a
Installed connections modules:
No. Name Used Newconn Packet End Reload Dup Type Dup Handler
Connectivity level 0:
0: Accounting yes 0: Accounting 00000000 00000000 f549e5d0 00000000 Special f549f500
1: Authentication yes 1: Authentication f568b4b0 00000000 00000000 00000000 Special f568ba00
2: AutoTopology no 2: AutoTopology 00000000 00000000 00000000 00000000 None
3: CPAS yes 3: CPAS 00000000 00000000 f5911af0 00000000 None
4: FG-1 no 4: FG-1 00000000 00000000 00000000 00000000 None
5: FWconn_stats no 5: FWconn_stats 00000000 00000000 00000000 00000000 None
6: ISP-Redundancy no 6: ISP-Redundancy 00000000 00000000 00000000 00000000 None
7: IcmpTunnel no 7: IcmpTunnel 00000000 00000000 00000000 00000000 None
8: NAC yes 8: NAC f5af4720 00000000 00000000 00000000 Save
9: NAT yes 9: NAT 00000000 00000000 f5638360 00000000 Special f5638a90
10: PSL yes 10: PSL 00000000 00000000 f5702ef0 f56fe690 None
11: RTM no 11: RTM 00000000 00000000 00000000 00000000 None
12: RTM2 no 12: RTM2 00000000 00000000 00000000 00000000 None
13: SPII yes 13: SPII f56aea40 00000000 f56b2ed0 f56b33c0 None
14: SeqVerifier yes 14: SeqVerifier f54edea0 00000000 00000000 f54e8de0 Special f54edf50
15: SynDoSDefender no 15: SynDoSDefender 00000000 00000000 00000000 00000000 None
16: UnifiedPolicy yes 16: UnifiedPolicy f5efda00 00000000 f5efd620 00000000 Special f5efcfd0
17: VPN yes 17: VPN f5c94040 00000000 f5c7d330 00000000 Special f5c72ae0
Hope it will help to understand the flow.
Tal, what is a connection module? Any documentation reference?
Above statement is not accurate.
UnifiedPolicy (UP) is indeed a connection module. Generally, this means it saves information in the connection table.
It has nothing to do with the position (chain module) the rulebase is being executed.
Security policy is enforced by the VM chain module (as in previous versions).
In cases where the rulebase requires data inspection (e.g. an Applicative rulebase) there will be a first execution of the rulebase in the VM chain module, followed by additional rulebase executions triggered by parsers when connection data (i.e. TCP/UDP payload) is inspected.