Moti Sagey

Check Point Threat Prevention Packet Flow and Architecture

Discussion created by Moti Sagey Moderator on Apr 25, 2017
Latest reply on Sep 28, 2017 by Moti Sagey

Check Point Security Gateway Architecture and Packet Flow


This document describes the packet flow in a Check Point Next Generation Threat Prevention gateway. Stateful inspection, network and port address translation (NAT), Virtual Private Network (VPN) functions and forwarding are applied per-packet on the inbound and outbound interfaces of the device. State-related information is extracted from packets and maintained in dynamic state tables to evaluate subsequent connection attempts. When possible, throughput and session rate are accelerated by a security acceleration (SecureXL) module.


Session-based processing enforces advanced access control and threat detection and prevention capabilities. To do this we assemble packets into a stream, parse the stream for relevant content and then security modules (Software Blades) inspect the content. When possible, a common pattern matcher does simultaneous inspection of the content for multiple security modules. In multi-core systems this processing is distributed amongst the cores to provide near linear scalability on each additional core.


Security modules use a local cache to detect known threats. This local cache is backed up with real-time lookups of an online cloud service. The result of cloud lookups are then cached in the kernel for subsequent lookups. Cloud assist also enhances unknown threat detection and prevention. In particular a file whose signature is not known in a local cache is sent to our sandbox cloud service for processing where compute, disk and memory are virtually unlimited. Our sandboxing technology, SandBlast Threat Emulation, identifies threats in their infancy before malware has an opportunity to deploy and evade detection. If the protocol requires immediate delivery as is the case with HTTP/S, we extract active content from the file and deliver only safe content to the user while the emulation happens in the background. Newly discovered threats are sent to the cloud database to protect other Check Point connected gateways.


Security is applied at every layer and networking, policy lookup, protocol decoding, and content security is performed only once.


Content for this document came from the following SecureKnowledge articles. More information is available in the SKs.


source: sk116255