Bob Bent

Unified Policy Column-based Rule Matching

Discussion created by Bob Bent Expert on Nov 7, 2017
Latest reply on Oct 24, 2018 by Brian Deutmeyer

Under the hood in R77 the policy matching process for Application Control, Anti-Malware, DLP (Data Loss Prevention) and NAT (Network Address Translation) is done using a column-based search process. In R80.10 this process is now used to match the connection against the unified policy. The resulting match is still the first rule to match from the top down. This has not changed. Only the process for finding the match has changed.


For example, consider a firewall policy with service objects defined in the Services & Applications column trying to match an SMTP connection. We match the SYN packet in the three-way handshake. The search order is:

  • Destination column
  • Source column
  • Service column

We search each column in the policy. At the end of the search we update a matched rules array. In each pass some rules can be eliminated from the matched rules array. When the rule base is large, this results in a more efficient matching process.


Consider a policy with only the firewall enabled and the rulebase match of the initial SYN packet in the TCP three-way handshake from a client at 192.168.169.1 connecting to the SMTP service listening on port 25 of a mail server at 192.168.170.1.


In the destination column pass of rules 1 through 6, rules 1, 2 and 3 are eliminated from the matched rules array.

[Image: Unified Policy Destination Column Pass]

In the source column pass of rules 1 through 6, rules 4 and 5 are still possible matches in the matched rules array.

[Image: Unified Policy Source Column Pass]

In the service column pass of rules 1 through 6, rule 4 is eliminated from the matched rules array and rule 5 is a final match.

[Image: Unified Policy Service Column Pass]
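To make the three passes above concrete, here is an added example that is not part of the original post and not Check Point code. It implements the column-based search as described: one pass per column in the order destination, source, service, each pass eliminating rules from a "matched rules array", with the lowest-numbered survivor as the final match. The six-rule policy is constructed for this example so that the trace reproduces the post's narrative (rules 1 to 3 dropped in the destination pass, rules 4 and 5 surviving the source pass, rule 5 the final match); it is not the rulebase shown in the post's images. A naive top-down scan is included to show that both methods return the same rule.

```python
"""Column-based rule matching, illustrated (added example, not Check Point code).

Each rule has a source, a destination and a service column. The matcher walks
one column at a time over the whole rulebase, keeping a "matched rules array"
of rules that are still possible, and removes every rule whose column value does
not cover the connection. Whatever survives all passes is matched top-down: the
lowest-numbered survivor is the final match.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    number: int
    source: str       # CIDR or "Any"
    destination: str  # CIDR or "Any"
    service: str      # "proto/port" or "Any"
    action: str


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _net_covers(column_value: str, addr: str) -> bool:
    return column_value == ANY or ip_address(addr) in ip_network(column_value, strict=False)


def _service_covers(column_value: str, conn: Connection) -> bool:
    if column_value == ANY:
        return True
    proto, port = column_value.split("/")
    return proto == conn.proto and int(port) == conn.dport


# Search order from the post: destination first, then source, then service.
COLUMN_ORDER = ("destination", "source", "service")


def _column_covers(rule: Rule, column: str, conn: Connection) -> bool:
    if column == "destination":
        return _net_covers(rule.destination, conn.dst)
    if column == "source":
        return _net_covers(rule.source, conn.src)
    return _service_covers(rule.service, conn)


def column_match(rules: List[Rule], conn: Connection
                 ) -> Tuple[Optional[int], Dict[str, Tuple[List[int], List[int]]]]:
    """Return (final match rule number or None, per-column trace).

    The trace maps each column to (rules eliminated in that pass, rules still
    possible after it), mirroring the post's walkthrough.
    """
    candidates = [r.number for r in rules]  # matched rules array, in policy order
    trace: Dict[str, Tuple[List[int], List[int]]] = {}
    for column in COLUMN_ORDER:
        eliminated = [r.number for r in rules
                      if r.number in candidates and not _column_covers(r, column, conn)]
        candidates = [n for n in candidates if n not in eliminated]
        trace[column] = (eliminated, list(candidates))
    # Surviving rules are still ordered top-down, so the first one is the match.
    return (candidates[0] if candidates else None), trace


def top_down_match(rules: List[Rule], conn: Connection) -> Optional[int]:
    """Reference: naive first-match scan, one rule at a time, all columns at once."""
    for r in rules:
        if all(_column_covers(r, c, conn) for c in COLUMN_ORDER):
            return r.number
    return None


# Constructed six-rule policy (hypothetical; chosen to reproduce the post's trace).
POLICY = [
    Rule(1, ANY, "10.0.0.0/8", ANY, "drop"),
    Rule(2, ANY, "192.168.171.0/24", "tcp/80", "accept"),
    Rule(3, ANY, "172.16.0.0/12", ANY, "accept"),
    Rule(4, "192.168.169.0/24", "192.168.170.0/24", "tcp/443", "accept"),
    Rule(5, "192.168.169.0/24", "192.168.170.1/32", "tcp/25", "accept"),
    Rule(6, "10.1.0.0/16", ANY, ANY, "accept"),
]

# The SYN from the post: client 192.168.169.1 to the mail server 192.168.170.1, tcp/25.
SYN = Connection("192.168.169.1", "192.168.170.1", "tcp", 25)

if __name__ == "__main__":
    final, trace = column_match(POLICY, SYN)
    for column, (gone, left) in trace.items():
        print(f"{column:>11} pass: eliminated {gone}, still possible {left}")
    print("final match: rule", final, "->", POLICY[final - 1].action)
    assert final == top_down_match(POLICY, SYN)
```

Running the block prints the destination pass eliminating rules 1, 2 and 3, the source pass eliminating rule 6 and leaving 4 and 5, and the service pass eliminating rule 4, so rule 5 is the final match. The per-pass elimination is where the efficiency comes from on a large rulebase: each later pass only evaluates rules still in the array.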

For those who are familiar with Check Point chain modules, there isn’t a new Unified Policy chain module. The Unified Policy is enforced for the first packet in the VM chain module where the security rulebase was enforced before. In a Unified Policy rulebase with Application Control and Content Awareness enabled and a more complex policy there may not be a final match on the SYN packet. The rulebase will be executed on parser contexts in subsequent packets.


In Classifying Traffic to Match Unified Policy Column Objects we'll cover a more complex example like that one, using an example rulebase similar to the R80.10 online help rulebase matching example 3.
