How packet flows in Checkpoint firewall?

Checkpoint process the packet in the ingress and the egress using two CHAINS.


-Physical layer – ingress interface
-Data Link Layer/Ethernet
-Inspect Driver [inspect Engine] -Network Layer/IP Routing
-Inspect Driver
-Data Link Layer/Ethernet
-Physical layer – egress interface


1. NIC hardware
-The network card receives electrical signalling from the link partner.

2. NIC driver
-Sanity checks
-The NIC hardware decodes the signal and passes it to the operating system’s NIC driver via the PCI bus
-The frame is converted to an mbuf entry and the frame headers are stored for later use.
-NIC driver hands off the data to the operating system’s mbuf memory space

3. Operating system IP protocol stack
-The OS performs sanity checks on the packet
-Hand off to SXL if enabled, or to Firewall Kernel if not

4. SecureXL (if enabled)
-SXL lookup is performed, if it matches, bypass the firewall kernel and proceed with (Operating system IP protocol stack, outbound side)

5. Firewall Kernel (inbound processing)
-FW Monitor starts here (so, perhaps you need to disable secureXL [fwaccel off CAUTION] … )
-Connection state lookups, some protocol inspection, rulebase processing, antispoofing lookups etc
-Processing order can be seen via fw ctl chain
-Bypass complex inspection if not needed

6. Complex protocol inspection (AV is an example)
-Leave the kernel and process under userland.
-Enters back at this same stage if the traffic passed

(inbound processing stops here)

(outbound processing starts here)

7. Firewall Kernel
-Route lookup
-Check Point sanity checks etc
-FW Monitor ends here
-Pass to operating system

8. Operating system IP protocol stack
-The OS performs sanity checks on the packet
-Pass the mbuf to the NIC driver for the appropriate outbound interface

9. NIC driver
-Tag the packet as an ethernet frame by adding MAC addresses for source and destination

10. NIC hardware
-The NIC hardware encodes the signal and transmits it via wire