Checkpoint traffic flow

Check Point Firewall Packet Flow

There are many SKs (Check Point knowledge-base articles) and diagrams available on the internet as well as on the Check Point portal describing the packet flow of a Check Point firewall. However, most Check Point SKs provide a single diagram, which can be hard to follow. This document explains packet flow step by step with the help of diagrams, making it easier to grasp the logical flow of packets through a Check Point firewall.

Any suggestions for improvement are most welcome.

Basic Packet Flow

The diagram below outlines the basic packet flow through a Check Point firewall:

1. Packet received on the Ingress Interface

2. Stateless Inspection

3. SecureXL processing

4. Firewall Rule Base inspection

5. NAT (Network Address Translation) processing

6. Content Inspection

7. Route Lookup

8. Packet forwarded to the Egress Interface


Content Inspection

Content Inspection is a complex process in a Check Point firewall, involving multiple security blades that perform various checks on packets. These security blades include:

· URL Filtering

· Anti-Bot

· Application Control

· Antivirus Scanning

· Threat Prevention

Each blade inspects traffic based on policies defined by the administrator. Content Inspection ensures that malicious content is detected and blocked before reaching the internal network.


CoreXL and Acceleration Path

Before CoreXL was introduced (pre-R65 versions), firewall policy inspection was performed using a single CPU core. This created a bottleneck, leading to performance limitations. To leverage multi-core platforms and improve efficiency, SecureXL and CoreXL were introduced.

SecureXL

SecureXL offloads security decision processing and VPN encryption to dedicated computation resources, either on separate CPU cores or dedicated hardware components. SecureXL enables packet acceleration, allowing certain connections to bypass the firewall kernel partially or completely.

CoreXL

CoreXL allows multiple CPU cores to handle different aspects of firewall operations, improving scalability and performance. Taking Content Inspection into account, packet flow through a security gateway can be classified into three distinct paths:

1. Firewall (FW) Path

2. Accelerated Path

3. Medium Path


Firewall (FW) Path

When acceleration is not possible or is disabled, each packet in the connection passes through the Firewall Kernel Inspection and sometimes through the Content Inspection block, if required by the policy. This is the most resource-intensive path but ensures complete inspection.

Accelerated Path

Also known as the Fast Path, the Accelerated Path is used when a connection can be fully processed by SecureXL. When active, all packets within the connection bypass the Firewall Kernel and Content Inspection, significantly improving performance.

Medium Path

The Medium Path is a hybrid mode, where the connection setup (TCP handshake) is accelerated using SecureXL, while the actual data flow is processed through the Content Inspection block.

The flow in the Medium Path follows this sequence:

1. TCP Handshake (SYN, SYN-ACK, ACK) – Fully accelerated using SecureXL.

2. Data Flow – Processed by a firewall worker instance (FWK) for Content Inspection.

3. Connection Termination (RST, FIN, FIN-ACK) – Handled by SecureXL, as they do not contain any data requiring inspection.

This approach balances security with performance, ensuring content-based security checks are applied without unnecessarily impacting overall network throughput.
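Added here as an illustrative model, not Check Point code: a small Python simulation that applies the three path rules above to a constructed packet trace of one TCP connection and shows how many packets of that same connection reach a firewall worker (FWK) under the FW, Accelerated and Medium paths. Treating payload-less ACKs inside the data flow the same way as the handshake and teardown segments (left in SecureXL) is an assumption of the model, not something the text states.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Packet:
    flags: str        # TCP flags, e.g. "SYN", "SYN-ACK", "ACK", "FIN-ACK", "RST"
    payload_len: int  # bytes of application data carried by the segment

def handler_for(packet: Packet, path: str) -> str:
    """Return which engine processes one packet under a given path.

    FW          : every packet goes through the firewall kernel (FWK).
    Accelerated : every packet stays in SecureXL, bypassing the kernel.
    Medium      : handshake and termination segments stay in SecureXL;
                  only segments carrying data go to an FWK instance for
                  Content Inspection.
    """
    if path == "FW":
        return "FWK"
    if path == "Accelerated":
        return "SecureXL"
    if path == "Medium":
        # Assumption of this model: any segment without payload (handshake,
        # teardown, bare ACKs) has nothing to inspect and stays in SecureXL.
        return "FWK" if packet.payload_len > 0 else "SecureXL"
    raise ValueError(f"unknown path: {path!r}")

def dispatch(packets: List[Packet], path: str) -> Dict[str, int]:
    """Count how many packets of a connection each engine handles."""
    counts = {"SecureXL": 0, "FWK": 0}
    for pkt in packets:
        counts[handler_for(pkt, path)] += 1
    return counts

# Constructed trace of one short HTTP-style connection (not a real capture).
SAMPLE_CONNECTION = [
    Packet("SYN", 0), Packet("SYN-ACK", 0), Packet("ACK", 0),     # handshake
    Packet("PSH-ACK", 120),                                        # request
    Packet("PSH-ACK", 800),                                        # response
    Packet("FIN-ACK", 0), Packet("FIN-ACK", 0), Packet("ACK", 0),  # teardown
]

if __name__ == "__main__":
    for path in ("FW", "Accelerated", "Medium"):
        print(f"{path:12s} {dispatch(SAMPLE_CONNECTION, path)}")
```

Running it shows that under the Medium Path only the two data-carrying segments of the eight-packet connection are handed to an FWK instance, while the FW path sends all eight.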
