SECTION 1: OVERVIEW
- 2.1 PACKET PARSING
- 2.2 TUNNEL DECAPSULATION
- 2.3 IP DEFRAGMENTATION
SECTION 3: FIREWALL SESSION LOOKUP
- 3.1. ZONE PROTECTION CHECKS
- 3.2. TCP STATE CHECK
- 3.3. FORWARDING SETUP
- 3.4. NAT POLICY LOOKUP
- 3.5. USER- ID
- 3.6. DOS PROTECTION POLICY LOOKUP
- 3.7. SECURITY POLICY LOOKUP
- 3.8. SESSION ALLOCATION
SECTION 4: FIREWALL SESSION FAST PATH
- SECURITY PROCESSING
- CAPTIVE PORTAL
Section 1: Overview
Section 2: Ingress Stage
Note : During packet processing, the firewall may discard a packet because of a protocol violation. In certain cases, due to firewall attack prevention features, it discards packets without configurable options. Section 2.1 enumerates such cases when the firewall discards packets at this stage .
2.1 Packet Parsing
The ingress port, 802.1q tag, and destination MAC address are used as keys to lookup the ingress logical interface. If the interface is not found, the packet is discarded. The hardware interface counter “receive error” and global counter “flow_rcv_dot1q_tag_err” are incremented.
Next, the IP header is parsed (Layer-3).
- Mismatch of Ethernet type and IP version
- Truncated IP header
- IP protocol number 0
- TTL zero
- Land attack
- Ping of death
- Martian IP address
- IP checksum errors
- Mismatch of Ethernet type and IP version
- Truncated IPv6 header
- Truncated IP packet (IP payload buffer length less than IP payload field)
- JumboGram extension (RFC 2675)
- Truncated extension header
- TCP header is truncated.
- Data – offset field is less than 5
- Checksum error
- Port is zero
- Invalid combination of TCP flags
- UDP header truncated
- UDP payload truncated (not IP fragment and UDP buffer length less than UDP length field)
- Checksum error
2.2 Tunnel Decapsulation
- The firewall decapsulates the packet first and discards it if errors exist.
- The tunnel interface associated with the tunnel is assigned to the packet as its new ingress interface and then the packet is fed back through the parsing process, starting with the packet header defined by the tunnel type. Currently, the supported tunnel types are IP layer tunneling, thus packet parsing (for a tunneled packet) starts with the IP header.
2.3 IP Defragmentation
Section 3: Firewall Session Lookup
- Source and destination addresses: IP addresses from the IP packet.
- Source and destination ports: Port numbers from TCP/UDP protocol headers. For non-TCP/UDP, different protocol fields are used (e.g. for ICMP the ICMP identifier and sequence numbers are used, for IPSec terminating on device the Security Parameter Index (SPI) is used, and for unknown, a constant reserved value is used to skip Layer-4 match).
- Protocol: The IP protocol number from the IP header is used to derive the flow key .
- Security zone: This field is derived from the ingress interface at which a packet arrives.
Firewall Session Setup
ewall performs the following steps to set up a firewall session :
3.1. Zone Protection Checks
3.2. TCP State Check
- The seed to encode the cookie is generated via random number generator each time the data plane boots up.
- If an ACK packet received from the client does not match cookie encoding, it treats the packet as non-SYN packet .
- A session that passes SYN cookie’s process is subject to TCP sequence number translation because the firewall acted as a proxy for TCP 3-way handshake.
3.3. Forwarding Setup
nfiguration of the interface . The following table summarizes the packet-forwarding behavior:
Interface Mode
|
Forwarding action
|
Tap | Egress interface/zone is the same as the ingress interface/zone from a policy perspective. The firewall discards the packet. |
Virtual Wire | Egress interface is the peer interface configured in the virtual wire |
Layer – 2 |
Egress interface for the destination MAC is retrieved from the MAC table. If the information is not present, the frame is flooded to all interfaces in the associated VLAN broadcast domain, except for the ingress interface .
|
Layer – 3 | The firewall uses the route lookup table to determine the next hop, or discards the packet if there is no match. |
3.4. NAT Policy Lookup
- For destination NAT, the firewall performs a second route lookup for the translated address to determine the egress interface/zone.
- For source NAT, the firewall evaluates the NAT rule for source IP a
llocation. If the allocation check fails, the firewall discards the packet.
3.5. User–ID
3.6. DoS Protection Policy Lookup
3.7. Security Policy Lookup
3.8. Session Allocation
- VSYS session maximum reached, or
- The firewall allocates all available sessions.
- The firewall fills session content with flow keys extracted from the packet and the forwarding/policy results .
- Session state changes from INIT (pre-allocation) to OPENING (post-allocation) .
- If the application has not been identified, the session timeout values are set to default value of the transport protocol. You can configure these global timeout values from the Firewall’s device settings. Application specific timeout values override the global settings, and will be the effective timeout values for the session once application is identified .
- Firewall queries the flow lookup table to see if a match exists for the flow keys matching the session. If a flow lookup match is found (session with same tuple already exists), then this session instance is discarded as session already exists, else
- Session is added to the flow lookup table for both C2S and S2C flows and firewall changes the session’s state from OPENING to ACTIVE .
Section 4 : Firewall Session Fast Path
- If the session is in discard state, then the firewall discards the packet. The firewall can mark a session as being in the discard stat
e due to a policy action change to deny, or threat detection . - If the session is active, refresh session timeout .
- If the packet is a TCP FIN/RST, the session TCP half closed timer is started if this is the first FIN packet received (half closed session) or the TCP Time Wait timer is started if this is the second FIN packet or RST packet. The session is closed as soon as either of these timers expire.
- If NAT is applicable, translate the L3/L4 header as applicable.
4.1. Security Processing
- Application Layer Gateway (ALG) is involved .
- Application is tunneled application .
- Security rule has security profile associated.
4.2. Captive Portal
Section 5 : Application Identification (App–ID)
- Security policy lookup: The identified application as well as IP/port/protocol/zone/user/URL category in the session is used as key to find rule match.
- If the security policy has logging enabled at session start, the firewall generates a traffic log, each time the App-ID changes throughout the life of the session.
- If security policy action is set to allow and it has associated profile and/or application is subject to content inspection, then it passes all content through Content-ID .
- If security policy action is set to allow, the firewall performs a QoS policy lookup and assigns a QoS class based on the matching policy .
- If security policy action is set to allow and the application is SSL or SSH, perform a decryption policy lookup and set up proxy contexts if there is a matching decryption rule .
Section 6 : Content Inspection
- If inspection results in a ‘detection’ and security profile action is set to allow, or
- Content inspection returns no ‘detection’.
Section 7 : Forwarding/Egress
If the egress interface is a tunnel interface, then IPSec/SSL-VPN tunnel encryption is performed and packet forwarding is reevaluated.
Leave a Reply