Check Point processes the packet on ingress and on egress in two ways.
- Physical layer – ingress interface
- Data Link Layer/Ethernet
- Inspect Driver [Inspect Engine]
- Network Layer/IP Routing
- Inspect Driver
- Data Link Layer/Ethernet
- Physical layer – egress interface
1. NIC hardware
   - The network card receives electrical signalling from the link partner.
2. NIC driver
   - Sanity checks
   - The NIC hardware decodes the signal and passes it to the operating system’s NIC driver via the PCI bus
   - The frame is converted to an mbuf entry and the frame headers are stored for later use.
   - NIC driver hands off the data to the operating system’s mbuf memory space
3. Operating system IP protocol stack
   - The OS performs sanity checks on the packet
   - Hand off to SXL if enabled, or to Firewall Kernel if not
4. SecureXL (if enabled)
   - SXL lookup is performed; if it matches, bypass the firewall kernel and proceed with (Operating system IP protocol stack, outbound side)
5. Firewall Kernel (inbound processing)
   - FW Monitor starts here (so you may need to disable SecureXL [fwaccel off, CAUTION] … )
   - Connection state lookups, some protocol inspection, rulebase processing, antispoofing lookups etc.
   - Processing order can be seen via fw ctl chain
   - Bypass complex inspection if not needed
6. Complex protocol inspection (AV is an example)
   - Leave the kernel and process under userland.
   - Enters back at this same stage if the traffic passed
(inbound processing stops here)
(outbound processing starts here)
7. Firewall Kernel
   - Route lookup
   - Check Point sanity checks etc.
   - FW Monitor ends here
   - Pass to operating system
8. Operating system IP protocol stack
   - The OS performs sanity checks on the packet
   - Pass the mbuf to the NIC driver for the appropriate outbound interface
9. NIC driver
   - Tag the packet as an Ethernet frame by adding MAC addresses for source and destination
10. NIC hardware
   - The NIC hardware encodes the signal and transmits it via wire
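
The SecureXL bypass in step 4 decides whether a packet ever reaches the stages where FW Monitor runs (steps 5 to 7). The sketch below is an added example, not Check Point code: it models only the stage order listed above, and the `Flow` tuple, the function names and the contents of the acceleration table are constructed assumptions.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def trace(flow, securexl_enabled, accel_table, complex_inspection=False):
    """Return (stages, fw_monitor_sees_it) for one packet, following steps 1-10."""
    stages = ["1 NIC hardware (rx)", "2 NIC driver (rx)", "3 OS IP stack (in)"]
    accelerated = False
    if securexl_enabled:
        stages.append("4 SecureXL lookup")
        accelerated = flow in accel_table  # match => bypass firewall kernel
    if not accelerated:
        stages.append("5 Firewall kernel (in)")   # FW Monitor starts here
        if complex_inspection:
            stages.append("6 Complex inspection (userland)")
        stages.append("7 Firewall kernel (out)")  # FW Monitor ends here
    stages += ["8 OS IP stack (out)", "9 NIC driver (tx)", "10 NIC hardware (tx)"]
    return stages, not accelerated

def capture_blind_spots(flows, securexl_enabled, accel_table):
    """Flows that never enter steps 5-7, so a capture there shows nothing."""
    return [f for f in flows if not trace(f, securexl_enabled, accel_table)[1]]

# Constructed sample data (documentation address ranges).
WEB = Flow("192.0.2.10", "198.51.100.20", 443)
FTP = Flow("192.0.2.11", "198.51.100.21", 21)
ACCEL_TABLE = {WEB}  # assumption: only the web flow has been offloaded

if __name__ == "__main__":
    for f in (WEB, FTP):
        path, seen = trace(f, True, ACCEL_TABLE, complex_inspection=(f is FTP))
        print(f, "visible to FW Monitor:", seen)
        print("   " + " -> ".join(path))
    print("blind spots:", capture_blind_spots([WEB, FTP], True, ACCEL_TABLE))
```

With SecureXL modelled as off, the blind-spot list is empty, which is the reason step 5 suggests disabling it before capturing.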