Packet Flow Query - FW Inspection


L1 Bithead

Hi Everyone,


I've been madly studying the Packet Flow Diagram that outlines the different checks/stages that a Packet goes through via a PA FW and I had a question with the 3rd check in the Ingress phase called 'FW Inspection applicable'. If Inspection is applicable then it carries into the IPSec/SSL VPN tunnel check but if Inspection is not applicable I see it go directly to the Forwarding/Egress stage.


I was hoping to understand what scenarios FW Inspection would be disabled thus triggering this type of path?

1 ACCEPTED SOLUTION

Cyber Elite

Thanks for that... yet I do not believe that document is 100% accurate (although it is hugely popular)


This is what happens at the ingress stage:  Note, there is no bypassing slow/fastpath, as shown in the Day in a Life of a Packet.

[Image: SteveCantwell_0-1624381293972.png]

I am only stating that a packet could be inbound towards the physical interface and we examine the packet to see if the DestAddr is behind the FW.

It is possible that ARPs/broadcasts would be seen by the FW, agreed, but the FW would not respond.

It is possible that intrazone traffic could be ingressed, be seen by the FW, and then egress from the same interface that the packet just ingressed from. I guess that would bypass any FW processing, because there would not be any FW processing needed.

Help the community: Like helpful comments and mark solutions

5 REPLIES

Cyber Elite

Hello there


There are a few diagrams and training materials that detail the Packet Flow Logic.  Can you share a screen share or snippet to ensure we are all discussing the same thing?  I am aware of the flow logic, and after a packet ingress, it could hit IPSec/SSL VPN traffic or it goes slowpath or fast path.  So either a VPN is found, or it is not, and we would continue analysis.


This is where I am getting confused.  Just show/point out specifically where you have questions, and we will be glad to assist you.

Help the community: Like helpful comments and mark solutions


With ARP I agree (even though I don't know exactly). Maybe routing protocol traffic is also taking that path. But in both cases it wouldn't be as this path is showing. There definitely is packet processing involved, simply not the same processing as "normal" traffic has to go through.

"Normal" traffic which arrives at an interface and has the same egress interface is also processed / inspected by the firewall, so, as far as I know, there is no packet in and directly out for such traffic.


Maybe @jdelio or @reaperPANgurus could add some more information here about what traffic is meant by this direct path between ingress and egress stage?

Hey Steve, interesting to hear your thoughts on the "Day in the life of a packet" diagram. That diagram you included looks fairly clear around the absence of the "FW Inspection" process.

Any chance you could share that diagram? I'm keen to take a look at it as it sounds more accurate than the "Day in the life" diagram.
