The blog provides Network Security Tips, Tricks, How To/Procedures. Products and areas not limited to Firewalls, Security, Check Point, Cisco, Nokia IPSO, Crossbeam, SecurePlatform, SPLAT, IP Appliance, GAiA, Unix/Linux.
Home / Check Point / Firewall / Check Point - View Active Chain In Security Gateway - INSPECT/Inspection - CLI

Check Point - View Active Chain In Security Gateway - INSPECT/Inspection - CLI

,
Check Point kernel inspects packets in both Inbound (ingress) and Outbound (egress) directions. Modules and order of inspection may vary for each direction.

INSPECT code is otherwise called as handlers decide the modules that will inspect the packet.

Each module of inspection operations are divided in to chains. Number of chains on Security Gateway varies based of blades/features that are enabled. All active chains can be seen using command "fw ctl chain".

Syntax:


fw ctl chain

Example:


[Expert@SecurityGateway] # fw ctl chain
in chain (15):
        0: -7f800000 (ee6a8710) (ffffffff) IP Options Strip (ipopt_strip)
        1: - 2000000 (ee42d540) (00000003) vpn decrypt (vpn)
        2: - 1fffff6 (ee6a9f20) (00000001) Stateless verifications (asm)
        3: - 1fffff2 (ee45ff30) (00000003) vpn tagging inbound (tagging)
        4: - 1fffff0 (ee42f040) (00000003) vpn decrypt verify (vpn_ver)
        5: - 1000000 (ee6f0b10) (00000003) SecureXL conn sync (secxl_sync)
        6:         0 (ee65c4b0) (00000001) fw VM inbound  (fw)
        7:         1 (ee6b5390) (00000002) wire VM inbound  (wire_vm)
        8:        10 (ee676990) (00000001) fw accounting inbound (acct)
        9:   2000000 (ee4317d0) (00000003) vpn policy inbound (vpn_pol)
        10:  10000000 (ee6f7c60) (00000003) SecureXL inbound (secxl)
        11:  7f600000 (ee69ddf0) (00000001) fw SCV inbound (scv)
        12:  7f750000 (ee7e07a0) (00000001) TCP streaming (in) (cpas)
        13:  7f800000 (ee6a8aa0) (ffffffff) IP Options Restore (ipopt_res)
        14:  7fb00000 (ee7c6b10) (00000001) HA Forwarding (ha_for)
out chain (13):
        0: -7f800000 (ee6a8710) (ffffffff) IP Options Strip (ipopt_strip)
        1: - 1ffffff (ee430580) (00000003) vpn nat outbound (vpn_nat)
        2: - 1fffff0 (ee7e05b0) (00000001) TCP streaming (out) (cpas)
        3: - 1ff0000 (ee45ff30) (00000003) vpn tagging outbound (tagging)
        4: - 1f00000 (ee6a9f20) (00000001) Stateless verifications (asm)
        5:         0 (ee65c4b0) (00000001) fw VM outbound (fw)
        6:         1 (ee6b5390) (00000002) wire VM outbound  (wire_vm)
        7:   2000000 (ee432210) (00000003) vpn policy outbound (vpn_pol)
        8:  10000000 (ee6f7c60) (00000003) SecureXL outbound (secxl)
        9:  20000000 (ee4324a0) (00000003) vpn encrypt (vpn)
        10:  7f000000 (ee676990) (00000001) fw accounting outbound (acct)
        11:  7f700000 (ee7e02c0) (00000001) TCP streaming post VM (cpas)
        12:  7f800000 (ee6a8aa0) (ffffffff) IP Options Restore (ipopt_res)
 
[Expert@SecurityGateway] #




Check Point - View Active Chain In Security Gateway - INSPECT/Inspection - CLI Check Point - View Active Chain In Security Gateway - INSPECT/Inspection - CLI Reviewed by Admin on 06:56:00 Rating: 5