How to change the position of the fw monitor chain module

In Capture masks we described fw monitor capture masks. The positions were defined to be before the virtual machine and after the virtual machine. Although not wrong, this is not completely right.

Check Point uses a so-called “kernel module chain” for the different kernel modules that work with the packets. The different modules (Firewall, VPN, FloodGate, …) pass a packet on to the next module, building up a kind of chain this way.

The example below shows how a packet is processed by the different chain modules while entering and leaving the firewall machine:
Figure 15: FireWall chain – schematic overview
Inbound (modules as drawn, top to bottom): TCP/IP, RTM/E2E, IQ Engine, FG Policy, VPN Policy, Accounting, NAT, VM, VPN Verify, VPN Dec, Virtual Reass, Wire Side Acct, NIC
Outbound (modules as drawn, top to bottom): TCP/IP, Virtual Reass, IP Side Acct, VM, NAT, VPN Policy, FG Policy, VPN Enc, IQ Engine, Accounting, RTM/E2E, NIC
You can take a look at the actual chain using the fw ctl chain command. This will show you the chain modules actually loaded on your machine and their order. Please note that there are more kernel modules in the chain which are not shown by fw ctl chain and which also cannot be used for fw monitor kernel module positioning.
How to use fw monitor Page 19 of 70
Revision: 1.01