Tuesday, February 3, 2015

A life of a Packet ( fortigate )

In this thread, I wanted to post a reminder of the life-of-a-packet ( by fortinet )  and what and where actions are taken in regards to a flow or connection between 2 interfaces.

In almost are firewalls, the object is to allow packets to flow across 2 interfaces regardless if the interface are L2 ( transparent mode ) or L3 ( routed aka NAT mode ) and a firewall-policy  has been configured to allow such activity aka  "accept action".

Take a look at this;

 I highlighted both DNAT and SNAT .

A DNAT  ( destination NAT ) for all practical reasons is a VIP. In  linux iptables , it's known as  pre-routing due to this action takes place before we looking into the routing information base.

Where as SNAT ( source NAT ) is always a process after we determine where/what interface to route out of ( post-routing ).

In all  cases regardless of direction, advance-security  features are applied after we found the matching policy and advance feature has been enabled per the policy. This could be a IPS sensor or URL filter,  etc....

uRPF checks is also critical since a modern firewall will drop packets that don't have a loose or strict route for the "source", but keep in mind  that unicast-routing is always determine by the "destination". A router/firewall without uRPF does not care too much about the source-address in the routing determination.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       /  \

No comments:

Post a Comment