9 Replies Latest reply on Feb 2, 2015 5:06 AM by ilindblo

    McAfee NGFW Order of Operation?

    totti10

      Hi all,

       

      When explaining how McAfee NGFW processes packets, the McAfee NGFW Reference Guide, page 86, says:

      "7. A routing decision is made (using the translated address). If the destination of the packet
      is changed by a NAT operation, the packet is checked against the Access rules again. If
      the packet is still allowed by an Access rule, the packet is let through the engine
      according to its priority and any bandwidth limits or guarantees that may have been
      defined. If the packet no longer matches an Access rule, the packet is dropped"

      I'm not sure which Access rules are checked again.

      And how is VPN traffic applied to this NGFW process? I mean, where does the VPN process go in this model?

       

      Thanks and Regards!

        • 1. Re: McAfee NGFW Order of Operation?
          lnurmi

          Hi,

           

          This is an unfortunate inaccuracy in the reference guide; it should be fixed in the next version. In the normal case, NAT does not cause any rule rechecking. The exception is that if a zone is used in the original matching access rule and the destination zone of the packet is changed by a NAT operation, the original packet is checked against the Access rules again using the updated destination zone information.

           

          For route-based VPN the process is exactly the same.

          For policy-based VPN, the decision to put the packet into the VPN is made in the access rule by the Use VPN action. The process is otherwise the same, except that NAT is only done if NAT is enabled in the VPN properties, and instead of route selection the packet is put into the VPN tunnel (i.e. encapsulated).

           

          BR,

          Lauri

          • 2. Re: McAfee NGFW Order of Operation?
            totti10

            Hi Lauri,

             

            So, does the ESP packet go through this process? I mean, in case the firewall receives a VPN packet, what does the firewall do? And where does the VPN decryption happen?

             

            Regards!

            • 3. Re: McAfee NGFW Order of Operation?
              thyvarin

              Hi,

               

              When NGFW receives an ESP packet from the network with a destination IP matching one of its own endpoint IPs, the packet is handed to the IPsec daemon for processing first. It then checks whether the source IP and inbound SPI match one of the SAs in the SA table. If there is an existing IPsec SA, the packet is decrypted (assuming it hasn't been altered, etc. in the network) and the packet inside is processed by the FW in the same way as if that packet had come to the FW in clear text, i.e. as illustration 9.1 on page 85 of the NGFW 5.7 Reference Guide for FW/VPN Role shows.

               

              BR,

              Tero

              • 4. Re: McAfee NGFW Order of Operation?
                totti10

                Hi Tero,

                 

                So the Connection Tracking will track the state of the decrypted packet, right?

                 

                Regards!

                • 5. Re: McAfee NGFW Order of Operation?

                  Yes, for the cleartext traffic decrypted from ESP, processing is essentially normal.

                  • 6. Re: McAfee NGFW Order of Operation?
                    totti10

                    Hi Ilindblo,

                     

                    I mean that the ESP packet is handled by the IPsec daemon and does not go through the whole process as normal packets do, right? The ESP packet is not checked against antispoofing, Connection Tracking, Access rules..., is it?

                     

                    Regards!

                    • 7. Re: McAfee NGFW Order of Operation?

                      ESP is processed somewhat differently from other common IP protocols. There are no connections with ESP traffic, so there is no connection tracking per se. However, the validity of the ESP packet is still checked. ESP packets are not evaluated against access rules. The antispoofing check is done normally. Once the protected traffic is at hand, after decryption, processing is very similar to that of regular traffic, with the addition of checking for the correct tunnel etc.

                      • 8. Re: McAfee NGFW Order of Operation?
                        totti10

                        Hi all,

                        This is my summary, please correct me if i was wrong:

                        [attached image: VPN Traffic.PNG]

                         

                        Thanks and Regards!

                        • 9. Re: McAfee NGFW Order of Operation?

                          Yes, this is basically correct, though other checks are done as well.
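As an added illustration, not McAfee/Stonesoft code and not a claim about how the engine is actually implemented, the following Python model strings together the order of operations as the replies above describe it: antispoofing, connection tracking, access-rule matching on the original packet, NAT followed by the routing decision, the zone-recheck exception from reply #1, the Use VPN action from reply #1, and ESP handling from replies #3 and #7 (SA lookup by peer IP and inbound SPI, no access-rule evaluation for the ESP packet itself, and the decrypted inner packet processed as cleartext that arrived from the tunnel). All zones, networks, rules, addresses and the SPI are made up for the example; "decryption" is stood in for by carrying the inner packet in the clear.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp" or "esp"
    dport: int = 0
    spi: int = 0                       # inbound SPI, ESP only
    inner: Optional["Packet"] = None   # stands in for the encrypted payload (assumption)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    action: str                        # "allow", "discard" or "use_vpn"
    dport: int = 0                     # 0 = any port
    dst_zone: Optional[str] = None     # None = rule does not match on a zone


@dataclass
class Engine:
    routes: dict                       # prefix -> zone; this is the routing decision
    rules: list                        # ordered, first match wins
    dst_nat: dict                      # original destination -> translated destination
    sa_table: dict                     # (peer ip, inbound spi) -> tunnel name
    endpoints: frozenset               # this engine's own VPN endpoint addresses
    connections: set = field(default_factory=set)

    def zone_for(self, ip: str) -> Optional[str]:
        """Longest-prefix route lookup; the destination zone is derived from it."""
        best = None
        for prefix, zone in self.routes.items():
            net = ip_network(prefix)
            if ip_address(ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else None

    def match_rule(self, pkt: Packet, dst_zone: Optional[str]) -> Optional[Rule]:
        for r in self.rules:
            if (r.proto == pkt.proto
                    and ip_address(pkt.src) in ip_network(r.src_net)
                    and ip_address(pkt.dst) in ip_network(r.dst_net)
                    and r.dport in (0, pkt.dport)
                    and r.dst_zone in (None, dst_zone)):
                return r
        return None

    def process(self, pkt: Packet, ingress_zone: str) -> str:
        # 1. antispoofing: the source must be routed back out the interface it arrived on
        if self.zone_for(pkt.src) != ingress_zone:
            return "drop:antispoof"
        # ESP is handed to the IPsec daemon and never evaluated against the access rules
        if pkt.proto == "esp":
            return self._process_esp(pkt)
        # 2. connection tracking: an existing connection skips the rule lookup
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.connections:
            return "allow:existing-connection"
        # 3. access rules, matched on the original (pre-NAT) packet and destination zone
        dst_zone = self.zone_for(pkt.dst)
        rule = self.match_rule(pkt, dst_zone)
        if rule is None or rule.action == "discard":
            return "drop:no-matching-rule"
        if rule.action == "use_vpn":          # policy-based VPN: tunnel replaces route selection
            self.connections.add(key)
            return "allow:encapsulate-into-vpn"
        # 4. NAT, then the routing decision on the translated address
        new_dst = self.dst_nat.get(pkt.dst, pkt.dst)
        new_zone = self.zone_for(new_dst)
        # 5. the exception from reply #1: recheck only when the matched rule used a zone
        #    and NAT moved the destination into a different zone
        if rule.dst_zone is not None and new_zone != dst_zone:
            recheck = self.match_rule(pkt, new_zone)   # original packet, updated zone
            if recheck is None or recheck.action != "allow":
                return "drop:nat-zone-recheck"
        self.connections.add(key)
        return f"allow:route-to-{new_zone}"

    def _process_esp(self, pkt: Packet) -> str:
        if pkt.dst not in self.endpoints:
            return "drop:esp-not-for-local-endpoint"
        tunnel = self.sa_table.get((pkt.src, pkt.spi))
        if tunnel is None:
            return "drop:esp-unknown-sa"
        if pkt.inner is None:                 # integrity/decryption failure stands in here
            return "drop:esp-invalid"
        # the decrypted packet is processed like cleartext that arrived from the tunnel;
        # the antispoofing step then enforces that its source belongs to this tunnel
        return f"decrypted[{tunnel}]:" + self.process(pkt.inner, ingress_zone=tunnel)


def build_engine() -> Engine:
    """Constructed topology: internal, DMZ, external, and one VPN peer network."""
    return Engine(
        routes={"0.0.0.0/0": "external", "10.0.0.0/8": "internal",
                "192.168.1.0/24": "dmz", "172.16.0.0/16": "vpn-peerA"},
        rules=[
            Rule("10.0.0.0/8", "172.16.0.0/16", "tcp", "use_vpn"),
            Rule("10.0.0.0/8", "0.0.0.0/0", "tcp", "allow"),
            Rule("172.16.0.0/16", "10.0.0.0/8", "tcp", "allow", dport=22),
            Rule("0.0.0.0/0", "203.0.113.0/24", "tcp", "allow", dst_zone="external"),
            Rule("0.0.0.0/0", "203.0.113.0/24", "tcp", "allow", dport=80, dst_zone="dmz"),
        ],
        dst_nat={"203.0.113.10": "192.168.1.10", "203.0.113.20": "10.0.0.20"},
        sa_table={("198.51.100.7", 0x1000): "vpn-peerA"},
        endpoints=frozenset({"203.0.113.1"}),
    )


def run_scenarios() -> dict:
    eng = build_engine()
    inner = Packet("172.16.5.5", "10.0.0.20", "tcp", dport=22)
    esp_ok = Packet("198.51.100.7", "203.0.113.1", "esp", spi=0x1000, inner=inner)
    return {
        "dnat_to_dmz_rechecked": eng.process(Packet("198.51.100.9", "203.0.113.10", "tcp", dport=80), "external"),
        "dnat_to_internal_rechecked": eng.process(Packet("198.51.100.9", "203.0.113.20", "tcp", dport=22), "external"),
        "spoofed_source": eng.process(Packet("10.0.0.5", "203.0.113.10", "tcp", dport=80), "external"),
        "outbound_no_zone_rule": eng.process(Packet("10.0.0.5", "8.8.8.8", "tcp", dport=443), "internal"),
        "policy_vpn_outbound": eng.process(Packet("10.0.0.5", "172.16.5.5", "tcp", dport=22), "internal"),
        "esp_valid_sa": eng.process(esp_ok, "external"),
        "esp_unknown_spi": eng.process(replace(esp_ok, spi=0x2000), "external"),
        "esp_inner_wrong_tunnel": eng.process(replace(esp_ok, inner=replace(inner, src="10.0.0.99")), "external"),
        "esp_valid_sa_again": eng.process(esp_ok, "external"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

The two DNAT scenarios are the point of reply #1: both match the same zone-based rule on the original packet, NAT moves the first into the DMZ where a second rule still allows it, and the second into the internal zone where no rule allows it, so only the second is dropped on the recheck. The ESP scenarios show reply #7: the ESP packet itself passes only antispoofing and the SA lookup, the decrypted inner packet goes through the normal pipeline (and a second copy hits the tracked connection, as in reply #5), and an inner packet whose source does not belong to the tunnel fails the antispoofing step standing in for the "correct tunnel" check.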