The PhoneBoy Blog


FireWall-1 FAQ: Inbound versus Eitherbound Inspection

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

(This FAQ is relevant to FireWall-1 4.1 and earlier as NG uses Eitherbound inspection and cannot be changed.)

"Inbound" means the packets are scanned as they come into the firewall, before any routing takes place, etc. In most cases, this is sufficient. "Eitherbound" means the firewall scans the packet both as it enters the gateway (before it is routed) and as it leaves the gateway (after it is routed, before NAT occurs). There are two times I know of you would want to perform Eitherbound inspection, though someone else may come up with some other reason.

  1. On rules regarding the firewall. Specifically, those rules allowing the firewall to do certain things outbound. In these cases, change the "Install-on" field to "Src" and "Dst."
  2. When you are using Dual Network Address Translation (translating both the source and destination of the packet) with the authentication servers. A customer ran across a rather interesting bug where, if an authenticated session times out and you are using Dual NAT, the connection will not correctly close on both sides. The only way for this to work correctly is to use Eitherbound inspection. Installing on a specific target does not seem to work reliably (go figure).

In FireWall-1 4.1, the default is Eitherbound.
