The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Order of FireWall-1 Operations

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason, people still have links to this stuff on the Internet, and people are still clicking on them.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


For new connections, the order of operation for FireWall-1 (and surrounding pieces) is:

  1. Inbound anti-spoof check (verifies the source IP is included in the inbound interface's "valid addresses" setting)
  2. Inbound check against the rulebase (includes properties)
  3. Routing by the OS
  4. Outbound anti-spoof check (verifies the destination IP is included in the outbound interface's "valid addresses" setting). NG does not perform this outbound spoofing check.
  5. Outbound check against the rulebase (includes properties)
  6. Network Address Translation

In NG, if certain options are enabled, the order is different. See How NAT works in FireWall-1 NG for details. In this case, the order of operations looks like this:

  1. Inbound anti-spoof check (verifies the source IP is included in the inbound interface's "valid addresses" setting)
  2. Inbound check against the rulebase (includes properties)
  3. Network Address Translation
  4. Routing by the OS
  5. Outbound check against the rulebase (includes properties)

Usually the rulebase is applied in one direction (usually inbound; NG defaults to eitherbound) unless you have changed the "Apply Gateway Rules to Interface Direction" property (which does not exist in NG) or specified that rules be installed on either "Src" (outbound) or "Dst" (inbound). Properties are always applied eitherbound. Once a packet matches a rule, the firewall performs the action listed in that rule's "Action" field and no further rulebase processing occurs for that packet. For authenticated connections not going through the security servers, the rules and properties are processed in this order:

  1. Rulebase Properties listed as "First." Matches are accepted and not logged.
  2. Rules 1 through n-1 (assuming n rules) are processed in order and logged according to their individual settings.
  3. Rulebase Properties listed as "Before Last." Matches are accepted and not logged.
  4. Rule n is processed and logged according to its setting.
  5. Rulebase Properties listed as "Last." Matches are accepted and not logged.
  6. Implicit "Drop" rule is matched (no logging occurs here).
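The following is an added example, not from the original FAQ or Check Point, that models the six-step processing order above with first-match semantics and the logging behaviour the FAQ describes (properties accept silently, rules log per their own setting, the implicit drop is never logged). The rule numbers, host and service names are constructed sample data; the point it illustrates is that a "First" property can silently shadow an explicit, logged drop rule, which is worth checking when auditing a rulebase.

```python
# Added example (not the FAQ's or Check Point's code): a model of the
# rule/property processing order for a new connection. Hosts, services
# and rules are constructed sample data, not a real configuration.

PHASES = ["first", "rules_1_to_n-1", "before_last", "rule_n", "last", "implicit_drop"]

def _matches(entry, pkt):
    # A missing or "any" field matches everything, like a wildcard object.
    return all(entry.get(k) in (None, "any", pkt[k]) for k in ("src", "dst", "service"))

def evaluate(pkt, rules, properties):
    """Return (action, logged, matched_by) for one new connection."""
    for phase in PHASES:
        if phase == "rules_1_to_n-1":
            for i, rule in enumerate(rules[:-1], start=1):
                if _matches(rule, pkt):
                    return rule["action"], rule["log"], f"rule {i}"
        elif phase == "rule_n":
            if rules and _matches(rules[-1], pkt):
                return rules[-1]["action"], rules[-1]["log"], f"rule {len(rules)}"
        elif phase == "implicit_drop":
            return "drop", False, "implicit drop"            # never logged
        else:  # "first", "before_last", "last" properties
            for prop in properties.get(phase, []):
                if _matches(prop, pkt):
                    return "accept", False, f"{phase} property"  # accepted, never logged

# Constructed rulebase: rule 1 tries to drop and log the "mgmt" service,
# but a "First" property accepting the same service shadows it silently.
SAMPLE_RULES = [
    {"src": "any", "dst": "any", "service": "mgmt", "action": "drop", "log": True},
    {"src": "internal", "dst": "any", "service": "http", "action": "accept", "log": True},
    {"src": "any", "dst": "any", "service": "any", "action": "drop", "log": True},  # cleanup rule n
]
SAMPLE_PROPERTIES = {
    "first": [{"service": "mgmt"}],
    "before_last": [{"service": "icmp"}],
    "last": [{"service": "dns"}],
}

if __name__ == "__main__":
    for pkt in ({"src": "external", "dst": "fw", "service": "mgmt"},
                {"src": "internal", "dst": "external", "service": "http"},
                {"src": "external", "dst": "internal", "service": "icmp"},
                {"src": "external", "dst": "internal", "service": "smtp"}):
        print(pkt["service"], "->", evaluate(pkt, SAMPLE_RULES, SAMPLE_PROPERTIES))
```

Dropping the cleanup rule (`SAMPLE_RULES[:2]`) shows the "Last" properties and the unlogged implicit drop taking effect instead.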

For connections authenticated through the security servers, rules are not processed in order. See What Order Does FW-1 Apply The Rulebase?

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.