If a "ping"-packet is dropped by FW1 Policy – on how many inspection Points do you see this packet in "fw monitor"?
A 'ping' packet that is dropped by the FW1 Policy will be seen at the 'i' inspection point only. This is because the packet reaches the ingress inspection point ('i'), where it is initially captured. Since the FW1 Policy drops the packet, it won't proceed to the later inspection points like 'I', 'o', or 'O'. Therefore, the packet will only be visible at the 'i' point in 'fw monitor'.
Correct answer: A (i only). The fw worker acts between i and I, so if it drops the packet, i will show the packet (as i is de facto in interface) and nothing will be shown on I (as the fw worker will drop the packet before that). As for the NAT - it occurs after o and before O.
• Packet is seen at position 'i' but not anywhere after that – Means the Firewall is dropping it or NAT has occurred and has changed the IP address or Port number.
• Packet is seen at positions 'i' and 'I' but not after that – The Firewall has accepted the packet but the operating system probably could not route it. Check route table on Security Gateway.
Correct
I think A
Not sure...
https://community.checkpoint.com/t5/General-Topics/Check-Point-Inspection-points-iIoO/td-p/34938
i -- Access Control policy layer evaluation -- I
So when it is dropped by policy, will it be seen with I or not?
https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_NextGenSecurityGateway_Guide/Topics-FWG/CLI/fw-monitor.htm
-m I Post-Inbound only (after the packet passes a Chain Module in the inbound direction)
The "passes" couldn't clarify if policy lookup = drop = pass or not pass chain module.
So it could be i or i I
Tried it out, and it should be only i. I see a drop log, but in fw monitor only flag i.
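
The rule of thumb quoted in the thread (the last inspection point at which a packet appears tells you where it stopped) can be applied to a saved capture. The following is an added example, not part of the original discussion or any Check Point tooling: it assumes the one-line header format shown in the comment, correlates packets by protocol and IP id (addresses are left out of the key because NAT may rewrite them), and runs on a constructed sample.

```python
import re

# Assumed header format of a fw monitor line (one per inspection point):
#   [vs_0][fw_1] eth0:i[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
LINE_RE = re.compile(
    r"(?P<iface>[\w.-]+):(?P<pos>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\((?P<proto>\w+)\)\s+"
    r"len=\d+\s+id=(?P<ipid>\d+)"
)
ORDER = "iIoO"  # pre-inbound, post-inbound, pre-outbound, post-outbound

# Constructed capture: three echo requests from one client.
SAMPLE = """\
[vs_0][fw_1] eth0:i[84]: 10.1.1.10 -> 10.2.2.20 (ICMP) len=84 id=4101
ICMP: type=8 code=0 echo request id=1 seq=1
[vs_0][fw_1] eth0:i[84]: 10.1.1.10 -> 10.3.3.30 (ICMP) len=84 id=4102
[vs_0][fw_1] eth0:I[84]: 10.1.1.10 -> 10.3.3.30 (ICMP) len=84 id=4102
[vs_0][fw_1] eth0:i[84]: 10.1.1.10 -> 10.4.4.40 (ICMP) len=84 id=4103
[vs_0][fw_1] eth0:I[84]: 10.1.1.10 -> 10.4.4.40 (ICMP) len=84 id=4103
[vs_0][fw_1] eth1:o[84]: 10.1.1.10 -> 10.4.4.40 (ICMP) len=84 id=4103
[vs_0][fw_1] eth1:O[84]: 10.1.1.10 -> 10.4.4.40 (ICMP) len=84 id=4103
"""

# Interpretations for 'i' and 'I' are the ones quoted in the thread.
VERDICTS = {
    "i": "dropped by firewall, or NAT changed address/port",
    "I": "accepted inbound; check routing table on the gateway",
    "o": "not seen at O",
    "O": "passed all inspection points",
}

def last_points(text):
    """Map (proto, IP id) -> furthest inspection point reached."""
    furthest = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # protocol detail lines, banners, etc.
        key = (m["proto"], int(m["ipid"]))
        pos = m["pos"]
        if key not in furthest or ORDER.index(pos) > ORDER.index(furthest[key]):
            furthest[key] = pos
    return furthest

def diagnose(text):
    return {k: (p, VERDICTS[p]) for k, p in last_points(text).items()}

if __name__ == "__main__":
    for (proto, ipid), (pos, verdict) in diagnose(SAMPLE).items():
        print(f"{proto} id={ipid}: last seen at {pos} -> {verdict}")
```
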