R80.x Logical Packet Flow, Heiko Ankenbrand, v1.2

[Figure: flowchart of the R80.x logical packet flow; only its labels are recoverable. Labels, in order of appearance: Interface Dispatcher (SND); Decrypt / Decryption; Stateless Inspection; SecureXL; Connection Table; "RST, FIN /AC …" packet check; Accept Template; NAT Template; Establish new SecureXL connection / NAT; Content Inspection needed; Drop Template; Discard; Slow Path (F2F); Medium Path (PXL); Fast Path (Accelerated Path); fw_worker0 x; Connection Table; Firewall Policy; add Conn. Table; NAT (Dest) Table; NAT Policy; add NAT Table; Content Inspection; other Security Modules (NAT, TED, HTTPS, URLF, IPS, AC, Anti Bot, AV, more Security Modules); Record Connection; more In-Chain Modules; Passive Streaming Library (PSL); Classifier (APP1, APP2, APP3; first packet / subsequent); Protocol Parsers; Observer; Protections Handler; Security Policy action (IPS: prevent, detect, inactive; AC: drop, allow); routing; Log Connection; NAT (Src) Table; NAT; more SecureXL driver modules (routing, nat, …); more Out-Chain Modules; Encrypt / Encryption; Interface.]

Notes: 1 = only the first packet in the firewall chain flow. 2) = since version R80.20.