Content Security Service Process

This section describes the process of the content security service.

If the content security service is configured in the security policy matched by traffic, content security detection must be performed on the traffic. Content security detection involves a series of steps, as shown in Figure 1.

Figure 1 Content security service process

The FW uses the high-performance intelligent awareness engine (IAE) for unified detection and processing. The specific process is as follows:

1. For SSL-encrypted traffic, the FW decrypts the traffic first and then performs content security detection.
2. Performs IP fragment reassembly and TCP flow reassembly on packets to ensure that subsequent packets are in sequence and do not overlap.
3. After the packets are reassembled, the FW identifies the protocols and applications of the traffic. The identified applications can be used by security policies and traffic policies.
4. After identifying the protocols, the FW performs deep decoding on the protocols. In this phase, the fields or contents required for the subsequent content security service are parsed at a time, which greatly improves the detection speed.

5. The FW performs content security check based on the configured content security service.

   

   Various services have different detection objects, such as files for antivirus and URLs for URL filtering. Therefore, there is no strict sequence for service processing. The figure shows only general service categories.

6. For decrypted SSL traffic, the FW encrypts the traffic after content security check and then forwards the traffic.