USG6000E Packet Transfer Process

This section describes how a packet is processed and transmitted to its destination, which helps you understand the configuration rules and techniques.

Packet Transfer Process

A network device implements traffic processing by recognizing, forwarding, discarding, or modifying single packets. The FW processes packets based on the packet type and policies configured. This section describes the basic forwarding process of packets through the FW. The next section describes how the FW processes the content security service.

Figure 1 shows a typical process in which an IP packet is transmitted over the network.

Figure 1 Packet transfer process on the USG6000E

Figure 1 shows the basic packet processing sequence and is for reference only.

During the packet transfer process, some fields in a packet need to be changed to implement certain features. For example, the FW changes the source or destination IP address carried in an IP packet in the network address translation (NAT) process, while security policy matching and routing table query select policies and routes based on the IP address. The order of these steps therefore matters: server address mapping is performed before security policy matching and routing table query, and source NAT is performed after them, as shown in Figure 1. If an Internet user wants to access an intranet server, two NATs are performed for the access request:

  • During server address mapping, the FW changes the destination IP address carried in the packet to the private IP address of the server to be accessed.
  • During source NAT, the FW changes the source IP address to a private IP address that belongs to the same network segment as the server.

Then, the FW queries the routing table for the route to the outgoing interface based on the private IP address. When configuring security policies, you must configure the source IP address as a public IP address for the Internet user and configure the destination IP address as the real private IP address of the server.

During the packet transfer process, packet processing varies depending on the packet type and data configuration. Not all packets will be processed in the same way as illustrated in Figure 1. The whole process can be divided into three phases:

  1. Basic Processing on Received Packets
  2. Different Processing on the First and Subsequent Packets of a Flow According to the Session Table
  3. Security Inspection on the Packets Before Sending Them

Basic Processing on Received Packets

The objective of the basic processing is to resolve the frame header and IP packet header carried in a packet. The packet header information will be used to perform basic security checks. The FW first determines whether the incoming interface is a Layer-2 or Layer-3 interface.

  • If it is a Layer-3 interface, the FW queries the routing table based on the destination IP address carried in the packet and determines the outgoing interface. After the packet is resolved and the header information is removed from the packet, the packet is forwarded to the next hop for processing.

  • If it is a Layer-2 interface, the FW first determines whether the packet needs to be forwarded over different VLANs. If the packet does not need to be forwarded over different VLANs, the FW queries the outgoing interface in the MAC address table based on the destination MAC address carried in the packet. If the packet needs to be forwarded over different VLANs, the FW obtains the VLAN ID and then obtains the subinterface or VLANIF interface based on the VLAN ID. The subinterface or VLANIF interface is a virtual Layer-3 interface. Then, the FW queries the routing table based on the destination address carried in the packet and determines the outgoing interface.

    After the required information is obtained and the header information is removed from the packet, the packet is forwarded to the next hop for processing.

Table 1 describes the features used in this phase.

Table 1 Features involved in basic processing

  Feature: VLAN
  Description: Prevents flooding of Ethernet frames over local area networks (LANs).

  Feature: IP/MAC address binding
  Description: Verifies packets based on the IP address and MAC address carried in packets, filters out invalid packets, and prevents IP spoofing and ARP attacks.

  Feature: DDoS attack defense
  Description: Blocks attacks based on the configured DDoS attack defense types.

  Feature: Single-packet attack defense
  Description: Performs packet validity and security checks based on the single-packet attack defense types after obtaining the packet header information and filters out attack packets.

Different Processing on the First and Subsequent Packets of a Flow According to the Session Table

This is the key processing phase on the FW, including session setup and update. The FW processes a packet depending on whether there are matched session entries:

  • No Matched Session Entries

    If there are no matched session entries, the packet will be treated as the first packet of a flow.

    1. The FW triggers the stateful inspection mechanism to verify whether the packet meets the conditions for establishing a session.

    2. For a normal first packet, the FW performs a series of queries and processing steps before setting up a session for the packet.

      • The FW queries the routing table based on the destination address carried in the packet and obtains the outgoing interface information. Then, the FW obtains the destination security zone information based on the outgoing interface information.
      • After obtaining the source and destination address information, the FW authenticates the user.

        The FW identifies the users who need authentication but have not logged in based on authentication policies and pushes the authentication page to the users.

      • If the authentication is successful, the FW searches for security policies based on the user information and source and destination address information. If a match is found, the FW proceeds according to the matched security policy.

        If a session is allowed, the FW labels the flow based on the content security profile associated with the security policy. If a session is not allowed, the FW discards the packet.

        If an application is configured in the security policy, the content security module needs to identify the application of the flow. The FW can identify the application after obtaining multiple packets, so the FW establishes a session with empty application information based on the first packet. After the analysis is complete, the FW updates the session entries and adds the application type to the packet. After the application is identified, subsequent packets of this flow match the security policy, and the corresponding content security inspection items may also change.

    3. If the number of sessions does not reach the threshold, the FW establishes a session for this packet. The packet will be processed by the transfer module, and the subsequent packets of this flow will be processed as described in the Matched Session Entries Exist section.
  • Matched Session Entries Exist

    If matched session entries are found, the packet belongs to a flow whose first packet has already gone through the route query and security checks and for which a session has been established. Subsequent packets that match the session entries skip the process that the first packet goes through. This mechanism increases the processing efficiency of the FW.

    The subsequent packets will trigger the update of the online user list to keep the users who have flows online. Then, the packets will go through flow-based attack defense, and be processed by the transfer module.

    A secure first packet does not indicate that subsequent packets are also secure; therefore, the FW performs constant security checks for a flow. During this process, session entries will be updated if application information is identified, the user goes offline or online, security risks are detected in content security checks, or system configuration is modified. Once the session entries are updated, the FW will recheck the flow and take related processing. However, only the features that determine the packet processing methods are involved in the recheck process. The recheck process is still simpler than the processing of the first packet. In addition, updates of session entries do not frequently occur. This mechanism ensures constant protection of flows while avoiding serious impact on processing efficiency.
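As an added illustration of both the NAT ordering described earlier (server address mapping before, and source NAT after, the security policy and routing table lookups) and the first-packet versus subsequent-packet split described above, the following Python model written for this page (not Huawei code) walks one Internet-to-server request through a session table. All addresses, zones, rules and the dictionary-based tables are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (not taken from the Huawei page).
SERVER_MAP = {"203.0.113.10": "10.1.1.10"}   # public server address -> real private address
SOURCE_NAT = {"dmz": "10.1.1.254"}           # post-NAT source address when leaving into a zone
ROUTES = {"10.1.1.0/24": "dmz", "0.0.0.0/0": "untrust"}  # prefix -> zone of the outgoing interface

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

def zone_for(ip):
    """Routing table query: the longest matching prefix gives the outgoing interface's zone."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES.items()]
    _, zone = max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)
    return zone

def match_policy(policies, src_zone, dst_zone, src_ip, dst_ip):
    """Rules are (src_zone, dst_zone, src_ip, dst_ip, action); first match wins, 'any' is a wildcard."""
    for r_szone, r_dzone, r_sip, r_dip, action in policies:
        if (r_szone == src_zone and r_dzone == dst_zone
                and r_sip in ("any", src_ip) and r_dip in ("any", dst_ip)):
            return action
    return "deny"   # no matching rule: the flow is not allowed

def process(pkt, policies, sessions):
    """Return (action, source on the wire, destination on the wire, path taken)."""
    key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
    if key in sessions:                     # subsequent packet: skip route query and policy check
        s = sessions[key]
        return (s["action"], s["nat_src"], s["nat_dst"], "session")
    # First packet, step 1: server address mapping runs before policy matching and route lookup.
    real_dst = SERVER_MAP.get(pkt.dst_ip, pkt.dst_ip)
    dst_zone = zone_for(real_dst)
    # Step 2: the policy sees the Internet user's public source and the server's real private address.
    action = match_policy(policies, pkt.src_zone, dst_zone, pkt.src_ip, real_dst)
    if action != "permit":
        return ("discard", pkt.src_ip, pkt.dst_ip, "first")
    # Step 3: source NAT runs after the policy; the post-NAT address is recorded in the session
    # and only applied to the packet in the forwarding phase.
    nat_src = SOURCE_NAT.get(dst_zone, pkt.src_ip)
    sessions[key] = {"action": "permit", "nat_src": nat_src, "nat_dst": real_dst}
    return ("permit", nat_src, real_dst, "first")
```

A rule written against the server's public address (203.0.113.10 in the sample) never matches, because the policy check runs after server address mapping; this is the configuration pitfall the NAT paragraph points out.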

Table 2 describes the features used in this phase.

Table 2 Features involved in first packet processing and subsequent packet processing

  Features Involved in First Packet Processing

  Feature: Stateful inspection mechanism
  Description: Defines that only the first TCP or ICMP packet triggers session establishment.

  Feature: Blacklist
  Description: Rapidly filters packets based on the source or destination IP address and user information carried in the packets.

  Feature: Server-map
  Description: Serves as an important entry for server mapping, server load balancing, and multi-channel protocol data forwarding. If the first packet matches a server map entry, the FW forwards the packet or translates the address of the packet based on the server map entry. Server map entries are classified into static and dynamic ones.
    • Static server map entries generated by server mapping, load balancing, and NAT64: The FW records the modified destination IP address and port in the session created by the first packet according to the server map entry.
    • Dynamic server map entries generated by NAT No-PAT, NAT Full-cone, and DS-Lite: The FW forwards packets and generates sessions based on server map information.
    • Dynamic server map entries generated by ASPF/ALG: The FW forwards packets and generates sessions based on server map information but does not implement security policy checks on the packets.

  Feature: Online user list
  Description: Records online user information, such as the mapping between users and IP addresses, the time when a session is established, and online duration. If the source IP address of the packet matches the online user table, the device directly extracts the user information without authenticating the user.

  Feature: Routing table/MAC address table
  Description:
    • If it is a Layer-3 interface, the FW queries the routing table based on the destination IP address carried in the packet and determines the outgoing interface. Policy-based routing is also applied during the route lookup and takes priority over the routing table: if a packet matches a policy-based route, the FW determines the outgoing interface from that route.
    • If it is a Layer-2 interface, the FW queries the MAC address table based on the destination MAC address carried in the packet and determines the outgoing interface.

  Feature: Authentication policy
  Description: Determines whether to perform authentication for a flow and obtains the user information based on the IP address and security zone information carried in a packet. Redirects the user's HTTP request and pushes the authentication page to the user who needs authentication, asking the user to enter the user name and password.

  Feature: Security policy (packet filtering)
  Description: Allows flows to be filtered based on the security policies specified.

  Feature: SSL-encrypted traffic detection policy
  Description: Content security inspection can be performed only after the encrypted traffic matching the SSL-encrypted traffic detection policy is decrypted.

  Feature: Source NAT policy
  Description: Looks up the source NAT policy and records the address translation information in the session table.

  Feature: Limit on the number of connections
  Description: Controls the number of concurrent sessions supported by the bandwidth policy.

  Features Involved in Subsequent Packet Processing

  Feature: Flow-based attack defense
  Description: Detects attacks that can be identified by analyzing multiple packets of a flow. For example, UDP flood defense limits the rate of UDP packets per session.

Security Inspection on the Packets Before Sending Them

In this phase, the FW provides constant security protection for flows and ensures that packets are forwarded to the destination.

  1. The FW checks the bandwidth usage and determines whether to forward or discard the packet based on bandwidth policies.

  2. The FW performs content security filtering based on the content security profile associated with the security policies. For details about content security service processing, see Content Security Service Process.

  3. The FW changes the source or destination address of the packet according to the address translation information in the session table.

  4. The FW processes the packet according to the VPN configuration:

    • If the received packet is a VPN packet destined for the FW, the FW decapsulates it. Then, the forwarding process is implemented again on the decapsulated packet.
    • If the packet is to enter a VPN tunnel (the FW is the start point of the tunnel), the FW encapsulates it.
  5. The FW determines the outgoing interface based on the results obtained from the MAC address table or routing table. The FW adjusts the traffic rate based on the bandwidth threshold specified for the interface.

  6. The FW sends the packet to the interface.

Table 3 describes the features used in this phase.

Table 3 Features involved in packet forwarding

  Feature: Bandwidth policy
  Description: Prevents network congestion.

  Feature: Content security
  Description: Checks packets for security risks and performs filtering in real time.

  Feature: Packet address translation
  Description: The FW changes the source or destination address of the packet according to the address translation information in the session table. Note that the packet address is not yet rewritten when the FW looks up the server map and the source NAT policy; at that point the FW has only obtained the post-NAT address, which the subsequent modules can already use.

  Feature: VPN
  Description: Implements secure connections between private networks over the Internet. The FW supports various VPN technologies, such as L2TP and IPSec, to meet different requirements.

  Feature: Outgoing interface bandwidth threshold
  Description: Enables packets to be discarded when the bandwidth usage over the outgoing interface exceeds the specified threshold.

Copyright © Huawei Technologies Co., Ltd.