FortiGate Firewall Packet Flow - in depth for troubleshooting

  41,108 views

Tekguru4u


======================== FortiGate firewall packet flow ========================
FortiGate firewall architecture
CP8 & NP6
Hardware acceleration
dirty flag, may_dirty flag
IPS
Life of a session
I know it's always "Life of a packet" when any vendor explains the packet flow of a firewall, but I don't agree with this phrase, as it can create misunderstanding, which I will explain in this article. In my view the topic name should be "Life of a session".
Why? To explain this, let's take a simple example of HTTPS traffic only.
Because when you type www.tekguru4u.com in the browser, it's not only a SYN packet that goes from your PC and gets inspected by the firewall; a lot of packets get exchanged before you see the web page. So how can it be "Life of a packet"? It could be "Life of packets", but that doesn't make sense because packets can also be from another website request.
1. DNS query.
2. Complete 3-way handshake.
3. Complete SSL handshake, and then
4. HTTP requests, where a lot of HTTP packets will be exchanged.
5. And if you change the application within the same website, the packet will be checked for "change of application", as with a tunneled application.
You have seen how many packets get exchanged in one session. And every packet has a different packet flow.
1. The 1st packet of the session is the DNS packet, and it's treated differently from the other packets.
2. After that, the 3-way handshake starts.
3. The first packet of the 3-way handshake does not get offloaded; it has to travel through all the inspection modes.
4. The rest of the packets of the 3-way handshake will get offloaded.
5. Another great point to know is that the complete three-way handshake does not need to match Layer 7 inspection (UTM) because it works only up to L4. But in the FortiGate logs you can see that the packet is passed through Layer 7 inspection, which does not make sense. Nothing is matched here, though.
6. To inspect a packet at Layer 7, at least a small amount of data is required after the 3-way handshake, for example an HTTP GET request.
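
The per-packet handling listed above, as a simplified model added here for illustration (not FortiGate code and not from the video). It assumes flows are keyed by a direction-independent 5-tuple; the sample packets, addresses and handling labels are constructed.

```python
from collections import namedtuple

# Constructed sample packets for one page load (documentation address ranges).
Pkt = namedtuple("Pkt", "src sport dst dport proto flags payload_len")
SAMPLE = [
    Pkt("192.0.2.10", 53001, "198.51.100.53", 53, "udp", "", 40),     # DNS query
    Pkt("198.51.100.53", 53, "192.0.2.10", 53001, "udp", "", 56),     # DNS reply
    Pkt("192.0.2.10", 40000, "203.0.113.80", 443, "tcp", "S", 0),     # SYN
    Pkt("203.0.113.80", 443, "192.0.2.10", 40000, "tcp", "SA", 0),    # SYN/ACK
    Pkt("192.0.2.10", 40000, "203.0.113.80", 443, "tcp", "A", 0),     # ACK
    Pkt("192.0.2.10", 40000, "203.0.113.80", 443, "tcp", "PA", 517),  # TLS ClientHello
]

def flow_key(p):
    """Direction-independent 5-tuple so replies map to the same session entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def classify(packets):
    """Return one (flow_key, handling) pair per packet, in arrival order."""
    sessions, out = {}, []
    for p in packets:
        key = flow_key(p)
        state = sessions.get(key)
        if state is None:
            # First packet of a flow: no session entry yet, so it takes the
            # full inspection path and cannot be offloaded.
            sessions[key] = {"l7_seen": False}
            handling = "new-session"
        elif p.proto == "tcp" and p.payload_len > 0 and not state["l7_seen"]:
            # First data after the handshake: earliest point where Layer 7
            # inspection has something to match against.
            state["l7_seen"] = True
            handling = "l7-inspectable"
        else:
            # Matches an existing entry: the offload candidates in the list above.
            handling = "existing-session"
        out.append((key, handling))
    return out

if __name__ == "__main__":
    for pkt, (_, handling) in zip(SAMPLE, classify(SAMPLE)):
        print(f"{pkt.proto:3} {pkt.flags:2} len={pkt.payload_len:<4} -> {handling}")
```
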
