How does a Firewall processess a packet?

A firewall is a system which helps us to make our system more secure by filtering the incoming and ongoing traffic based on the set of userdefined rules. In general, firewall blocks the unwanted traffic and allow the legitimate traffic to flow freely. 

Traffic can be  either incoming or outgoing for which the firewall has a distinct set of rules for either case. In general, a firewall processes a packet is as follows:

• Source address

• Source port

• Destination address

• Destination port

• Ingress interface

• Egress interface

• Protocol used

Firewall process a packet as below,

Source Address,source port,Destination Address,Destination Port,ingress interface,egress interface & Protocol used.

i would like to describe a scenario:

Inside network,outside network & DMZ network

When an inside user attempts to access a web server(DMZ) network,packet flow look like this.

Source address - IP

Source port - 22966

Destination address - IP

Destination port - 8080

Ingress interface - Inside

Egress interface - DMZ

Protocol used - TCP (Transmission Control Protocol)

Thanks

it does so by processing packet headers

like protocol, source address, destination address ,,,

then a firewall check established sessions to verify whether the connection is already established or new

if new it goes through the process of validation as per configured access policies

if the connection is already established the decision if left to the forwarding plane/table

Below is best answer -

Any packet is coming with below information-

• Source address

• Source port

• Destination address

• Destination port

• Ingress interface

• Egress interface

• Protocol used

After you determine the details of the packet flow as described here, it is easy to isolate the issue to this specific connection entry.

Cisco ASA Packet Process Algorithm

Here is a diagram of how the Cisco ASA processes the packet that it receives:

Here are the individual steps in detail:

1. The packet is reached at the ingress interface.
2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
3. Cisco ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.

If packet flow does not match a current connection, then the TCP state is verified. If it is a SYN packet or UDP (User Datagram Protocol) packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

1. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.
2. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.
3. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

Additional security checks will be implemented if a Content Security (CSC) module is involved.

1. The IP header information is translated as per the Network Address Translation/ Port Address Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to Advanced Inspection and Prevention Security Services Module (AIP-SSM)  for IPS related security checks when the AIP module is involved.
2. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.
3. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that takes the priority.
4. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.
5. The packet is transmitted on the wire, and interface counters increment on the egress interface.

If i understand the question correctly, the question is how a firewall(could be any vendor) processes the packet, so i would say it would depend on the firewall type(packet filtering or nextGen), its architecture(order of processing packets) and if any additional modules like AV Systems etc are added to it.

Based on the order of processing, a packet would be passed on the next check and if a deny is encountered, it drops the packet.

 There are two kinds of firewall : Hard firewal & Soft firewal

 if it is hard firewall it use access list to direct the packets & if it is soft firewal it use the filtre option to direct the packets

A firewall is a filtering network gateway and is only effective on packets that must go through it. Therefore, it can only be effective when going through the firewall is the only route for these packets

It depends on the firewall type for example, there is Layer 4 firewall that do packet  .inspection From the Transport Layer going down to the Physical layer

Other types of firewalls do packet inspection from Layer 7 till layer 1 , these are called Application layer firewall and can be sophisticated hardware devices like Cisco ASA for example.

All the answers are perfect.. to answer that Q, we should know the following:

1. what type of the farewall that we are using? let say "packet inspection firewal" or "Applications Firewall as F5..."

2. Firewall locations.

3. Is the firewall cabeble to catch malware or introusions segnitures.

4. One of the answers mention Fireeye is tha firewall ? on some orgnization they add other layer as fireeye or cisco extra product to prevent from some APT attacks..

5. Brand name for firewalls.

All diffrent scenarios and solutions for firewalls...

 .By filtering Incoming and Outgoing Traffic, Depending on the user's rule

The firewall simply acts the door of incoming and outgoing packets, that filter all the incoming and outgoing information and divided into blocks of packets, Every Firewall has its own configuration that certain rules can be applied. If packets contain some irregularities the firewall react and inspect what are the irregularities. Thereafter allow or drop packets during the process of transmission.