<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Hello, By encapsulation, you in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/how-do-transparent-firewalls-inspect-ip-traffic/m-p/2692627#M194267</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;By encapsulation, you mean an 802.1q?&lt;/P&gt;&lt;P&gt;When a packet comes in, the firewall does all the checks that it does as if it was a layer 3; it checks the IPs and then revisits the MPF policy to check if something applies.&lt;/P&gt;&lt;P&gt;The layer 2 headers will remain intact; the firewall takes actions on what it sees on the packet, and there is no need to remove headers to see what is inside. Take Wireshark, for example: if you capture traffic that is not encrypted, even if it is encapsulated, you can see the information on the packet. The firewall acts the same way: it sees what is in it and acts on it.&lt;/P&gt;&lt;P&gt;Mike.&lt;/P&gt;</description>
    <pubDate>Mon, 29 Jun 2015 17:44:32 GMT</pubDate>
    <dc:creator>Maykol Rojas</dc:creator>
    <dc:date>2015-06-29T17:44:32Z</dc:date>
    <item>
      <title>how do transparent firewalls inspect IP traffic?</title>
      <link>https://community.cisco.com/t5/network-security/how-do-transparent-firewalls-inspect-ip-traffic/m-p/2692626#M194266</link>
      <description>&lt;P&gt;How do transparent firewalls inspect IP traffic, since these firewalls are a 'bump in the wire'? This means hosts sending packets destined for external networks will encapsulate it as a frame with the source MAC of the host and the destination MAC of the gateway (which would be the router).&lt;/P&gt;&lt;P&gt;Let's assume the host has already received an ARP reply with the MAC address of the gateway, and the transparent firewall has populated its CAM table and knows the destination MAC interface.&lt;/P&gt;&lt;P&gt;Before the packet destined for a remote network comes in on the inside interface of the transparent firewall, it will be encapsulated in a frame with the destination MAC of the default gateway. In my understanding of regular forwarding, that frame will only get decapsulated when it gets to the gateway interface with the destination MAC. The gateway will then forward along the remote network destination IP traffic. My question is how does the transparent ASA inspect IP traffic? Does it decapsulate the frame on behalf of the gateway? Then inspect the IP source/dest? I appreciate any clear explanation. Thanks,&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 06:11:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-do-transparent-firewalls-inspect-ip-traffic/m-p/2692626#M194266</guid>
      <dc:creator>west33637</dc:creator>
      <dc:date>2019-03-12T06:11:44Z</dc:date>
    </item>
    <item>
      <title>Hello, By encapsulation, you</title>
      <link>https://community.cisco.com/t5/network-security/how-do-transparent-firewalls-inspect-ip-traffic/m-p/2692627#M194267</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;By encapsulation, you mean an 802.1q?&lt;/P&gt;&lt;P&gt;When a packet comes in, the firewall does all the checks that it does as if it was a layer 3; it checks the IPs and then revisits the MPF policy to check if something applies.&lt;/P&gt;&lt;P&gt;The layer 2 headers will remain intact; the firewall takes actions on what it sees on the packet, and there is no need to remove headers to see what is inside. Take Wireshark, for example: if you capture traffic that is not encrypted, even if it is encapsulated, you can see the information on the packet. The firewall acts the same way: it sees what is in it and acts on it.&lt;/P&gt;&lt;P&gt;Mike.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2015 17:44:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-do-transparent-firewalls-inspect-ip-traffic/m-p/2692627#M194267</guid>
      <dc:creator>Maykol Rojas</dc:creator>
      <dc:date>2015-06-29T17:44:32Z</dc:date>
    </item>
  </channel>
</rss>

