09-12-2012 11:06 AM - edited 03-11-2019 04:53 PM
Hi,
Could someone please clarify my question?
In a Cisco firewall, which is inspected first: network address translation (NAT) or the access list?
09-12-2012 11:22 AM
Hi Mohammad,
FWSM has a completely different architecture, based upon which packet flow can be understood. Here is the explanation below:
The FWSM architecture is hierarchical, using four different components:
Network Processor 1 (NP1)
Network Processor 2 (NP2)
Network Processor 3 (NP3)
Control Point (CP, PC, CPU)
NP1 and NP2 are the front line processors that are responsible for reading and analyzing all traffic initially. NP1 and NP2 are responsible for receiving packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Adding these all together gives you the 6 Gigabit link as identified in the FWSM datasheets.
NP1 and NP2 are responsible for the following functions:
- Perform per packet session lookup
- Maintain connection table
- Perform NAT/PAT
- TCP checks
- Handle reassembled IP packets (NP2 only)
- TCP sequence number shift for "randomization"
- Syn Cookies
NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes first packet in a flow
- ACL checks
- Translation creation
- Embryonic/established connection counts
- TCP/UDP checksums
- Per-flow offset calculation for TCP sequence number "randomization"
- TCP intercept
- IP reassembly
NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.
The Control Point sits above NP3, and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:
- Syslogs
- AAA (Radius/TACACS+)
- URL filtering (Websense/N2H2)
- Management traffic (telnet/SSH/HTTPS/SNMP)
- Failover communications
- Routing protocols
- Most Layer 7 fixups/inspections
Let me know if it answers your concern.
Regards
Gurpreet
09-12-2012 11:11 AM
Hi Mohammed,
Prior to version 8.3, the access-list is hit first, followed by NAT, and then the route lookup. In 8.3 and above, NAT is hit first, then the ACL, which is why real IPs are used in the interface ACL.
Let me know if you have any other questions
Regards
Gurpreet
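To make the ordering difference concrete, here is an added example (written for this page, not code from the thread or from Cisco) that models an inbound packet on the outside interface under the two evaluation orders the reply describes: pre-8.3 the interface ACL is checked before NAT, so it matches the mapped address; 8.3+ NAT is applied first, so the ACL matches the real address. The addresses, the static NAT rule and the two ACLs are constructed sample values, and the model only covers ACL and NAT (the route lookup is left out).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access control entry, the way an ASA ACL line would express it."""
    action: str                   # "permit" or "deny"
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class StaticNat:
    real: str     # address the host actually has on the inside
    mapped: str   # address it is published as on the outside


def untranslate(pkt: Packet, nat_rules) -> Packet:
    """Inbound on the outside interface: rewrite a mapped destination to its real address."""
    for rule in nat_rules:
        if pkt.dst == rule.mapped:
            return Packet(pkt.src, rule.real, pkt.dport)
    return pkt   # no xlate for this destination: packet keeps its original address


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE decides; an implicit deny sits at the end of every ACL."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def process_inbound(pkt: Packet, acl, nat_rules, version: tuple) -> tuple:
    """Return (verdict, packet as it would be forwarded) for the given software version."""
    if version < (8, 3):
        # pre-8.3: ACL first, so it is evaluated against the mapped (outside) IP
        if not acl_permits(acl, pkt):
            return ("deny", pkt)
        return ("permit", untranslate(pkt, nat_rules))
    # 8.3 and above: NAT first, so the ACL is evaluated against the real IP
    real = untranslate(pkt, nat_rules)
    if not acl_permits(acl, real):
        return ("deny", real)
    return ("permit", real)


# Constructed sample data: a web server published via static NAT.
NAT_RULES = [StaticNat(real="10.1.1.10", mapped="203.0.113.10")]
ACL_MAPPED = [Ace("permit", "0.0.0.0/0", "203.0.113.10/32", 80)]  # written pre-8.3 style
ACL_REAL = [Ace("permit", "0.0.0.0/0", "10.1.1.10/32", 80)]       # written 8.3+ style
INBOUND_HTTP = Packet(src="198.51.100.7", dst="203.0.113.10", dport=80)


def compare() -> dict:
    """Same packet, same NAT rule, each ACL style under each evaluation order."""
    return {
        "pre83_mapped_acl": process_inbound(INBOUND_HTTP, ACL_MAPPED, NAT_RULES, (8, 2))[0],
        "pre83_real_acl": process_inbound(INBOUND_HTTP, ACL_REAL, NAT_RULES, (8, 2))[0],
        "83_mapped_acl": process_inbound(INBOUND_HTTP, ACL_MAPPED, NAT_RULES, (8, 3))[0],
        "83_real_acl": process_inbound(INBOUND_HTTP, ACL_REAL, NAT_RULES, (8, 3))[0],
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:18s} -> {verdict}")
```

Running it shows the upgrade pitfall directly: an ACL written against the mapped address permits the traffic on 8.2 but is never matched on 8.3 (the destination has already been untranslated to 10.1.1.10), and the reverse holds for an ACL written against the real address. After an upgrade across 8.3, each outside-interface ACE that references a mapped address needs to be reviewed and rewritten for the real address, or the published service silently stops being reachable.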
09-12-2012 11:15 AM
Dear Gurpreet,
Thanks for your reply. Does the same happen in the Cisco FWSM also?
09-12-2012 10:20 PM
Thank you Gurpreet,
I still have one doubt.
As you said, in 8.3 and above NAT is hit first, which is why we put the real IP in the access-list (on the outside). But if we have a NAT rule for inside users (generally on the inside interface), and we have an access-list on the inside interface, how should we write that access-list: for the NATed mapped IP or for the real IP?
If we apply the access-list for the real IP, then as you said NAT is hit first, followed by the access-list. NAT will then translate to the mapped IP, so do we need to permit the mapped IP from the inside?