Checkpoint with asymmetric routing

Checkpoint session table with asymmetric routing

How Checkpoint handles a new session with asymmetric routing


Network


We have a network with asymmetric routing, as shown in the diagram below. Both firewalls are Checkpoint appliances.

Traffic


When a host in the 192.168.100.0 network tries to communicate with 192.168.200.0:
  • Right Checkpoint will process all packets (SYN, SYN-ACK, ACK)
  • Left Checkpoint will see only packets from 192.168.200.0 to 192.168.100.0
  • The first packet on the left FW will be SYN-ACK
  • On left FW: SYN-ACK without SYN, so this will be dropped


When a host in the 192.168.200.0 network tries to communicate with 192.168.100.0:
  • Right Checkpoint will process all packets (SYN, SYN-ACK, ACK)
  • Left Checkpoint will see only packets from 192.168.200.0 to 192.168.100.0
  • The first packet on the left FW will be SYN
  • Left FW will not see SYN-ACK
  • On left FW: ACK without SYN-ACK (but with SYN); this should be dropped
  • To establish a session, Checkpoint needs only the SYN packet (or SYN and ACK)
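The two cases above, replayed through a toy session table as an added example (a simplified model written for this page, not Checkpoint's own code). The host addresses, ports, state names and the `strict` switch are assumptions: `strict=True` models the expectation that an ACK without SYN-ACK is dropped, `strict=False` models the behaviour described in the last bullet.

```python
# Toy TCP session table for ONE firewall (simplified model, not Checkpoint code).
LEFT_SEES_FROM = "192.168.200."  # left FW only sees packets sourced from this network


def conn_key(src, sport, dst, dport):
    # Direction-independent key: both directions of a flow share one table entry.
    return tuple(sorted([(src, sport), (dst, dport)]))


def inspect(packets, strict=False):
    """Return one verdict per packet, in order.

    strict=False: a SYN alone creates the session (behaviour described above).
    strict=True : an ACK is accepted only after a SYN-ACK was seen.
    """
    table, verdicts = {}, []
    for src, sport, dst, dport, flags in packets:
        key = conn_key(src, sport, dst, dport)
        state = table.get(key)
        ack_ok = {"SYNACK_SEEN", "ESTABLISHED"} | (set() if strict else {"SYN_SEEN"})
        if flags == "SYN":
            table[key] = "SYN_SEEN"
            verdicts.append("accept")
        elif flags == "SYN-ACK" and state == "SYN_SEEN":
            table[key] = "SYNACK_SEEN"
            verdicts.append("accept")
        elif flags == "ACK" and state in ack_ok:
            table[key] = "ESTABLISHED"
            verdicts.append("accept")
        else:
            verdicts.append("drop")  # e.g. SYN-ACK with no matching SYN
    return verdicts


def seen_by_left(handshake):
    # Asymmetric path: the left FW never sees packets sourced from 192.168.100.0.
    return [p for p in handshake if p[0].startswith(LEFT_SEES_FROM)]


A, B = "192.168.100.10", "192.168.200.20"  # constructed sample hosts
# Case 1: host in 192.168.100.0 initiates. Case 2: host in 192.168.200.0 initiates.
CASE1 = [(A, 40000, B, 443, "SYN"), (B, 443, A, 40000, "SYN-ACK"), (A, 40000, B, 443, "ACK")]
CASE2 = [(B, 40001, A, 443, "SYN"), (A, 443, B, 40001, "SYN-ACK"), (B, 40001, A, 443, "ACK")]

if __name__ == "__main__":
    print("right FW, case 1:", inspect(CASE1))
    print("left FW,  case 1:", inspect(seen_by_left(CASE1)))
    print("left FW,  case 2:", inspect(seen_by_left(CASE2)))
    print("left FW,  case 2 (strict):", inspect(seen_by_left(CASE2), strict=True))
```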

