Section 6 : Content Inspection
The firewall performs content inspection, if applicable: protocol decoders decode the flow, and the firewall parses it to identify known tunneling applications (those that routinely carry other applications, such as web-browsing).
If the identified application changes as a result, the firewall consults the security policy again to determine whether the session should be permitted to continue.
If the application does not change, the firewall inspects the content according to all the security profiles attached to the original matching rule. If inspection results in a threat detection, the corresponding security profile action is taken.
The firewall passes the packet to the forwarding stage if either of the following holds:
- inspection results in a detection and the security profile action is set to allow, or
- content inspection returns no detection.
If applicable (SSL forward proxy decryption or SSH decryption), the firewall re-encrypts the packet before it enters the forwarding stage.
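The decision logic of this stage, written out as an added Python model (this is an illustration, not PAN-OS code). The session, rule and profile structures, the decoder heuristic that reclassifies an HTTP CONNECT as the tunnelled application, the EICAR-based "threat" detector and the constructed rules are all assumptions made for the example; when the application changes and the re-consulted policy still allows it, the model inspects with the new rule's profiles, and the first profile whose action is not allow decides the verdict.

```python
"""Model of the content-inspection decision: decode, re-consult policy on an
application change, run the security profiles, and forward (re-encrypting if
the session was decrypted) only when nothing blocks the packet.

Added illustration, not PAN-OS code. Sessions, rules, profiles, the decoder
heuristic and the threat signature are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    app: str                   # application identified before this stage
    payload: bytes
    decrypted: bool = False    # SSL forward proxy / SSH decryption applied earlier


@dataclass
class Profile:
    name: str
    detect: Callable[[bytes], Optional[str]]   # returns a threat name or None
    action: str                                # "allow", "drop" or "reset"


@dataclass
class Rule:
    name: str
    apps: frozenset
    action: str                                # "allow" or "deny"
    profiles: List[Profile] = field(default_factory=list)


def decode_tunneled_app(session: Session) -> str:
    """Stand-in for the protocol decoders: a web-browsing flow carrying an HTTP
    CONNECT is reclassified as the tunnelled application (constructed heuristic)."""
    if session.app == "web-browsing" and session.payload.startswith(b"CONNECT "):
        return "ssl"
    return session.app


def lookup_policy(rules: List[Rule], app: str) -> Optional[Rule]:
    """First-match security policy lookup, as in the earlier policy stage."""
    return next((r for r in rules if app in r.apps or "any" in r.apps), None)


def content_inspection(session: Session, rules: List[Rule]) -> Tuple[str, Dict[str, object]]:
    """Return (verdict, details). 'forward' means the packet proceeds to the
    forwarding stage; any other verdict is the action that stopped it."""
    rule = lookup_policy(rules, session.app)          # rule matched before this stage
    if rule is None or rule.action != "allow":
        return "deny", {"stage": "policy", "app": session.app}
    new_app = decode_tunneled_app(session)
    if new_app != session.app:
        # Application changed: consult the security policy again before inspecting.
        session.app = new_app
        rule = lookup_policy(rules, new_app)
        if rule is None or rule.action != "allow":
            return "deny", {"stage": "policy-reevaluation", "app": new_app}
    threat_seen = None
    for profile in rule.profiles:
        threat = profile.detect(session.payload)
        if threat is None:
            continue
        if profile.action != "allow":
            return profile.action, {"stage": "profile", "profile": profile.name, "threat": threat}
        threat_seen = threat       # detection with action allow: logged, packet still forwarded
    # Forward; a decrypted session is re-encrypted before the forwarding stage.
    return "forward", {"stage": "inspection", "app": session.app,
                       "threat": threat_seen, "reencrypt": session.decrypted}


# Constructed sample data: the start of the EICAR test string stands in for a signature.
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"


def av_detect(payload: bytes) -> Optional[str]:
    return "eicar-test-file" if EICAR_PREFIX in payload else None


RULES = [
    Rule("allow-web", frozenset({"web-browsing"}), "allow",
         profiles=[Profile("av-block", av_detect, "drop")]),
    Rule("allow-dns", frozenset({"dns"}), "allow",
         profiles=[Profile("av-log-only", av_detect, "allow")]),
]

if __name__ == "__main__":
    for s in (Session("web-browsing", b"GET / HTTP/1.1\r\n", decrypted=True),
              Session("web-browsing", EICAR_PREFIX),
              Session("dns", EICAR_PREFIX),
              Session("web-browsing", b"CONNECT example.com:443 HTTP/1.1\r\n")):
        print(content_inspection(s, RULES))
```

The CONNECT case is the one worth tracing: the session was admitted as web-browsing, the decoder reclassifies it as ssl, and because no rule allows ssl the packet is denied even though it was previously allowed, which is the second policy consultation the text describes.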
Section 7 : Forwarding/Egress
The firewall identifies a forwarding domain for the packet, based on the forwarding setup (discussed earlier).
The firewall performs QoS shaping, as applicable, during egress. It also fragments the packet if needed, based on the MTU of the egress interface and the packet's Don't Fragment (DF) bit.
If the egress interface is a tunnel interface, IPSec/SSL-VPN tunnel encryption is performed and packet forwarding is re-evaluated for the encapsulated packet.
Finally, the packet is transmitted out of the physical egress interface.
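The egress steps above (egress lookup, MTU-based fragmentation, tunnel encapsulation followed by a second forwarding lookup) as an added Python model; it is an illustration, not PAN-OS code. The route table, interface names, MTUs and the 64-byte tunnel overhead are constructed, the outer header copying the inner DF bit is a simplifying assumption, and QoS shaping is not modelled. Fragmentation follows RFC 791 (offsets in 8-octet units, MF set on every fragment but the last, a packet with DF set that exceeds the MTU is not fragmented; a router would drop it and send ICMP Fragmentation Needed per RFC 1191).

```python
"""Model of the forwarding/egress stage: egress lookup, MTU-based fragmentation,
and tunnel encapsulation followed by a second forwarding lookup.

Added illustration, not PAN-OS code. Route table, interfaces, MTUs and the
tunnel overhead are constructed; copying the inner DF bit into the outer
header is a simplifying assumption. QoS shaping is not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

IPV4_HEADER_LEN = 20


@dataclass
class Packet:
    dst: str
    total_len: int                    # IPv4 total length: header + payload, bytes
    df: bool = False                  # Don't Fragment
    mf: bool = False                  # More Fragments
    frag_offset: int = 0              # in 8-octet units
    encap: Tuple[str, ...] = ()       # tunnel interfaces that encapsulated this packet
    inner: Optional[Packet] = None    # the encapsulated packet, for tunnel traffic


@dataclass
class Interface:
    name: str
    mtu: int
    tunnel_peer: Optional[str] = None  # outer destination, set for tunnel interfaces
    tunnel_overhead: int = 0           # bytes added by IPsec/SSL-VPN encapsulation (constructed)


IFACES = {
    "ethernet1/1": Interface("ethernet1/1", mtu=1500),
    # The tunnel MTU already leaves room for the encapsulation overhead.
    "tunnel.1": Interface("tunnel.1", mtu=1436, tunnel_peer="203.0.113.5", tunnel_overhead=64),
}
ROUTES = [(ip_network("10.1.0.0/16"), "tunnel.1"), (ip_network("0.0.0.0/0"), "ethernet1/1")]


def select_egress(dst: str) -> Interface:
    """Forwarding lookup: longest-prefix match over the constructed route table."""
    addr = ip_address(dst)
    _, name = max(((n, i) for n, i in ROUTES if addr in n), key=lambda r: r[0].prefixlen)
    return IFACES[name]


def fragment(pkt: Packet, mtu: int) -> Optional[List[Packet]]:
    """Split pkt to fit mtu; None means it cannot be sent (DF set and too large)."""
    if pkt.total_len <= mtu:
        return [pkt]
    if pkt.df:
        return None
    payload = pkt.total_len - IPV4_HEADER_LEN
    chunk = (mtu - IPV4_HEADER_LEN) // 8 * 8     # non-final fragments carry a multiple of 8 octets
    frags, off = [], 0
    while off < payload:
        size = min(chunk, payload - off)
        last = off + size >= payload
        frags.append(replace(pkt, total_len=IPV4_HEADER_LEN + size,
                             mf=(not last) or pkt.mf,        # re-fragmenting a middle piece keeps MF
                             frag_offset=pkt.frag_offset + off // 8))
        off += size
    return frags


def egress(pkt: Packet, depth: int = 0) -> Tuple[str, List[Tuple[str, Packet]]]:
    """Return (status, [(physical interface, packet as transmitted)]). For a tunnel
    interface each fragment is encapsulated and forwarding is run again for the
    outer packet, which is addressed to the tunnel peer."""
    if depth > 4:                      # a tunnel routed back into a tunnel would loop forever
        return "drop-tunnel-loop", []
    iface = select_egress(pkt.dst)
    frags = fragment(pkt, iface.mtu)
    if frags is None:
        return "drop-fragmentation-needed", []
    if iface.tunnel_peer is None:
        return "transmit", [(iface.name, f) for f in frags]
    sent: List[Tuple[str, Packet]] = []
    for f in frags:
        outer = Packet(dst=iface.tunnel_peer, total_len=f.total_len + iface.tunnel_overhead,
                       df=f.df, encap=f.encap + (iface.name,), inner=f)
        status, pkts = egress(outer, depth + 1)
        if status != "transmit":
            return status, []
        sent.extend(pkts)
    return "transmit", sent


if __name__ == "__main__":
    for p in (Packet("10.1.2.3", 1500), Packet("10.1.2.3", 1500, df=True), Packet("198.51.100.7", 3000)):
        status, out = egress(p)
        print(status, [(i, q.total_len, q.encap) for i, q in out])
```

The DF case is the practical point: a 1500-byte packet with DF set that is routed into the tunnel cannot be fragmented to the tunnel MTU and is dropped, which is why a tunnel interface MTU (or TCP MSS adjustment) that accounts for the encapsulation overhead matters more than the physical interface MTU.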