SunScreen 3.2 Administrator's Overview

SunScreen Model

When a packet passes from system A to system B through the firewall (the Screen, acting as a router between the two systems), the following takes place:

  1. System A looks in its routing table for a route to system B and finds one through the firewall.

  2. System A must send the packet to the firewall for routing to system B. It sends out an ARP (address resolution protocol) request for the firewall's address and receives a reply from the firewall. System A now knows the MAC (media access control) address of the firewall and sends the packet to it.

  3. The firewall takes the packet and compares its source IP address, destination IP address, and service against the rules. If the rules permit the packet, the firewall creates a state-table entry for the session and routes the packet out the interface that leads toward system B.

  4. The firewall sends out an ARP request to learn the MAC address of system B, then sends the packet to system B.

  5. If this packet belongs to a session in which packets must also flow back from system B to system A, the return packets are passed without a second rule lookup, because the state-table entry created in step 3 allows them. In an HA configuration, every member of the HA cluster must hold the same state-table entries. If they do not, sessions whose state exists only on the failed Screen are dropped when the active Screen fails and a passive Screen becomes the active Screen.
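The five steps above, reduced to the parts the firewall itself decides (step 3 rule matching, step 5 state-table lookup, and the HA state-synchronization caveat), as an added example. This is not SunScreen code; the rule fields, the state-table key, and the two hypothetical Screens and addresses are assumptions made for illustration. It shows that the reply from B passes only because of the state entry, and that after a failover to a Screen whose state table was not synchronized, that same reply is dropped.

```python
"""Toy model of a stateful, routing-mode firewall in an HA pair.

Added example, not SunScreen code. Rule layout, state-table key and the
addresses below are assumptions chosen to illustrate the packet flow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    src: str            # source address, or "*" for any
    dst: str            # destination address, or "*" for any
    service: tuple      # (protocol, destination port), e.g. ("tcp", 80)
    action: str         # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        # Step 3: source, destination and service are what the rules see.
        return (self.src in ("*", p.src)
                and self.dst in ("*", p.dst)
                and self.service == (p.proto, p.dport))


class Screen:
    """One firewall. The state table holds the 5-tuple of each allowed session."""

    def __init__(self, name: str, rules: list):
        self.name = name
        self.rules = rules
        self.state = set()

    @staticmethod
    def key(p: Packet) -> tuple:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> tuple:
        # A reply swaps addresses and ports; match it against the forward entry.
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def filter(self, p: Packet) -> str:
        # Step 5: packets of an established session bypass the rule lookup.
        if self.key(p) in self.state or self.reverse_key(p) in self.state:
            return "pass (state)"
        # Step 3: first packet of a session is checked against the rules,
        # first match wins; anything unmatched is dropped (default deny).
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.state.add(self.key(p))
                    return "pass (rule, state created)"
                return "drop (rule)"
        return "drop (no rule)"


class HACluster:
    """Active/passive pair. sync_state models whether state tables are replicated."""

    def __init__(self, members: list, sync_state: bool):
        self.members = members
        self.active = members[0]
        self.sync_state = sync_state

    def filter(self, p: Packet) -> str:
        verdict = self.active.filter(p)
        if self.sync_state:
            for m in self.members:
                m.state = set(self.active.state)
        return verdict

    def failover(self) -> str:
        self.active = next(m for m in self.members if m is not self.active)
        return self.active.name


def run_demo(sync_state: bool) -> tuple:
    """Returns the verdicts for: A's request, B's reply after failover,
    and an unsolicited packet from B that no rule allows."""
    rules = [Rule("10.0.1.5", "10.0.2.9", ("tcp", 80), "allow")]   # assumed policy
    cluster = HACluster([Screen("screen1", rules), Screen("screen2", rules)], sync_state)
    request = Packet("10.0.1.5", "10.0.2.9", "tcp", 40000, 80)      # A -> B, step 3
    reply = Packet("10.0.2.9", "10.0.1.5", "tcp", 80, 40000)        # B -> A, step 5
    unsolicited = Packet("10.0.2.9", "10.0.1.5", "tcp", 4444, 22)   # B -> A, no session
    first = cluster.filter(request)
    cluster.failover()                      # active Screen fails, passive takes over
    second = cluster.filter(reply)
    third = cluster.filter(unsolicited)
    return first, second, third


if __name__ == "__main__":
    print("state synchronized:    ", run_demo(True))
    print("state not synchronized:", run_demo(False))
```

With synchronized state the reply passes on the new active Screen; without it the reply is dropped, because no rule allows traffic from B's port 80 to A's ephemeral port and the state entry that would have let it through lived only on the failed Screen. The unsolicited packet from B is dropped in both cases, which is the point of keying the state table on the full 5-tuple rather than just the address pair.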