What happens first: Firewall or Threat Prevention

Currently reading
What happens first: Firewall or Threat Prevention


NAS Support
DS1520+, DS218+, DS215j
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
There's two approaches to applying access policies when there more than one engine: in parallel and in series.

I'm forgetting which way it used to be on certain firewalls but it used to be important to know at which point onward routing, NAT, and firewall rules were applied and if any changes where applied at previous steps (e.g. has NAT happened to the packet yet). With multi-core CPUs (and multi-CPU servers) it possible to run the tests concurrently and determine whether to allow the traffic or not based on the returned status of each test.

I was just wondering whether firewall rules are applied before threat prevention. It would seem probable that they are as TP is likely to be more processor intensive so best to remove known-unwanted traffic first. But I think I see some traffic in TP alert/deny logs that are from countries I've totally blocked in the FW policy (at the very top). It's hard to test on an active setup.

Anyone noticed similar or not?

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!