A few questions...
Please could anyone explain the reasons why services/alg is the final step (except for installing the session in slow-path) in both the first and fast path processing orders?
Why does the flow chart show that, after the session is created in the slow path, it goes next to the fast path screens option, rather than filtering and shaping before egress?
Why is TCP only present in the fast path, and what does this involve?
Lastly, if these devices are stateful, when it's written that the filtering happening in the data plane/PFE is stateless, could anyone explain more about this?
I assume you are talking about this flow diagram.
ALG processing involves additional parameters, flows or streams that are associated with the primary session. As a result, you need to do all the primary session processing before dealing with the custom setups for additional traffic that is allowed by the ALG.
Screens are applied after session setup and are needed in both the fast and slow path to provide the desired protection.
TCP is in the same position in the fast and first path, after the screens. This is the actual TCP packet changes that take place on the device.
Filters only operate on a packet-by-packet basis in the direction they are applied, input or output. They are not aware of and do not see the return traffic, only the direction they are applied on.
Greater detail on all the steps can be found in this longer PDF documentation.
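The stateless versus stateful distinction discussed in the answer above, as an added example that is not part of the original posts and is not Junos code: a simplified Python model in which a filter judges each packet on its own while a session table installs both directions of a flow on the first packet. The names `stateless_filter`, `FlowModule` and `compare`, the addresses, the policy and the default-discard behaviour are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def stateless_filter(pkt, terms):
    """Judge one packet against ordered terms; nothing is remembered between calls."""
    for match, action in terms:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            return action
    return "discard"  # default when no term matches (assumption of this model)

class FlowModule:
    """Toy session table: policy is consulted only for the first packet of a flow."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()

    def process(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "fast path"
        if not self.policy(p):
            return "deny"
        # Install both wings so the reply matches without a second policy lookup.
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
        self.sessions.add((p.dst, p.dport, p.src, p.sport))
        return "first path"

# Constructed sample traffic (documentation address ranges).
OUT = Packet("10.0.0.5", "203.0.113.10", 40000, 443)
REPLY = Packet("203.0.113.10", "10.0.0.5", 443, 40000)
UNSOLICITED = Packet("203.0.113.10", "10.0.0.5", 443, 40001)
TRAFFIC = (OUT, REPLY, UNSOLICITED)

ONE_WAY = [({"dport": 443}, "accept")]
WITH_RETURN_TERM = ONE_WAY + [({"sport": 443}, "accept")]

def compare():
    flow = FlowModule(lambda p: p.src.startswith("10.") and p.dport == 443)
    return {
        "filter_one_way": [stateless_filter(p, ONE_WAY) for p in TRAFFIC],
        "filter_with_return": [stateless_filter(p, WITH_RETURN_TERM) for p in TRAFFIC],
        "flow": [flow.process(p) for p in TRAFFIC],
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

In this model the filter either drops the reply or, once a return term is written, also accepts the unsolicited packet from source port 443, while the session table permits only the reply that matches an installed flow.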