The firewall itself is implemented as a bunch of kernel modules that plug into LInux kernel (2.6.18 as of R77.30) . From OSI model standpoint it plugs itself between the Data Link Layer and the Network Layer. It means Check Point can inspect any packets bearing IP addresses in their headers. It also means that it does not check/verify/care for Layer 2 information. So it cannot inspect Ethernet headers for example.