Stateful Firewall – Traffic Flow and Default Inspection


Stateful firewalls examine the Layer 4 headers and above, which is what enables application-aware inspection. They keep track of every connection passing through their interfaces by analysing packet headers and, where needed, payload information. The payload reveals what a transaction is actually doing, which protects against attacks that header-only filtering cannot see. For example, deep packet inspection lets the firewall deny specific Hypertext Transfer Protocol (HTTP) content types or specific File Transfer Protocol (FTP) commands that may be used to penetrate networks.


Stateful Inspection


Stateful firewalls contrast with packet filters, which match individual packets only on their source and destination network addresses and transport-layer port numbers. Packet filters keep no state and do not check the validity of transport-layer sessions: sequence numbers, Transmission Control Protocol (TCP) control flags, TCP acknowledgements and fragmented packets all go unexamined. Their key advantage is speed, since they are typically processed in hardware. Reflexive access lists are closer to a stateful tool than packet filters: whenever a TCP or User Datagram Protocol (UDP) session is permitted outbound, a temporary entry permitting the matching return traffic is added automatically.

The disadvantage of reflexive access lists is that they cannot detect or drop malicious fragments or overlapping TCP segments; they only match the reversed address and port tuple. Transport-layer session inspection goes further than reflexive access lists and addresses fragment reassembly and transport-layer validation. Application level gateways (ALGs) add application awareness and can deal with protocols such as FTP or Session Initiation Protocol (SIP) that exchange IP addresses and port numbers in the application payload. These protocols operate by opening additional data sessions on multiple, dynamically negotiated ports, which the ALG learns from the control channel so that it can open only those ports.

In a perfect world, where most traffic exits the data center, servers are patched regularly and listen only on standard TCP or UDP ports, designers could get away with simple packet filters. In the real world each server is also a client, has multiple traffic flows into and out of the data center and to back-end systems, and uses unpredictable source TCP or UDP port numbers, which makes packet filters impractical. For such unpredictable scenarios and for poorly managed servers, add control with deep packet inspection. A stateful firewall keeps connection state and allows return traffic dynamically: a returning packet is permitted only if state for that flow already exists in the connection table. If it is not part of a known flow, it is dropped.
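The following is an added example, not code from the original post: a toy model of the three filtering approaches just described (a stateless packet filter, a reflexive ACL and a stateful inspector) run over one constructed TCP exchange. The addresses, ports and sequence numbers are made up, and the stateful inspector is a deliberately small state machine (handshake tracking, flag checks and a sequence-number window) rather than any vendor's implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment crossing the firewall. Values are constructed for the demo."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP control flags, e.g. "S", "SA", "A", "R"
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    seq: int = 0
    ack: int = 0


def packet_filter(pkt):
    """Stateless packet filter. Outbound is permitted; inbound is permitted only
    when the ACK bit is set (the classic 'established' keyword), because there is
    no state to say whether a session actually exists."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags


class ReflexiveACL:
    """Permit outbound and add a temporary mirrored 5-tuple so that matching
    return traffic is permitted. Flags and sequence numbers are never examined."""

    def __init__(self):
        self.mirror = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            self.mirror.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.mirror


class StatefulInspector:
    """Track each TCP connection through its handshake and validate control flags
    and sequence numbers on every later segment. Payload length tracking is
    omitted, so the window is measured from the numbers recorded at handshake."""

    WINDOW = 65535  # segments further than this from the expected sequence number are rejected

    def __init__(self):
        self.conns = {}

    @staticmethod
    def key(pkt):
        # Canonical key: (inside ip, inside port, outside ip, outside port)
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt):
        k = self.key(pkt)
        c = self.conns.get(k)
        if c is None:
            # Only an inside-initiated SYN may open a connection; anything else is dropped.
            if pkt.direction == "out" and pkt.flags == "S":
                self.conns[k] = {"state": "SYN_SENT", "client_isn": pkt.seq}
                return True
            return False
        if "R" in pkt.flags:
            del self.conns[k]        # RST tears the connection down
            return True
        if c["state"] == "SYN_SENT":
            # The SYN-ACK must arrive from the outside and acknowledge our ISN + 1.
            if pkt.direction == "in" and pkt.flags == "SA" and pkt.ack == c["client_isn"] + 1:
                c.update(state="ESTABLISHED", client_next=c["client_isn"] + 1,
                         server_next=pkt.seq + 1)
                return True
            return False
        # ESTABLISHED: every segment must carry ACK, must not be a new SYN, and its
        # sequence number must fall inside the window expected from that side.
        if "A" not in pkt.flags or "S" in pkt.flags:
            return False
        expected = c["client_next"] if pkt.direction == "out" else c["server_next"]
        return expected <= pkt.seq < expected + self.WINDOW


# Constructed sequence: a normal handshake, then two hostile inbound segments.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "S", "out", seq=1000),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "SA", "in", seq=5000, ack=1001),
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "A", "out", seq=1001, ack=5001),
    # ACK scan from an unrelated host: no session exists for this 5-tuple.
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, "A", "in", seq=1, ack=1),
    # Spoofed segment on the live 5-tuple with a sequence number far outside the window.
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "A", "in", seq=999999, ack=1001),
]


def run(packets):
    """Return the verdict each filtering model gives for every packet, in order."""
    reflexive, stateful = ReflexiveACL(), StatefulInspector()
    return {
        "packet_filter": [packet_filter(p) for p in packets],
        "reflexive_acl": [reflexive.allow(p) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for model, verdicts in run(SAMPLE).items():
        print(f"{model:14s}", ["permit" if v else "drop" for v in verdicts])
```

The packet filter lets both hostile segments through because it can only look at the ACK bit; the reflexive ACL stops the ACK scan but passes the spoofed segment because the 5-tuple matches its mirror entry; only the stateful inspector drops both, which is the transport-layer validation the section is describing.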


Security Levels

Regardless of the firewall mode (routed or transparent) or whether it runs a single or multiple contexts, the Adaptive Security Appliance (ASA) permits traffic based on a security level configured per interface. Every ASA interface must have a security level, and the configurable range is 0 (lowest trust) to 100 (highest trust); the numbering controls which traffic flows are permitted by default. The default security level is 0, with one exception: if an interface is given the name "inside" with nameif and no security level is entered explicitly, the ASA automatically sets it to 100 (highest).


An ASA interface forwards traffic only once both a nameif and a security level are defined for it.


Traffic Flow Between Security Levels

By default, traffic can flow from a higher security level to a lower one without any explicit configuration, while traffic from a lower level to a higher one is denied. Also, interfaces with the same security level cannot communicate directly with each other, and a packet cannot exit through the same interface it entered on.





To override these defaults and permit traffic from a lower to a higher security level, explicitly configure an ACL on the interface or, on newer versions, use a global ACL. An ACL applied inbound on an interface replaces the implicit high-to-low permit for that interface; a global ACL applies to inbound traffic on all interfaces and is evaluated after any interface ACL.


Inter-interface communication (routed mode only): enter the command same-security-traffic permit inter-interface, or permit the traffic explicitly with an ACL. This gives design granularity and allows more interfaces to communicate, since several interfaces can then share one security level. Intra-interface communication is configured for traffic hairpinning (traffic arrives on the outside interface and goes back out the outside interface). This is useful for hub-and-spoke VPN deployments, where spoke-to-spoke traffic enters the hub's interface and is routed back out the same interface. To enable intra-interface communication, enter the command same-security-traffic permit intra-interface.


Be careful not to create asymmetric routing, which can cause return traffic to traverse a different ASA from the one holding the connection state; that ASA has no entry for the flow and drops the packets. Traffic through an ASA must be symmetric.


Default Inspection

ASA implements what is known as the Modular Policy Framework (MPF). MPF controls WHAT traffic is matched, using class maps that select Layer 3 or Layer 4 traffic such as TCP, UDP or ICMP, or application traffic such as HTTP or DNS. It also controls HOW that traffic is treated, using policy maps that apply actions such as application inspection, connection limits and timeouts, and QoS parameters; a service policy then attaches the policy map to one interface or globally.

The ASA tracks TCP and UDP connections from inside (higher security level) to outside (lower security level) statefully, and this cannot be disabled. Traffic from outside to inside is not permitted unless it is the return half of an existing flow. When the original packet leaves, an entry is created in the state (connection) table; when the return packet arrives, the ASA checks that table before any ACL and before the implicit deny. Because the entry records the specific connection and, for inspected protocols, application data, this is more than a Layer 3 or Layer 4 check and its depth depends on the application in use. ICMP is not inspected by default, so an echo reply is not matched to the request that caused it: enable ICMP inspection (inspect icmp) in the global inspection policy, or explicitly permit the replies with an interface or global ACL. The global service policy applies to all interfaces.

A good troubleshooting tool, packet-tracer, walks a synthetic packet through every phase (route lookup, ACL, NAT, inspection and flow creation) and displays the order in which the ASA processes it, which makes it the quickest way to see why a given flow is dropped.
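As an added example (not code from the original post, and not Cisco's implementation), here is a small Python model of the decision order described in the Security Levels and Default Inspection sections above: connection-table lookup first, then the inbound interface ACL and global ACL, then the security-level defaults, then flow creation. It also reproduces the same-security-traffic and inspect icmp behaviours, and returns a packet-tracer-style list of phases. The interface names, addresses and rules are constructed for illustration, and one simplification is assumed: once any ACL is configured for the ingress interface, the security-level defaults for that interface are replaced by the ACLs plus an implicit deny.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    in_if: str      # ingress nameif
    out_if: str     # egress nameif (the routing decision is assumed, not modelled)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # for icmp: the echo identifier, carried unchanged in the reply
    dport: int = 0


@dataclass
class Asa:
    levels: dict                                    # nameif -> security-level
    acls: dict = field(default_factory=dict)        # nameif -> inbound ACL rules
    global_acl: list = field(default_factory=list)  # rules applied to all interfaces inbound
    same_inter: bool = False   # same-security-traffic permit inter-interface
    same_intra: bool = False   # same-security-traffic permit intra-interface
    inspect_icmp: bool = False # 'inspect icmp' present in the global policy
    conns: set = field(default_factory=set)         # the connection (state) table

    @staticmethod
    def conn_key(p):
        # Direction-independent key, so the reply packet of a flow finds the same entry.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    @staticmethod
    def match(rules, p):
        # A rule is (action, proto, src, dst, dport); "any" and 0 are wildcards. First match wins.
        for action, proto, src, dst, dport in rules:
            if proto in ("any", p.proto) and src in ("any", p.src) \
                    and dst in ("any", p.dst) and dport in (0, p.dport):
                return action
        return None

    def trace(self, p):
        """Return (verdict, phases) in the order the checks are applied."""
        phases = []
        key = self.conn_key(p)
        if key in self.conns:
            phases.append("CONN-LOOKUP: existing flow, ACL bypassed")
            return "ALLOW", phases
        phases.append("CONN-LOOKUP: no existing flow")

        iface_rules = self.acls.get(p.in_if, [])
        if iface_rules or self.global_acl:
            action = self.match(iface_rules, p)
            if action:
                phases.append(f"ACCESS-LIST ({p.in_if}): {action}")
            else:
                action = self.match(self.global_acl, p)
                if action:
                    phases.append(f"ACCESS-LIST (global): {action}")
                else:
                    action = "deny"
                    phases.append("ACCESS-LIST: implicit deny")
        else:
            lin, lout = self.levels[p.in_if], self.levels[p.out_if]
            if p.in_if == p.out_if:
                action = "permit" if self.same_intra else "deny"
                phases.append(f"INTRA-INTERFACE ({p.in_if}): {action}")
            elif lin > lout:
                action = "permit"
                phases.append(f"SECURITY-LEVEL: {lin} -> {lout}, implicit permit")
            elif lin == lout:
                action = "permit" if self.same_inter else "deny"
                phases.append(f"SECURITY-LEVEL: {lin} == {lout}, {action}")
            else:
                action = "deny"
                phases.append(f"SECURITY-LEVEL: {lin} -> {lout}, implicit deny")

        if action != "permit":
            return "DROP", phases
        if p.proto in ("tcp", "udp") or self.inspect_icmp:
            self.conns.add(key)
            phases.append("FLOW-CREATION: state entry added, return traffic will match it")
        else:
            phases.append("FLOW-CREATION: none (icmp not inspected)")
        return "ALLOW", phases


def demo():
    """Walk constructed packets through a four-interface ASA; returns the verdicts."""
    asa = Asa(levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})
    v = {}
    web_out = Pkt("inside", "outside", "tcp", "10.0.0.5", "203.0.113.9", 40000, 80)
    web_back = Pkt("outside", "inside", "tcp", "203.0.113.9", "10.0.0.5", 80, 40000)
    ssh_in = Pkt("outside", "inside", "tcp", "198.51.100.7", "10.0.0.5", 5555, 22)
    v["tcp out"] = asa.trace(web_out)[0]
    v["tcp return"] = asa.trace(web_back)[0]
    v["tcp inbound new"] = asa.trace(ssh_in)[0]
    # An inbound ACL on outside permits the SSH flow (and replaces that interface's defaults).
    asa.acls["outside"] = [("permit", "tcp", "any", "10.0.0.5", 22)]
    v["tcp inbound new, outside ACL"] = asa.trace(ssh_in)[0]
    ping = Pkt("inside", "outside", "icmp", "10.0.0.5", "203.0.113.9", 7, 7)
    pong = Pkt("outside", "inside", "icmp", "203.0.113.9", "10.0.0.5", 7, 7)
    v["icmp out"] = asa.trace(ping)[0]
    v["icmp reply, no inspect"] = asa.trace(pong)[0]
    asa.inspect_icmp = True          # 'inspect icmp' added to the global policy
    asa.trace(ping)
    v["icmp reply, inspect icmp"] = asa.trace(pong)[0]
    dmz = Pkt("dmz", "dmz2", "udp", "172.16.1.10", "172.16.2.10", 5000, 53)
    v["same level default"] = asa.trace(dmz)[0]
    asa.same_inter = True            # same-security-traffic permit inter-interface
    v["same level, permit inter-interface"] = asa.trace(dmz)[0]
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:38s} {verdict}")
```

The run shows the two effects that trip people up most often: the echo reply is dropped until inspect icmp (or an explicit ACL) exists, even though the request left freely, and two interfaces at the same level cannot talk until same-security-traffic permit inter-interface is set. Comparing the phases list with the output of the real packet-tracer command on a lab ASA is a good way to check the model against the box.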




About Matt Conran
