Stateful Inspection Overview
Stateful Inspection Overview
All traffic that goes through the firewall is inspected using the Adaptive Security Algorithm and is either
allowed through or dropped. A simple packet filter can check for the correct source address, destination
address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks
every packet against the filter, which can be a slow process.
Note
The following feature allows you to customize the packet flow:
on page
A stateful firewall like the FWSM, however, takes into consideration the state of a packet:
•
Note
Note
•
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
1-8
21-10.
Is this a new connection?
If it is a new connection, the firewall has to check the packet against access lists and perform other
tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the
session goes through the "session management path," and depending on the type of traffic, it might
also pass through the "control plane path."
The first packet for a session cannot be comprised of fragments for a packet that is larger than
8500 Bytes. The session will be established, but only the first 8500 Bytes will be sent out.
Subsequent packets for this session are not affected by this limitation.
The session management path is responsible for the following tasks:
Performing the access list checks
–
Performing route lookups
–
Allocating NAT translations (xlates)
–
Establishing sessions in the "accelerated path"
–
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
The FWSM performs session management path and accelerated path processing on three
specialized networking processors. The control plane path processing is performed in a
general-purpose processor that also handles traffic directed to the FWSM and configuration and
management tasks.
Is this an established connection?
If the connection is already established, the firewall does not need to recheck packets; most
matching packets can go through the accelerated path in both directions. The accelerated path is
responsible for the following tasks:
IP checksum verification
–
Session lookup
–
TCP sequence number check
–
NAT translations based on existing sessions
–
Chapter 1
Introduction to the Firewall Services Module
"Configuring TCP State Bypass" section
OL-20748-01