
Overview of Stateful Inspection

This section describes basic concepts about stateful inspection.

Using stateful inspection, the FW checks whether the connection state of each packet is valid and discards packets whose state is invalid. Stateful inspection applies both to ordinary packets and to inner packets (the decapsulated payload of VPN packets).

When the FW is the only egress of a network, all packets are forwarded through the FW. In this case, both incoming and outgoing packets pass through the FW. You can enable stateful inspection on the FW to secure services.

If only one direction of a flow (incoming or outgoing) passes through the FW, the FW may not receive the first packet of a connection, as shown in Figure 1.

Figure 1 Network with different forward and return paths

In this case, you must disable stateful inspection so that services work normally: with stateful inspection disabled, the FW can also establish sessions based on subsequent (non-first) packets.

The following table describes how the FW processes the first TCP or ICMP packet of a flow when stateful inspection is enabled or disabled. A session is established only if the packet passes the device's other security checks, including security policies.

Table 1 Session establishment for TCP and ICMP packets

| Protocol | First Packet Type | Stateful Inspection Enabled | Stateful Inspection Disabled |
|---|---|---|---|
| TCP | SYN packet | The FW creates sessions and forwards packets. | The FW creates sessions and forwards packets. |
| TCP | SYN+ACK and ACK packets | The FW does not create sessions and discards packets. | The FW creates sessions and forwards packets. |
| ICMP | Echo Request packet (ping packet) | The FW creates sessions and forwards packets. | The FW creates sessions and forwards packets. |
| ICMP | Echo Reply packet (ping packet) | The FW does not create sessions and discards packets. | The FW creates sessions and forwards packets. |
| ICMP | Destination Unreachable, Source Quench, and Time Exceeded packets | The FW does not create sessions and forwards packets. | The FW does not create sessions and forwards packets. |
| ICMP | Other ICMP packets | The FW creates sessions and forwards packets, but does not support NAT. | The FW creates sessions and forwards packets, but does not support NAT. |

For ICMP, stateful inspection applies only to Echo Request and Echo Reply packets.
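As an added illustration (not code from the Huawei documentation), the following Python model implements the first-packet decisions of Table 1 together with a direction-independent session table, and replays the asymmetric-path case of Figure 1 in which the FW first sees the server's SYN+ACK. The packet fields, the sample addresses and the convention of carrying the ICMP echo identifier in both port fields are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "icmp"
    src: str     # source IP (constructed sample addresses below)
    dst: str     # destination IP
    sport: int   # TCP source port; for ICMP echo, the echo identifier (assumption)
    dport: int   # TCP destination port; for ICMP echo, the echo identifier (assumption)
    kind: str    # tcp: "SYN", "SYN+ACK", "ACK"; icmp: "echo-request", "echo-reply", errors


# ICMP error messages (Table 1): forwarded without creating a session in either mode.
ICMP_ERRORS = {"dest-unreach", "source-quench", "time-exceeded"}


class Firewall:
    """Simplified first-packet logic of Table 1 plus a session table keyed per flow."""

    def __init__(self, stateful_inspection: bool):
        self.stateful_inspection = stateful_inspection
        self.sessions = set()

    @staticmethod
    def flow_key(p: Packet):
        # Same key for both directions so that return traffic matches the session.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.sessions:
            return "forward"                 # subsequent packet of a known session
        if p.proto == "icmp":
            if p.kind in ICMP_ERRORS:
                return "forward"             # forwarded, but no session is created
            if p.kind == "echo-reply" and self.stateful_inspection:
                return "drop"                # reply with no matching request seen
        elif p.proto == "tcp":
            if p.kind != "SYN" and self.stateful_inspection:
                return "drop"                # SYN+ACK or ACK cannot open a session
        self.sessions.add(key)               # assumes the security policy permits the flow
        return "forward"


def asymmetric_tcp(stateful_inspection: bool):
    """Figure 1: the client's SYN bypasses the FW, so the FW first sees the SYN+ACK."""
    fw = Firewall(stateful_inspection)
    synack = Packet("tcp", "10.0.0.5", "192.0.2.10", 80, 40001, "SYN+ACK")  # server -> client
    ack = Packet("tcp", "192.0.2.10", "10.0.0.5", 40001, 80, "ACK")          # client -> server
    return [fw.process(synack), fw.process(ack)]
```

With stateful inspection enabled the asymmetric flow is dropped entirely, which is the service outage the section warns about; with it disabled the SYN+ACK opens a session and the ACK matches it.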

Copyright © Huawei Technologies Co., Ltd.