A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. SD-WAN Orchestrator supports configuration of stateless and stateful firewalls for Profiles and Edges.

A Stateful firewall monitors and tracks the operating state and characteristics of every network connection coming through the firewall and uses this information to determine which network packets to allow through the firewall. A stateful firewall builds a state table and uses it to allow only returning traffic from connections currently listed in the table. After a connection is removed from the state table, no further traffic from the external device of that connection is permitted.

The Stateful firewall feature provides the following benefits:
  • Protection against attacks such as denial of service (DoS) and spoofing
  • More robust logging
  • Improved network security

The main differences between a Stateful firewall and a Stateless firewall are:

  • Matching is directional. For example, you can allow hosts on VLAN 1 to initiate a TCP session with hosts on VLAN 2 but deny the reverse. Stateless firewalls translate into simple ACLs (access control lists), which do not allow for this kind of granular control.
  • A stateful firewall is session aware. Using TCP's 3-way handshake as an example, a stateful firewall will not allow a SYN-ACK or an ACK to initiate a new session. The session must start with a SYN, and all other packets in the TCP session must also follow the protocol correctly or the firewall will drop them. A stateless firewall has no concept of a session and instead filters each packet individually, with no knowledge of the session it belongs to.
  • A stateful firewall enforces symmetric routing. For instance, it is very common for asymmetric routing to happen in a VMware network where traffic enters the network through one Hub but exits through another. Leveraging third-party routing, the packet is still able to reach its destination. With a stateful firewall, such traffic would be dropped.
  • Stateful firewall rules get rechecked against existing flows after a configuration change. So, if an existing flow has already been accepted, and you configure the stateful firewall to now drop those packets, the firewall will recheck the flow against the new rule set and then drop it. For those scenarios where an "allow" is changed to "drop" or "reject", the pre-existing flows will time out and a firewall log will be generated for the session close.
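The four behaviours in the list above, shown as a simplified Python model added here as an example (this is not VMware code and does not reflect how the Edge implements its firewall): directional rules between VLANs, a state table keyed on the initiator's 4-tuple so that only return traffic for known sessions is accepted, a TCP session that must open with a bare SYN and be answered by a SYN-ACK, and a rule change that is rechecked against existing flows. The `Packet`, `Rule`, `Flow` and `StatefulFirewall` names, the VLAN numbers and the IP addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of the stateful behaviour described above, not the
# Edge's implementation. TCP flags are modelled as a frozenset of names.
@dataclass(frozen=True)
class Packet:
    src_vlan: int
    dst_vlan: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"FIN"}

@dataclass(frozen=True)
class Rule:
    src_vlan: int  # VLAN of the host that initiates the session
    dst_vlan: int  # VLAN of the responder
    action: str    # "allow" or "drop"

@dataclass
class Flow:
    src_vlan: int
    dst_vlan: int
    stage: str  # "syn_sent" until the initiator's ACK, then "established"

class StatefulFirewall:
    """Rules match on direction (initiator VLAN -> responder VLAN); the state
    table, keyed on the initiator's 4-tuple, is what lets return traffic through."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.state: Dict[tuple, Flow] = {}
        self.log: List[dict] = []

    def _lookup(self, src_vlan, dst_vlan) -> str:
        # First matching rule wins; no matching rule means an implicit drop.
        for r in self.rules:
            if (r.src_vlan, r.dst_vlan) == (src_vlan, dst_vlan):
                return r.action
        return "drop"

    def _log(self, event, key, reason=""):
        self.log.append({"event": event, "flow": key, "reason": reason})

    def process(self, p: Packet) -> str:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.state:  # further traffic from the session initiator
            flow = self.state[fwd]
            if p.flags & {"FIN", "RST"}:
                del self.state[fwd]
                self._log("closed", fwd, "initiator closed")
            elif flow.stage == "syn_sent" and p.flags == {"ACK"}:
                flow.stage = "established"  # third step of the handshake
            return "allow"
        if rev in self.state:  # return traffic from the responder
            flow = self.state[rev]
            if flow.stage == "syn_sent" and p.flags != {"SYN", "ACK"}:
                return "drop"  # only a SYN-ACK may answer the initial SYN
            if p.flags & {"FIN", "RST"}:
                del self.state[rev]
                self._log("closed", rev, "responder closed")
            return "allow"
        # Unknown flow: only a bare SYN in an allowed direction opens a session.
        if p.flags != {"SYN"}:
            self._log("denied", fwd, "not a SYN")
            return "drop"
        if self._lookup(p.src_vlan, p.dst_vlan) != "allow":
            self._log("denied", fwd, "no allow rule in this direction")
            return "drop"
        self.state[fwd] = Flow(p.src_vlan, p.dst_vlan, "syn_sent")
        self._log("created", fwd)
        return "allow"

    def update_rules(self, rules: List[Rule]) -> None:
        """Recheck existing flows against the new rules; flows that are no
        longer allowed are removed and a session-close entry is logged."""
        self.rules = list(rules)
        for key, flow in list(self.state.items()):
            if self._lookup(flow.src_vlan, flow.dst_vlan) != "allow":
                del self.state[key]
                self._log("closed", key, "rule changed to drop")

def demo() -> dict:
    """Walk a VLAN 1 -> VLAN 2 session through the firewall (constructed values)."""
    fw = StatefulFirewall([Rule(1, 2, "allow")])
    a, b = ("10.0.1.10", 40000), ("10.0.2.20", 443)
    ack = Packet(1, 2, *a, *b, frozenset({"ACK"}))
    out = {
        "syn": fw.process(Packet(1, 2, *a, *b, frozenset({"SYN"}))),
        "synack": fw.process(Packet(2, 1, *b, *a, frozenset({"SYN", "ACK"}))),
        "ack": fw.process(ack),
        "reverse_init": fw.process(Packet(2, 1, *b, "10.0.1.10", 22, frozenset({"SYN"}))),  # no rule VLAN 2 -> 1
        "stray_synack": fw.process(Packet(1, 2, "10.0.1.11", 41000, *b, frozenset({"SYN", "ACK"}))),  # no SYN seen
    }
    fw.update_rules([Rule(1, 2, "drop")])  # allow changed to drop: existing flow is rechecked
    out["after_change"] = fw.process(ack)
    out["events"] = [e["event"] for e in fw.log]
    return out
```

Running `demo()` shows the handshake being accepted in order, the reverse-direction SYN and the stray SYN-ACK being denied, and the established flow being closed and then dropped once the rule changes to drop. The model removes a rechecked flow immediately rather than letting it time out, which is the one place it simplifies the behaviour described above.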

The requirements to use the Stateful Firewall are:
  • The VMware SD-WAN Edge must be using Release 3.4.0 or later.
  • By default, the Stateful Firewall feature is activated for new customers on an SD-WAN Orchestrator using 3.4.0 or later releases. Customers created on a 3.x Orchestrator will need assistance from a Partner or VMware SD-WAN Support to activate this feature.
  • The SD-WAN Orchestrator allows the enterprise user to activate or deactivate the Stateful Firewall feature at the Profile and Edge level from the respective Firewall page. To deactivate the Stateful Firewall feature for an enterprise, contact an Operator with Super User permission.
    Note: Asymmetric routing is not supported on Edges with the Stateful Firewall activated.
To configure firewall settings at the Profile and Edge level, see:

Stateful Firewall Logs

With the Stateful Firewall activated, more information can be reported in the firewall logs. The firewall logs will contain the following fields: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Rule, Bytes Received/Sent, and Duration.
Note: Not all fields will be populated for all firewall logs. For example, Reason, Bytes Received/Sent and Duration are fields included in logs when sessions are closed.
Logs are generated:
  • When a flow is created (on the condition that the flow is accepted)
  • When the flow is closed
  • When a new flow is denied
  • When an existing flow is updated (due to a firewall configuration change)
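A small parser and summary for the log fields listed above, added here as an example. The page lists the field names but not the wire format that the Edge emits, so the key=value layout of the sample records below is an assumption made for this example only; the records themselves are constructed. The point the code demonstrates is the caveat in the note: close-only fields (Reason, Bytes Received/Sent, Duration) are absent from flow-creation and denial records, so a consumer must treat them as optional.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample records in an assumed key=value layout (not the Edge's real format).
SAMPLE_LOGS = [
    "Time=2024-07-01T10:00:01Z Segment=Global Edge=branch-1 Action=allow Interface=GE3 "
    "Protocol=TCP SourceIP=10.0.1.10 SourcePort=40000 DestinationIP=10.0.2.20 DestinationPort=443 Rule=vlan1-to-vlan2",
    "Time=2024-07-01T10:00:02Z Segment=Global Edge=branch-1 Action=deny Interface=GE3 "
    "Protocol=TCP SourceIP=10.0.2.20 SourcePort=5000 DestinationIP=10.0.1.10 DestinationPort=22 Rule=default",
    # Session close: the only record kind that carries Reason, byte counts and Duration.
    "Time=2024-07-01T10:05:01Z Segment=Global Edge=branch-1 Action=allow Interface=GE3 "
    "Protocol=TCP SourceIP=10.0.1.10 SourcePort=40000 DestinationIP=10.0.2.20 DestinationPort=443 Rule=vlan1-to-vlan2 "
    "Reason=fin BytesReceived=12345 BytesSent=678 Duration=300",
    "Time=2024-07-01T10:06:00Z Segment=Global Edge=branch-1 Action=allow Interface=GE3 "
    "Protocol=UDP SourceIP=10.0.1.12 SourcePort=5353 DestinationIP=10.0.2.53 DestinationPort=53 Rule=dns",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict; absent fields simply have no key."""
    return dict(KV.findall(line))

def classify(rec: Dict[str, str]) -> str:
    """'closed' when the close-only fields are present, 'denied' for a blocked
    new flow, otherwise 'created'. Uses .get() because fields may be missing."""
    if rec.get("Duration") is not None:
        return "closed"
    if rec.get("Action", "").lower() in ("deny", "drop", "reject"):
        return "denied"
    return "created"

def summarize(lines: List[str]) -> dict:
    """Count record kinds, total bytes per rule from close records, and list denials."""
    counts: Counter = Counter()
    bytes_by_rule = defaultdict(int)
    denied = []
    for line in lines:
        rec = parse_record(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind == "closed":
            # Byte counters exist only on close records; a missing counter is treated as 0.
            total = int(rec.get("BytesReceived", 0)) + int(rec.get("BytesSent", 0))
            bytes_by_rule[rec.get("Rule", "?")] += total
        elif kind == "denied":
            denied.append((rec.get("SourceIP"), rec.get("DestinationIP"), rec.get("DestinationPort")))
    return {"counts": dict(counts), "bytes_by_rule": dict(bytes_by_rule), "denied": denied}
```

Feeding the sample records to `summarize()` yields two creation records, one denial and one close, with the byte total attributed to the rule named in the close record; the denial list is the kind of view that is useful when checking that a directional rule is blocking what it should.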
You can view the firewall logs by sending the logs originating from enterprise SD-WAN Edges to one or more centralized remote Syslog collectors (servers). By default, the Syslog Forwarding feature is deactivated for an enterprise. To forward the logs to remote Syslog collectors, you must:
  1. Activate the Syslog Forwarding feature under Configure > Edge/Profile > Firewall tab.
  2. Configure a Syslog collector under Configure > Edges > Device > Syslog Settings. For steps on how to configure Syslog collector details per segment in the SD-WAN Orchestrator, see Configure Syslog Settings for Profiles with New Orchestrator UI.
Note: Firewall logging is not supported from both Edge and Orchestrator.