A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. SD-WAN Orchestrator supports configuration of stateless and stateful firewalls for Profiles and Edges.
A Stateful firewall monitors and tracks the operating state and characteristics of every network connection coming through the firewall and uses this information to determine which network packets to allow through the firewall. The Stateful firewalls build a state table and use this table to allow only returning traffic from connections currently listed in the state table. After a connection is removed from the state table, no traffic from the external device of this connection is permitted.
- Prevent attacks such as denial of service (DoS) and spoofing
- More robust logging
- Improved network security
The main differences between a Stateful firewall and a Stateless firewall are:
- Matching is directional. For example, you can allow hosts on VLAN 1 to initiate a TCP session with hosts on VLAN 2 but deny the reverse. Stateless firewalls translate into simple ACLs (Access lists) which do not allow for this kind of granular control.
- A stateful firewall is session aware. Using TCP's 3-way handshake as an example, a stateful firewall will not allow a SYN-ACK or an ACK to initiate a new session. It must start with a SYN, and all other packets in the TCP session must also follow the protocol correctly or the firewall will drop them. A stateless firewall has no concept of a session and instead filters packets based purely on a packet by packet, individual basis.
- A stateful firewall enforces symmetric routing. For instance, it is very common for asymmetric routing to happen in a VMware network where traffic enters the network through one Hub but exits through another. Leveraging third-party routing, the packet is still able to reach its destination. With a stateful firewall, such traffic would be dropped.
- Stateful firewall rules get rechecked against existing flows after a configuration change. So, if an existing flow has already been accepted, and you configure the stateful firewall to now drop those packets, the firewall will recheck the flow against the new rule set and then drop it. For those scenarios where an "allow" is changed to "drop" or "reject", the pre-existing flows will time out and a firewall log will be generated for the session close.
- The VMware SD-WAN Edge must be using Release 3.4.0 or later.
- By default, the Stateful Firewall feature is activated for new customers on an SD-WAN Orchestrator using 3.4.0 or later releases. Customers created on a 3.x Orchestrator will need assistance from a Partner or VMware SD-WAN Support to activate this feature.
- The SD-WAN Orchestrator allows the enterprise user to activate or deactivate the Stateful Firewall feature at the Profile and Edge level from the respective Firewall page. To deactivate the Stateful Firewall feature for an enterprise, contact an Operator with Super User permission.
Note: Asymmetric routing is not supported in Stateful Firewall activated Edges.
Stateful Firewall Logs
- When a flow is created (on the condition that the flow is accepted)
- When the flow is closed
- When a new flow is denied
- When an existing flow is updated (due to a firewall configuration change)
- Activate Syslog Forwarding feature under tab.
- Configure a Syslog collector under SD-WAN Orchestrator, see Configure Syslog Settings for Profiles with New Orchestrator UI. . For steps on how to configure Syslog collector details per segment in the