A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. SASE Orchestrator supports configuration of Stateless, Stateful, and Enhanced Firewall Services (EFS) rules for Profiles and Edges.

Stateful Firewall

A Stateful firewall monitors and tracks the operating state and characteristics of every network connection passing through it and uses this information to decide which packets to allow. It builds a state table and admits only return traffic for connections currently listed in that table. Once a connection is removed from the state table, no further traffic from the external side of that connection is permitted.

The Stateful firewall feature provides the following benefits:
  • Helps mitigate attacks such as denial of service (DoS) and spoofing
  • More robust logging
  • Improved network security

The main differences between a Stateful firewall and a Stateless firewall are:

  • Matching is directional. For example, you can allow hosts on VLAN 1 to initiate a TCP session with hosts on VLAN 2 but deny the reverse. Stateless firewall rules translate into simple ACLs (access lists), which cannot express this distinction because they have no notion of who initiated the connection.
  • A stateful firewall is session aware. Using TCP's 3-way handshake as an example, a stateful firewall will not allow a SYN-ACK or a bare ACK to initiate a new session. The session must start with a SYN, and every subsequent packet in the TCP session must follow the protocol correctly or the firewall drops it. A stateless firewall has no concept of a session and filters purely on a packet-by-packet basis.
  • A stateful firewall requires symmetric routing. For instance, it is common for asymmetric routing to occur in a VMware SD-WAN network where traffic enters through one Hub but exits through another. With third-party routing the packet still reaches its destination, but a stateful firewall that sees only one direction of the session drops such traffic.
  • Stateful firewall rules are rechecked against existing flows after a configuration change. If an existing flow has already been accepted and you change the matching rule so that those packets are now dropped, the firewall re-evaluates the flow against the new rule set and drops it. Where an "allow" is changed to "drop" or "reject", the pre-existing flows time out and a firewall log is generated for the session close.
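The following toy stateful firewall is an added illustration of the four properties just listed (directional rules, a session must open with a SYN, return traffic is admitted only from the state table, and existing flows are re-evaluated after a rule change). It is example code written for this page, not the VMware SD-WAN Edge implementation; the networks, ports, rule names, idle timeout and log line formats are assumptions.

```python
"""Toy stateful firewall: directional rules, SYN-initiated sessions, a state
table for return traffic, idle timeout, and flow recheck after a rule reload.
Illustrative only; not the VMware SD-WAN Edge implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (RFC 793 layout)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int   # TCP flag bits
    ts: float    # arrival time in seconds


@dataclass
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or pkt.dport == self.dport))


FlowKey = Tuple[str, int, str, int]   # (initiator ip, port, responder ip, port)


class StatefulFirewall:
    def __init__(self, rules: List[Rule], idle_timeout: float = 60.0) -> None:
        self.rules = list(rules)
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, dict] = {}   # the state table
        self.log: List[str] = []

    def _lookup(self, pkt: Packet) -> Tuple[Optional[int], str]:
        """First-match rule lookup in the initiator's direction; implicit default deny."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return i, rule.action
        return None, "deny"

    def _expire(self, now: float) -> None:
        for key, flow in list(self.flows.items()):
            if now - flow["last"] > self.idle_timeout:
                del self.flows[key]
                self.log.append(f"close {key} reason=timeout")

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        fwd: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an established session pass in both directions.
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if key is not None:
            self.flows[key]["last"] = pkt.ts
            if pkt.flags & (FIN | RST):
                del self.flows[key]
                self.log.append(f"close {key} reason=fin_rst")
            return "allow"
        # No state: only a bare SYN may open a session. A stray SYN-ACK or ACK
        # is dropped even if a rule would allow the 5-tuple.
        if pkt.flags != SYN:
            self.log.append(f"deny {fwd} reason=no_session")
            return "deny"
        idx, action = self._lookup(pkt)
        if action != "allow":
            self.log.append(f"deny {fwd} rule={idx}")
            return "deny"
        self.flows[fwd] = {"rule": idx, "last": pkt.ts}
        self.log.append(f"open {fwd} rule={idx}")
        return "allow"

    def reload(self, rules: List[Rule]) -> None:
        """Configuration change: recheck every existing flow against the new rules."""
        self.rules = list(rules)
        for key in list(self.flows):
            probe = Packet(key[0], key[2], key[1], key[3], SYN, self.flows[key]["last"])
            idx, action = self._lookup(probe)
            if action != "allow":
                del self.flows[key]
                self.log.append(f"close {key} reason=rule_change")
            else:
                self.flows[key]["rule"] = idx
                self.log.append(f"update {key} rule={idx}")


def demo() -> Dict[str, str]:
    """Constructed traffic: VLAN 1 (10.1.0.0/16) may open HTTPS to VLAN 2 (10.2.0.0/16), not the reverse."""
    fw = StatefulFirewall([Rule("10.1.0.0/16", "10.2.0.0/16", 443, "allow")])
    out: Dict[str, str] = {}
    out["syn"] = fw.process(Packet("10.1.0.5", "10.2.0.9", 40000, 443, SYN, 0.0))
    out["syn_ack_return"] = fw.process(Packet("10.2.0.9", "10.1.0.5", 443, 40000, SYN | ACK, 0.1))
    out["ack"] = fw.process(Packet("10.1.0.5", "10.2.0.9", 40000, 443, ACK, 0.2))
    out["reverse_syn"] = fw.process(Packet("10.2.0.9", "10.1.0.5", 443, 50000, SYN, 0.3))  # directional
    out["stray_ack"] = fw.process(Packet("10.1.0.7", "10.2.0.9", 41000, 443, ACK, 0.4))    # no session
    fw.reload([Rule("10.1.0.0/16", "10.2.0.0/16", 443, "deny")])                          # allow -> deny
    out["after_change"] = fw.process(Packet("10.1.0.5", "10.2.0.9", 40000, 443, ACK, 0.5))
    out["log"] = "\n".join(fw.log)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the SYN from VLAN 1 opening a flow, the SYN-ACK from VLAN 2 passing as return traffic, a SYN initiated from VLAN 2 and a stray ACK both being denied, and, after the rule is flipped to deny, the established flow being closed with `reason=rule_change` so that its next packet is denied. The log events (open, close, deny, update) mirror the conditions under which the real product emits firewall logs.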
The requirements to use the Stateful Firewall are:
  • The VMware SD-WAN Edge must be using Release 3.4.0 or later.
  • By default, the Stateful Firewall feature is a customer capability activated for new customers on a SASE Orchestrator running release 3.4.0 or later. Customers created on an earlier 3.x Orchestrator need assistance from a Partner or VMware SD-WAN Support to activate this feature.
  • The SASE Orchestrator allows the enterprise user to activate or deactivate the Stateful Firewall feature at the Profile and Edge level from the respective Firewall page. To deactivate the Stateful Firewall feature for the whole enterprise, contact an Operator with Super User permission.
    Note: Asymmetric routing is not supported in Stateful Firewall activated Edges.

Enhanced Firewall Services

Enhanced Firewall Services (EFS) add security functionality on VMware SD-WAN Edges. EFS is powered by NSX Security and supports Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) services on the Edge, protecting Branch to Branch, Branch to Hub, and Branch to Internet traffic from intrusions.

Without EFS, the SD-WAN Edge Firewall provides stateful inspection along with application identification only. That gives a baseline of security, but it does not inspect traffic for intrusions, which leaves a gap in threat protection natively integrated with VMware SD-WAN. Edge EFS closes this gap by offering enhanced threat protection natively on the SD-WAN Edge.

Customers can configure and manage the Stateful Firewall and EFS using the Firewall functionality in VMware SASE Orchestrator. To configure firewall settings at the Profile and Edge level, see:

Firewall Logs

With the Stateful Firewall and Enhanced Firewall Services (EFS) features activated, more information can be reported in the firewall logs. The firewall logs will contain the following fields: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Extension Headers, Rule, Reason, Bytes Received, Bytes Sent, Duration, Application, Destination Domain, Destination Name, Session ID, Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attack Target, and Severity.
Note: Not all fields are populated for every firewall log. For example, Reason, Bytes Received/Sent, and Duration are included only in logs generated when a session is closed. Signature, IPS Alert, IDS Alert, Signature ID, Category, Attack Source, Attack Target, and Severity are populated only for EFS alert entries, not for regular flow log entries.
Firewall logs are generated:
  • When a flow is created (on the condition that the flow is accepted)
  • When the flow is closed
  • When a new flow is denied
  • When an existing flow is updated (due to a firewall configuration change)
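Because the fields above are populated selectively (Reason, Bytes and Duration only on session close; Signature, Severity and the Attack fields only on EFS alerts), a collector can tell the entry types apart by which fields are present. The following parser is an added example of doing that over forwarded records; it is not the Orchestrator's or the Edge's own code. The key=value line layout, the sample records, the rule names, the `low`/`medium`/`high`/`critical` severity scale and the `1`/`0` encoding of the IPS/IDS alert flags are all constructed assumptions for this example, not the product's documented export format.

```python
"""Triage of Edge firewall and EFS log records forwarded to a collector.
The key=value layout and the sample records are constructed for this example."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records (assumed layout; addresses are documentation ranges).
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01Z segment=Global edge=branch-1 action=allow interface=GE3 protocol=TCP src_ip=10.1.0.5 src_port=40000 dst_ip=203.0.113.10 dst_port=443 rule=allow-web session_id=1001
time=2024-05-01T10:00:02Z segment=Global edge=branch-1 action=deny interface=GE3 protocol=TCP src_ip=10.1.0.7 src_port=41000 dst_ip=10.2.0.9 dst_port=22 rule=block-ssh reason="rule deny" session_id=1002
time=2024-05-01T10:00:40Z segment=Global edge=branch-1 action=close interface=GE3 protocol=TCP src_ip=10.1.0.5 src_port=40000 dst_ip=203.0.113.10 dst_port=443 rule=allow-web reason="session closed" bytes_received=52310 bytes_sent=1844 duration=39 session_id=1001
time=2024-05-01T10:00:41Z segment=Global edge=branch-1 action=update interface=GE3 protocol=TCP src_ip=10.1.0.8 src_port=42000 dst_ip=10.2.0.9 dst_port=443 rule=allow-web session_id=1003
time=2024-05-01T10:00:50Z segment=Global edge=branch-1 action=alert protocol=TCP src_ip=198.51.100.23 src_port=51000 dst_ip=10.1.0.5 dst_port=80 signature="constructed test signature" ips_alert=1 ids_alert=0 signature_id=1000001 category=test-category attack_source=198.51.100.23 attack_target=10.1.0.5 severity=high session_id=1004
time=2024-05-01T10:00:51Z segment=Global edge=branch-1 action=alert protocol=TCP src_ip=198.51.100.24 src_port=51001 dst_ip=10.1.0.6 dst_port=80 signature="constructed test signature" ips_alert=0 ids_alert=1 signature_id=1000002 category=test-category attack_source=198.51.100.24 attack_target=10.1.0.6 severity=low session_id=1005
"""

# key=value pairs; a double-quoted value may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # assumed scale


def parse_line(line: str) -> Dict[str, str]:
    """Parse one record into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def classify(rec: Dict[str, str]) -> str:
    """Use the selectively populated fields to tell entry types apart."""
    if "signature_id" in rec:      # signature fields exist only on EFS alerts
        return "efs_alert"
    if "duration" in rec:          # Reason/Bytes/Duration exist only on session close
        return "flow_close"
    action = rec.get("action", "")
    if action in ("deny", "reject"):
        return "flow_deny"
    if action == "update":         # flow re-evaluated after a configuration change
        return "flow_update"
    return "flow_open"


def summarize(text: str, min_severity: str = "medium") -> dict:
    """Count entry types, denies per rule, bytes per closed session, and EFS alerts at or above a severity."""
    counts: Counter = Counter()
    denies_by_rule: Counter = Counter()
    bytes_by_session: Dict[str, int] = {}
    alerts: List[dict] = []
    threshold = SEVERITY_RANK[min_severity]
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind == "flow_deny":
            denies_by_rule[rec.get("rule", "<none>")] += 1
        elif kind == "flow_close":
            bytes_by_session[rec["session_id"]] = int(rec["bytes_received"]) + int(rec["bytes_sent"])
        elif kind == "efs_alert" and SEVERITY_RANK.get(rec.get("severity", ""), 0) >= threshold:
            alerts.append({
                "signature_id": rec["signature_id"],
                "signature": rec.get("signature", ""),
                "severity": rec["severity"],
                "mode": "IPS" if rec.get("ips_alert") == "1" else "IDS",
                "attack_source": rec.get("attack_source", ""),
                "attack_target": rec.get("attack_target", ""),
            })
    return {"counts": dict(counts), "denies_by_rule": dict(denies_by_rule),
            "bytes_by_session": bytes_by_session, "alerts": alerts}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
```

On the constructed input, `summarize` reports one entry of each flow type, two EFS alerts of which only the high-severity IPS alert passes the `medium` threshold, one deny attributed to `block-ssh`, and 54154 bytes for the closed session 1001. Classifying on field presence rather than on the `action` value is deliberate: it follows the page's statement about which fields appear on which entries, so it keeps working if the action vocabulary differs from the one assumed here.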
You can view the firewall logs by using the following firewall features:
  • Firewall Logging - By default, Edges do not send their firewall logs to the Orchestrator.
    Note: For an Edge to send firewall logs to the Orchestrator, the “Enable Firewall Logging to Orchestrator” customer capability must be activated at the Customer level on the “Global Settings” UI page. Customers must contact their Operator to have the Firewall Logging feature activated.

    You can view the Edge Firewall logs in Orchestrator from the Monitor > Firewall Logs page. For more information, see Monitor Firewall Logs.

  • Syslog Forwarding - Lets you view the logs by forwarding logs originating from enterprise SD-WAN Edges to one or more configured remote servers. By default, the Syslog Forwarding feature is deactivated for an enterprise. To forward logs to remote Syslog collectors, you must:
    1. Activate Syslog Forwarding feature under Configure > Edges/Profile > Firewall tab.
    2. Configure a Syslog collector under Configure > Edges/Profile > Device > Syslog Settings. For steps on how to configure Syslog collector details per segment in the SASE Orchestrator, see Configure Syslog Settings for Profiles.
Note: For Edge versions 5.2.0 and above, Firewall Logging to the Orchestrator does not depend on the Syslog Forwarding configuration.