A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. SASE Orchestrator supports configuration of Stateless, Stateful, and Enhanced Firewall Services (EFS) rules for Profiles and Edges.

Stateful Firewall

A Stateful firewall monitors and tracks the operating state and characteristics of every network connection passing through the firewall and uses this information to decide which network packets to allow through. Stateful firewalls build a state table and use it to allow only return traffic for connections currently listed in that table. After a connection is removed from the state table, no further traffic from the external host of that connection is permitted.

The Stateful firewall feature provides the following benefits:
  • Helps prevent attacks such as denial of service (DoS) and spoofing, since packets that do not belong to a tracked session are dropped
  • More robust logging
  • Improved network security

The main differences between a Stateful firewall and a Stateless firewall are:

  • Matching is directional. For example, you can allow hosts on VLAN 1 to initiate a TCP session with hosts on VLAN 2 but deny the reverse. Stateless firewalls translate into simple ACLs (access control lists), which do not allow for this kind of granular control.
  • A stateful firewall is session aware. Using TCP's 3-way handshake as an example, a stateful firewall will not allow a SYN-ACK or an ACK to initiate a new session. It must start with a SYN, and all other packets in the TCP session must also follow the protocol correctly or the firewall will drop them. A stateless firewall has no concept of a session and instead filters packets based purely on a packet-by-packet, individual basis.
  • A stateful firewall enforces symmetric routing. Asymmetric routing is quite common in a VMware network: traffic enters the network through one Hub but the return traffic exits through another. With stateless filtering and third-party routing the packets still reach their destination, but a stateful firewall drops such traffic, because the Hub that sees only one direction of the session has no state table entry for it.
  • Stateful firewall rules are rechecked against existing flows after a configuration change. If an existing flow was accepted and you change the rule set so that its packets are now dropped, the firewall rechecks the flow against the new rule set and drops it. When an "allow" is changed to "drop" or "reject", the pre-existing flows time out and a firewall log is generated for the session close.

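The differences listed above (directional matching, session awareness, and re-evaluation of live flows after a rule change) are easiest to see in a small state-table simulation. The following is an added example written for this page, not code from VMware SD-WAN or the SASE Orchestrator: the Packet and Rule shapes, the state names, the log strings and the two subnets standing in for VLAN 1 and VLAN 2 are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flags on the packet, e.g. frozenset({"SYN"})


@dataclass
class Rule:
    src_net: str   # CIDR of the side allowed to initiate
    dst_net: str   # CIDR of the responding side
    action: str    # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
        return src in ipaddress.ip_network(self.src_net) and dst in ipaddress.ip_network(self.dst_net)


# Permitted TCP transitions: (current state, packet direction, flags) -> next state.
# Anything not listed is out of state for the session and is dropped.
_TRANSITIONS = {
    ("SYN_SENT", "forward", frozenset({"SYN"})): "SYN_SENT",            # retransmitted SYN
    ("SYN_SENT", "reply", frozenset({"SYN", "ACK"})): "SYN_RECEIVED",
    ("SYN_RECEIVED", "forward", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "forward", frozenset({"ACK"})): "ESTABLISHED",
    ("ESTABLISHED", "reply", frozenset({"ACK"})): "ESTABLISHED",
}


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[Tuple[str, int, str, int], str] = {}  # key is initiator -> responder
        self.log: List[str] = []

    def _rule_for(self, pkt: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(pkt)), None)  # first match; none means deny

    def process(self, pkt: Packet) -> str:
        """Return "ALLOW" or "DROP" for one packet and update the state table."""
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        key, direction = (fwd, "forward") if fwd in self.state else (rev, "reply") if rev in self.state else (None, "")
        desc = f"{fwd[0]}:{fwd[1]} -> {fwd[2]}:{fwd[3]} {sorted(pkt.flags)}"
        if key is None:
            # No tracked session: only a bare SYN permitted by an allow rule may open one.
            # A SYN-ACK or ACK without a session is dropped even if a rule allows the addresses.
            rule = self._rule_for(pkt)
            if pkt.flags != frozenset({"SYN"}) or rule is None or rule.action != "allow":
                self.log.append(f"DENY new flow {desc}")
                return "DROP"
            self.state[fwd] = "SYN_SENT"
            self.log.append(f"OPEN {desc}")
            return "ALLOW"
        if pkt.flags & {"RST", "FIN"}:
            del self.state[key]  # teardown: later return traffic has no state and is dropped
            self.log.append(f"CLOSE {desc}")
            return "ALLOW"
        nxt = _TRANSITIONS.get((self.state[key], direction, pkt.flags))
        if nxt is None:
            self.log.append(f"DROP out-of-state {desc} (state={self.state[key]})")
            return "DROP"
        self.state[key] = nxt
        return "ALLOW"

    def reconfigure(self, rules: List[Rule]) -> List[tuple]:
        """Install a new rule set and recheck every existing flow against it."""
        self.rules = rules
        torn_down = []
        for key in list(self.state):
            rule = self._rule_for(Packet(*key, frozenset({"SYN"})))
            if rule is None or rule.action != "allow":
                del self.state[key]
                torn_down.append(key)
                self.log.append(f"UPDATE flow {key} closed after rule change")
        return torn_down


def demo() -> List[str]:
    """Walk a handshake through the firewall; returns the per-packet decisions."""
    vlan1, vlan2 = "10.1.0.0/24", "10.2.0.0/24"  # constructed subnets standing in for VLAN 1 / VLAN 2
    fw = StatefulFirewall([Rule(vlan1, vlan2, "allow")])
    pkts = [
        Packet("10.1.0.5", 40000, "10.2.0.10", 443, frozenset({"SYN"})),         # VLAN 1 opens to VLAN 2
        Packet("10.2.0.10", 443, "10.1.0.5", 40000, frozenset({"SYN", "ACK"})),  # reply matches state
        Packet("10.1.0.5", 40000, "10.2.0.10", 443, frozenset({"ACK"})),         # handshake completes
        Packet("10.2.0.10", 50000, "10.1.0.5", 22, frozenset({"SYN"})),          # reverse initiation: no rule
        Packet("10.1.0.6", 40001, "10.2.0.10", 443, frozenset({"ACK"})),         # ACK with no SYN: no session
    ]
    decisions = [fw.process(p) for p in pkts]
    fw.reconfigure([Rule(vlan1, vlan2, "deny")])  # allow changed to deny while the flow is live
    decisions.append(fw.process(Packet("10.1.0.5", 40000, "10.2.0.10", 443, frozenset({"ACK"}))))
    return decisions


if __name__ == "__main__":
    print(demo())
```

The same rule table, applied statelessly, would have passed the lone ACK from 10.1.0.6 because its addresses match the allow rule; the stateful version drops it because no SYN opened a session, and it drops the established flow's next packet after reconfigure() removes its state entry, which is the behaviour the last bullet describes.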
The requirements to use the Stateful Firewall are:
  • The VMware SD-WAN Edge must be using Release 3.4.0 or later.
  • By default, the Stateful Firewall feature is a customer capability activated for new customers on an SASE Orchestrator using 3.4.0 or later releases. Customers created on a 3.x Orchestrator will need assistance from a Partner or VMware SD-WAN Support to activate this feature.
  • The SASE Orchestrator allows the enterprise user to activate or deactivate the Stateful Firewall feature at the Profile and Edge level from the respective Firewall page. To deactivate the Stateful Firewall feature for an enterprise, contact an Operator with Super User permission.
    Note: Asymmetric routing is not supported in Stateful Firewall activated Edges.

Enhanced Firewall Services

Enhanced Firewall Services (EFS) add security functions to VMware SD-WAN Edges beyond the Stateful Firewall. The NSX Security-powered EFS functionality supports URL Category filtering, URL Reputation filtering, Malicious IP filtering, Intrusion Detection System (IDS), and Intrusion Prevention System (IPS) services on VMware SD-WAN Edges. EFS protects Edge traffic from intrusions across Branch-to-Branch, Branch-to-Hub, and Branch-to-Internet traffic patterns.

Without EFS, the SD-WAN Edge Firewall provides stateful inspection and application identification only. That blocks out-of-session and unauthorized traffic, but it does not inspect the traffic it allows for threats, which leaves a gap in security integrated natively with VMware SD-WAN. Edge EFS closes that gap by offering enhanced threat protection natively on the SD-WAN Edge, in conjunction with VMware SD-WAN.

Customers can configure and manage the Stateful Firewall and EFS using the Firewall functionality in VMware SASE Orchestrator. Customers can configure Firewall Rules to block web traffic based on IDS/IPS Signature matching, category, and/or reputation of the URL or IP. To configure firewall settings at the Profile and Edge level, see:

Firewall Logs

Firewall logs are generated:
  • When a flow is created (on the condition that the flow is accepted)
  • When the flow is closed
  • When a new flow is denied
  • When an existing flow is updated (due to a firewall configuration change)
With the Stateful Firewall and Enhanced Firewall Services (EFS) features activated, more information can be reported in the firewall logs. The firewall logs will contain the following fields: Time, Segment, Edge, Action, Interface, Protocol, Source IP, Source Port, Destination IP, Destination Port, Extension Headers, Rule, Reason, Bytes Sent, Bytes Received, Duration, Application, Destination Domain, Destination Name, Session ID, Signature ID, Signature, Attack Source, Attack Target, Severity, Category, IDS Alert, IPS Alert, URL, Engine Types, URL Categories, URL Category Filter Action, URL Reputation, URL Reputation Action, IP Categories, and Malicious IP Action.
Note: Not all fields are populated in every firewall log. For example, Reason, Bytes Received/Sent, and Duration are included only in the log written when a session is closed. Signature ID, Signature, Attack Source, Attack Target, Severity, Category, IDS Alert, IPS Alert, URL, Engine Types, URL Categories, URL Category Filter Action, URL Reputation, URL Reputation Action, IP Categories, and Malicious IP Action are populated only in EFS alert entries, not in ordinary flow logs.
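Because field population depends on the event type, anything that consumes these logs (a SIEM rule, a forwarding filter) should classify each entry before reading fields that may be absent. The following is an added example for this page, not code from VMware or the Orchestrator, run over constructed records that use the field names listed above. The dict layout, the Edge and rule names, the Action strings ("Allow"/"Deny"), the Session ID values and the signature values are all assumptions; the real syslog or Orchestrator export format is not shown on this page.

```python
from collections import Counter
from typing import Dict, List

# Constructed records using the field names listed above. The layout, rule names, Action
# strings and signature values are assumptions for this example, not a real export format.
SAMPLE_LOGS: List[Dict[str, object]] = [
    {"Time": "2024-05-01T10:00:00Z", "Edge": "branch-1", "Action": "Allow", "Protocol": "TCP",
     "Source IP": "10.1.0.5", "Source Port": 40000, "Destination IP": "203.0.113.10",
     "Destination Port": 443, "Rule": "allow-web", "Session ID": 101},                 # flow created
    {"Time": "2024-05-01T10:00:09Z", "Edge": "branch-1", "Action": "Allow", "Protocol": "TCP",
     "Source IP": "10.1.0.5", "Source Port": 40000, "Destination IP": "203.0.113.10",
     "Destination Port": 443, "Rule": "allow-web", "Session ID": 101,
     "Reason": "Session closed", "Bytes Sent": 1520, "Bytes Received": 84100, "Duration": 9},  # flow closed
    {"Time": "2024-05-01T10:01:00Z", "Edge": "branch-1", "Action": "Deny", "Protocol": "TCP",
     "Source IP": "10.1.0.7", "Source Port": 51000, "Destination IP": "10.2.0.20",
     "Destination Port": 445, "Rule": "deny-smb", "Session ID": 102},                  # new flow denied
    {"Time": "2024-05-01T10:02:00Z", "Edge": "branch-1", "Action": "Allow", "Protocol": "TCP",
     "Source IP": "10.1.0.8", "Source Port": 52000, "Destination IP": "203.0.113.20",
     "Destination Port": 443, "Rule": "allow-web", "Session ID": 103},                 # still open
    {"Time": "2024-05-01T10:03:00Z", "Edge": "branch-1", "Action": "Allow", "Protocol": "TCP",
     "Source IP": "10.1.0.5", "Source Port": 40010, "Destination IP": "203.0.113.30",
     "Destination Port": 80, "Rule": "allow-web", "Session ID": 104,
     "Signature ID": "example-sig-001", "Signature": "constructed test signature",
     "Attack Source": "10.1.0.5", "Attack Target": "203.0.113.30", "Severity": "High",
     "Category": "Test", "IDS Alert": True},                                           # EFS alert
]

# Fields the page says appear only in EFS alert entries, and only in session-close entries.
EFS_FIELDS = {"Signature ID", "Signature", "Attack Source", "Attack Target", "Severity", "Category",
              "IDS Alert", "IPS Alert", "URL", "Engine Types", "URL Categories",
              "URL Category Filter Action", "URL Reputation", "URL Reputation Action",
              "IP Categories", "Malicious IP Action"}
CLOSE_FIELDS = {"Reason", "Bytes Sent", "Bytes Received", "Duration"}


def classify(rec: Dict[str, object]) -> str:
    """Name the event a record describes from which fields are populated (Action values assumed)."""
    if EFS_FIELDS.intersection(rec):
        return "efs_alert"
    if rec.get("Action") != "Allow":
        return "flow_denied"
    if CLOSE_FIELDS.intersection(rec):
        return "flow_close"
    return "flow_open"


def open_sessions(records: List[Dict[str, object]]) -> List[int]:
    """Session IDs that were accepted but have no close entry yet (long-lived or still live flows)."""
    opened = {r["Session ID"] for r in records if classify(r) == "flow_open"}
    closed = {r["Session ID"] for r in records if classify(r) == "flow_close"}
    return sorted(opened - closed)


def denied_by_rule(records: List[Dict[str, object]]) -> Dict[str, int]:
    """How many new flows each rule denied; a first place to look for misconfigured rules."""
    return dict(Counter(r["Rule"] for r in records if classify(r) == "flow_denied"))


def high_severity_alerts(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """EFS alerts worth escalating: High severity, whether IDS or IPS raised them."""
    return [r for r in records if classify(r) == "efs_alert" and r.get("Severity") == "High"]


def bytes_by_session(records: List[Dict[str, object]]) -> Dict[int, int]:
    """Total bytes per closed session; Bytes Sent/Received exist only on close entries."""
    return {r["Session ID"]: r["Bytes Sent"] + r["Bytes Received"]
            for r in records if classify(r) == "flow_close"}
```

The order of checks in classify() matters: an EFS alert entry also carries Action, Rule and Session ID, so testing for the EFS-only fields first keeps alerts from being counted as plain flow opens, and reading Bytes or Duration only from entries classified as closes avoids key errors on open entries.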
You can view the firewall logs by using the following firewall features:
  • Hosted Firewall Logging - Allows you to turn ON or OFF the Firewall Logging feature at the Enterprise Edge level to send Firewall logs to the Orchestrator.
    Note: Starting with the 5.4.0 release, for Hosted Orchestrators, the Enable Firewall Logging to Orchestrator capability is activated by default for new and existing Enterprises. At the Edge level, customers must activate Hosted Firewall Logging to send Firewall logs from the Edge to the Orchestrator. For On-Prem Orchestrators, customers must contact their Operators to activate the Enable Firewall Logging to Orchestrator capability.

    You can view the Edge Firewall logs in Orchestrator from the Monitor > Firewall Logs page. For more information, see Monitor Firewall Logs.

  • Syslog Forwarding - Allows you to view the logs by sending the logs originating from Enterprise SD-WAN Edge to one or more configured remote servers. By default, the Syslog Forwarding feature is deactivated for an Enterprise. To forward the logs to remote Syslog collectors, you must:
    1. Activate the Syslog Forwarding feature under Configure > Edges/Profile > Firewall tab.
    2. Configure a Syslog collector under Configure > Edges/Profile > Device > Syslog Settings. For steps on how to configure Syslog collector details per segment in the SASE Orchestrator, see Configure Syslog Settings for Profiles.
Note: For Edge versions 5.2.0 and above, Hosted Firewall Logging is not dependent on Syslog Forwarding configuration.