Stateful Inspection Process - ZyXEL Communications VANTAGE CNM User Manual

Vantage CNM User's Guide
are allowed in. The ZyXEL device uses stateful packet inspection to protect the private LAN
from hackers and vandals on the Internet. By default, the ZyXEL device's stateful inspection
allows all communications to the Internet that originate from the LAN, and blocks all traffic to
the LAN that originates from the Internet. In summary, stateful inspection:
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.

12.4.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN
network through the firewall's WAN interface. The TCP packet is the first in a session, and the
packet's application layer protocol is configured for a firewall rule inspection:
1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the
packet is permitted (a denied packet would simply be dropped at this point).
3 The packet is inspected by the firewall to determine and record information about the
state of the packet's connection. This information is recorded in a new state table entry
created for the new connection. If there is not a firewall rule for this packet and it is not an
attack, then Firewall Summary screen's Action for packets that don't match firewall
rules field determines the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated against
the inbound access list, and is permitted because of the temporary access list entry
previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated
as necessary. Based on the updated state information, the inbound extended access list
temporary entries might be modified, in order to permit only packets that are valid for the
current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.
175 Chapter 12 Configuration > Firewall