A firewall is a network security device that inspects all incoming and outgoing network traffic and, based on a set of security rules, decides whether to allow or block particular traffic. For Profiles and Edges, SD-WAN Orchestrator lets you configure both stateless and stateful firewalls.
In a stateful firewall, the operating state and characteristics of every network connection that passes through the firewall are monitored and tracked. This information is then used to determine which network packets are permitted to pass. Stateful firewalls build a state table and use it to restrict the flow of traffic to only those connections currently listed in the table. Once a connection has been removed from the state table, no traffic associated with that connection can originate from the external device.
The following are some benefits of the Stateful Firewall feature:
- Protection against attacks such as spoofing and denial of service (DoS)
- More robust logging
- Enhanced network security
The following are the primary distinctions between a stateful firewall and a stateless firewall:
- Matching is direction-specific. You can configure the firewall so that hosts on VLAN 1 can initiate a TCP session with hosts on VLAN 2, but not the other way around. This kind of granular control is not possible with stateless firewalls, since their rules translate to basic ACLs (access lists).
- A stateful firewall is session-aware. For instance, a stateful firewall will not let an ACK or a SYN-ACK start a new session in the TCP three-way handshake. The TCP session must begin with a SYN, and any subsequent packets must likewise follow the protocol exactly or be rejected by the firewall. A stateless firewall filters on an individual packet basis only; it has no concept of sessions.
- A stateful firewall enforces symmetric routing. Asymmetric routing is common in a VMware network, where traffic enters through one Hub and leaves through another. The packet can still reach its destination with the help of third-party routing, but a stateful firewall would drop this kind of traffic.
- After a configuration update, stateful firewall rules are re-evaluated against existing flows. In other words, the firewall rechecks each already-accepted flow against the new rule set and drops it if the new rules no longer permit it. If an “allow” rule is changed to “drop” or “reject”, pre-existing flows time out and the session close is recorded in the firewall log.
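To make the direction-specific matching, SYN-first session handling and rule re-evaluation concrete, here is an added Python model of a stateful filter. It is not VMware's code and simplifies the Edge's real implementation: rules, VLAN numbers, ports and the `Packet` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    # Constructed, simplified packet: VLAN ids stand in for source/destination networks.
    src_vlan: int
    dst_vlan: int
    src_port: int
    dst_port: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    # rules: (src_vlan, dst_vlan) -> "allow" | "drop". Consulted only when a
    # packet tries to open a new session, so direction is enforced at SYN time.
    rules: dict
    state: set = field(default_factory=set)  # the state table of accepted flows

    @staticmethod
    def _key(p: Packet):
        return (p.src_vlan, p.src_port, p.dst_vlan, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.dst_vlan, p.dst_port, p.src_vlan, p.src_port)

    def process(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating the state table."""
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            # Tracked session: packets in either direction are allowed.
            return "allow"
        if p.flags != "SYN":
            # Only a SYN may open a session; a stray SYN-ACK/ACK is dropped.
            return "drop"
        action = self.rules.get((p.src_vlan, p.dst_vlan), "drop")
        if action == "allow":
            self.state.add(self._key(p))
        return action

    def apply_rules(self, new_rules: dict) -> list:
        """Configuration update: re-evaluate existing flows against the new rules.

        Flows the new rule set no longer allows are removed from the state table,
        mirroring the "session close" an Edge would log. Returns the removed flows.
        """
        self.rules = new_rules
        closed = [k for k in self.state if self.rules.get((k[0], k[2]), "drop") != "allow"]
        for k in closed:
            self.state.discard(k)
        return closed
```

With a rule allowing VLAN 1 to VLAN 2, a SYN from VLAN 1 opens a flow and its SYN-ACK reply is admitted, while a SYN from VLAN 2 toward VLAN 1 or a SYN-ACK with no matching flow is dropped.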
The following are the prerequisites for using the Stateful Firewall:
- The VMware SD-WAN Edge must be running Release 3.4.0 or later.
- For new customers who purchase an SD-WAN Orchestrator with version 3.4.0 or later, the Stateful Firewall feature is enabled by default. Customers who were created on a 3.x Orchestrator will need help from a Partner or VMware SD-WAN Support to enable this feature.
- An enterprise user can enable or disable the Stateful Firewall feature at the Profile and Edge level in the SD-WAN Orchestrator, from the Firewall page of the corresponding profile or edge. To disable the Stateful Firewall feature for an entire enterprise, contact an Operator with Super User privileges.
Edges with the stateful firewall enabled do not support asymmetric routing.
Set up the Firewall Profile
As a network security device, a firewall monitors both incoming and outgoing network traffic and decides whether to allow or block particular traffic based on a predetermined set of security rules. The SD-WAN Orchestrator allows you to configure both stateless and stateful firewalls for Edges and Profiles.
Configure Profile Firewall
To set up the Profile Firewall with the new Orchestrator user interface:
- Go to Configure > Profiles in the Enterprise portal. Existing Profiles are listed on the Profiles page.
- Click the link to the Profile, or the View link in the Firewall column of the Profile, to configure the Profile.
- Select the Firewall tab.
- On the Firewall tab, you can configure the following Edge Security and Firewall capabilities.