A stateful firewall on an SRX Series device tracks the state of each network connection, distinguishing legitimate packets of different connection types and allowing only packets that belong to a known active session. A session is created when the first packet of a new flow (for TCP, by default, a SYN; for UDP or ICMP, simply the first packet) is permitted by a security policy. Later packets of that flow are matched against the session table and forwarded without another policy lookup.
A security policy is a set of rules that defines how the SRX Series device processes transit traffic. A policy applies within a context (from-zone to to-zone), and its name must be unique within that context. Traffic is classified by matching the source and destination zones, the source and destination addresses, and the application identified from the packet's protocol headers against the policy database held in the data plane. Policies in a context are evaluated top-down and the first match wins; if nothing matches, the default policy applies, which denies all traffic unless it has been changed.
A Layer 3 route is the path a packet takes to reach its destination, selected by destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop and the egress interface for the packet; the security zone of that egress interface is the to-zone used in the policy lookup.
An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it where necessary so that the application can traverse the SRX Series device. For example, when NAT is in use, the FTP and SIP ALGs rewrite the IP addresses and port numbers carried inside FTP control commands and SIP messages, and they open pinholes for the data or media connections those messages negotiate.
The sequence an SRX Series device follows on the first packet of a flow when applying stateful security policies with Layer 3 routing is as follows:
The SRX Series device receives a packet, finds no existing session for it, and conducts a longest-match Layer 3 route table lookup to determine the next hop and egress interface. The zone of the ingress interface is the from-zone; the zone of the egress interface is the to-zone.
The SRX Series device searches the policies in that from-zone to to-zone context, top-down, for the first policy whose source and destination addresses and application match the packet.
If a matching policy is found, the SRX Series device applies its action, which is permit, deny, or reject (a permit policy can additionally name an IPsec VPN tunnel for policy-based VPN). Permit allows the packet through and installs a session so that later packets of the flow take the fast path. Deny drops the packet silently and sends nothing back to the sender. Reject drops the packet and notifies the sender with a TCP RST for TCP traffic or an ICMP destination unreachable message for other protocols. With the tunnel option, a permitted packet is encapsulated and sent into the named IPsec tunnel. If no policy matches, the default policy is applied, which denies the packet unless the default has been changed to permit.
If the matched application has an ALG, the SRX Series device hands the packet to the ALG, which inspects the application-layer payload, rewrites embedded addresses and ports when NAT applies, and pre-installs additional sessions (pinholes) for the data or media channels negotiated over the control connection, so those channels need no separate policy.
The SRX Series device forwards the packet out of the egress interface to the next hop selected by the route lookup.
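The sequence above, worked through end to end as an added example (this is illustrative Python written for this page, not SRX code or configuration): a longest-match route lookup that yields the to-zone, a top-down policy lookup inside the zone context, the three actions with their different responses to the sender (permit installs a session, deny is silent, reject answers with a TCP RST or an ICMP unreachable), and a minimal FTP ALG that reads an active-mode PORT command and pre-installs the pinhole for the server's data connection. The interfaces, zones, routes, policies, addresses and packets are all constructed here and are assumptions, as is the default SYN check on new TCP flows.

```python
import ipaddress

# Constructed topology (assumption, not a real SRX configuration): interface -> zone.
ZONE_OF = {"ge-0/0/0.0": "trust", "ge-0/0/1.0": "untrust", "ge-0/0/2.0": "dmz"}

# Constructed route table: (prefix, next hop, egress interface).
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1",  "ge-0/0/1.0"),
    ("10.1.0.0/16",     "10.1.0.1",     "ge-0/0/0.0"),
    ("172.16.5.0/24",   "172.16.5.1",   "ge-0/0/2.0"),
    ("172.16.5.128/25", "172.16.5.129", "ge-0/0/2.0"),   # more specific than the /24
]

# Application objects a policy references: name -> (protocol, destination port).
APPS = {"junos-ftp": ("tcp", 21), "junos-http": ("tcp", 80),
        "junos-telnet": ("tcp", 23), "junos-dns-udp": ("udp", 53)}

# Constructed policies: (name, from-zone, to-zone, src, dst, application, action).
# Evaluated top-down inside their zone context; first match wins; no match falls
# through to the default policy, which denies.
POLICIES = [
    ("trust-to-dmz-ftp",     "trust", "dmz",     "10.1.0.0/16", "172.16.5.0/24", "junos-ftp",     "permit"),
    ("trust-to-untrust-web", "trust", "untrust", "any",         "any",           "junos-http",    "permit"),
    ("no-telnet",            "trust", "untrust", "any",         "any",           "junos-telnet",  "reject"),
    ("no-external-dns",      "trust", "untrust", "any",         "any",           "junos-dns-udp", "reject"),
]


def route_lookup(dst):
    """Longest-match route table lookup; returns (next_hop, egress_if) or None."""
    best = None
    for prefix, next_hop, egress_if in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop, egress_if)
    return None if best is None else best[1:]


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def policy_lookup(from_zone, to_zone, src, dst, proto, dport):
    """First policy in the (from-zone, to-zone) context matching addresses and application."""
    for pol in POLICIES:
        _, fz, tz, s, d, app, _ = pol
        if (fz, tz) == (from_zone, to_zone) and _addr_match(s, src) \
                and _addr_match(d, dst) and APPS[app] == (proto, dport):
            return pol
    return None


def ftp_alg(pkt, sessions):
    """Minimal FTP ALG: when the client sends an active-mode PORT command, pre-install
    the data-channel session the server will open back to the client (a pinhole), so
    that connection is accepted without a policy of its own.  Returns the pinhole key."""
    payload = pkt.get("payload", "")
    if not payload.startswith("PORT "):
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in payload[5:].strip().split(","))
    client_ip, client_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    key = ("tcp", pkt["dst"], 20, client_ip, client_port)   # server port 20 -> client
    sessions[key] = {"policy": "ftp-alg-pinhole", "app": "ftp-data"}
    return key


def process(pkt, sessions):
    """Run one packet through the fast-path/first-path pipeline; returns a result dict."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    sess = sessions.get(key) or sessions.get(reverse)
    if sess is not None:                               # fast path: known session, no policy lookup
        pinhole = ftp_alg(pkt, sessions) if sess["app"] == "junos-ftp" else None
        return {"verdict": "permit", "path": "fast", "policy": sess["policy"], "pinhole": pinhole}
    # First path.  Assumed default: a new TCP session must start with a SYN (tcp-syn-check).
    if pkt["proto"] == "tcp" and "S" not in pkt.get("flags", ""):
        return {"verdict": "drop", "reason": "non-SYN first packet", "response": None}
    route = route_lookup(pkt["dst"])
    if route is None:
        return {"verdict": "drop", "reason": "no route", "response": None}
    next_hop, egress_if = route
    # The to-zone is the egress interface's zone, so the route lookup precedes the policy lookup.
    from_zone, to_zone = ZONE_OF[pkt["ingress_if"]], ZONE_OF[egress_if]
    pol = policy_lookup(from_zone, to_zone, pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
    name, action = ("default-policy", "deny") if pol is None else (pol[0], pol[6])
    if action == "deny":                               # silent drop, nothing sent back
        return {"verdict": "deny", "policy": name, "response": None}
    if action == "reject":                             # drop and tell the sender
        response = "tcp-rst" if pkt["proto"] == "tcp" else "icmp-dst-unreachable"
        return {"verdict": "reject", "policy": name, "response": response}
    sessions[key] = {"policy": name, "app": pol[5], "next_hop": next_hop, "egress_if": egress_if}
    pinhole = ftp_alg(pkt, sessions) if pol[5] == "junos-ftp" else None
    return {"verdict": "permit", "path": "first", "policy": name, "next_hop": next_hop,
            "egress_if": egress_if, "session": key, "pinhole": pinhole}


if __name__ == "__main__":
    table = {}
    syn = dict(proto="tcp", src="10.1.2.3", sport=40000, dst="172.16.5.10", dport=21,
               ingress_if="ge-0/0/0.0", flags="S")
    print(process(syn, table))
    print(process(dict(syn, flags="PA", payload="PORT 10,1,2,3,195,81\r\n"), table))
```

Two details worth noticing when running it: the client's FTP SYN is the only packet that goes through the policy lookup; the PORT command on the same session takes the fast path and still reaches the ALG, and the server's SYN from port 20 to the client's advertised port is admitted by the pinhole even though no dmz-to-trust policy exists. The reject action is also visibly protocol-dependent: a TCP telnet attempt gets a RST, a UDP DNS query gets an ICMP unreachable, while the unmatched SSH attempt is simply dropped by the default policy.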