tyrosec

How Stateful Inspection handles ICMP, UDP.ESP and GRE Packets.

So far I understand that only TCP connection state will be seen in the connection table, or the stateful table will keep track of all UDP, ESP, ICMP and GRE packets. Which one is true?

One more thing I just wanna know: what are the commands to see the stateful connection table in firewalls (Checkpoint/Cisco ASA/Fortigate/Juniper)?

What is DEEP inspection?

Qlemo

Those are a lot of questions, and they can't be answered that simply. But I'll try.

Deep Inspection (DI) analyzes the payload of packets in addition to the header. SPI (stateful packet inspection), which is what is done without DI, applies only to headers. With DI you can filter e.g. HTTP traffic, inspecting and optionally removing any JavaScript content.
SPI only cares whether ingress traffic has been asked for, by comparing protocol, ports and IP addresses with its session table.

Regarding "see the stateful connection table", the command is similar but different for each firewall. I can tell only for ScreenOS (Juniper SSG/Netscreen), but expect it to be the same on Cisco and JunOS (Juniper SRX & Co): "show session". There are more options to restrict the output, and you can apply additional filter commands, but that is getting quite complex and very device specific.

Stateful inspection and UDP: Connectionless session info is kept in the same session table as for TCP traffic. A timeout value allows for closing the session if either the application layer protocol is unknown, not allowing for terminating "commands", or on communication errors.
If an application layer gateway can be applied (the firewall knows about the protocol, and can hence "see" when a session is "closed"), the session will get closed out ASAP. E.g. for an ICMP Echo Request (ping), the session info can be removed as soon as the ICMP Echo Reply, Timeout, Not Reachable etc. messages are received.
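A minimal model of the session-table behaviour described in the answer above, as an added example that is not part of the thread: sessions are keyed on protocol, addresses and ports (or the ICMP identifier for echo), inbound packets are admitted only when they match an existing session, connectionless sessions expire on an idle timer, and an ICMP echo reply closes its session immediately. The class, packet fields and timeout values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed idle timeouts (seconds); real firewalls make these configurable.
UDP_TIMEOUT = 60
ICMP_TIMEOUT = 10


@dataclass(frozen=True)
class Packet:
    proto: str              # "udp", "icmp", "gre" or "esp"
    src: str
    dst: str
    sport: int = 0          # ports are only meaningful for udp
    dport: int = 0
    icmp_type: str = ""     # "echo-request" / "echo-reply"
    icmp_id: int = 0        # pairs an echo reply with its request


class StatefulFirewall:
    """Toy SPI session table: outbound packets create sessions, inbound packets
    are allowed only if they were 'asked for' (match a live session)."""

    def __init__(self):
        self.sessions = {}  # session key -> expiry time

    def _key(self, pkt, reverse=False):
        a, b = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
        if pkt.proto == "icmp":
            return ("icmp", a, b, pkt.icmp_id)          # no ports: use the id
        if pkt.proto in ("gre", "esp"):
            return (pkt.proto, a, b)                    # endpoints only
        pa, pb = (pkt.dport, pkt.sport) if reverse else (pkt.sport, pkt.dport)
        return (pkt.proto, a, pa, b, pb)

    def outbound(self, pkt, now):
        ttl = ICMP_TIMEOUT if pkt.proto == "icmp" else UDP_TIMEOUT
        self.sessions[self._key(pkt)] = now + ttl
        return True

    def inbound(self, pkt, now):
        key = self._key(pkt, reverse=True)              # match the reverse flow
        expiry = self.sessions.get(key)
        if expiry is None or expiry < now:
            self.sessions.pop(key, None)                # never asked for, or idle too long
            return False
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
            del self.sessions[key]                      # ALG knows the exchange is over
        else:
            self.sessions[key] = now + UDP_TIMEOUT      # refresh the idle timer
        return True
```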
tyrosec

ASKER

Hi Qlemo... Certainly I understand that... one question I wanna understand:

We have the option that Cisco firewalls can be configured in stateful failover, i.e. HA (Active/Standby); the standby firewall is supposed to handle all the sessions when the active member goes down. Say I have configured IPsec Remote Access VPN on the active firewall and I have connected to the RA VPN from my laptop, so a tunnel is formed between my laptop and the active firewall. When failover happens the standby member will become active, AND will the tunnel (my laptop and firewall) remain undisturbed, or will it disconnect and we have to manually reconnect the RA VPN?

ASKER CERTIFIED SOLUTION
Qlemo

tyrosec

ASKER

But suggest some materials to know broadly "How Stateful session handles the TCP/UDP/GRE/ICMP Protocol".