Solved

How Stateful Inspection handles ICMP, UDP, ESP and GRE Packets.

Posted on 2011-03-11
3,009 Views
Last Modified: 2012-05-11
So far I understand that only TCP connection state will be seen in the connection table, or that the stateful table will keep track of all UDP, ESP, ICMP and GRE packets. Which one is true?

One more thing I just want to know: what are the commands to see the stateful connection table in firewalls (Checkpoint/Cisco ASA/Fortigate/Juniper)?

What is DEEP inspection?

Question by:tyrosec
4 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 35115702
Those are a lot of questions, and they can't be answered that simply. But I'll try.

Deep Inspection (DI) analyzes the payload of packets in addition to the header. SPI (stateful packet inspection), which is what is done without DI, applies only to headers. With DI you can filter e.g. HTTP traffic, inspecting and optionally removing any JavaScript content.
SPI only cares whether ingress traffic has been asked for, by comparing protocol, ports and IP addresses with its session table.

Regarding "see the stateful connection table", the command is similar but different for each firewall. I can tell only for ScreenOS (Juniper SSG/Netscreen), but expect it to be the same on Cisco and JunOS (Juniper SRX & Co): show session. There are more options to restrict the output, and you can apply additional filter commands, but that is getting quite complex and very device specific.

Stateful inspection and UDP: Connectionless session info is kept in the same session table as for TCP traffic. A timeout value allows for closing the session if the application layer protocol is either unknown, does not allow for terminating "commands", or on communication errors.
If an application layer gateway can be applied (the firewall knows about the protocol, and can hence "see" when a session is "closed"), the session will get closed out ASAP. E.g. for an ICMP Echo Request (ping), the session info can be removed as soon as the ICMP Echo Reply, Timeout, Not Reachable etc. messages are received.
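To make the session-table behaviour described above concrete, here is a small added simulation (not code from the original answer or any vendor): an egress packet creates an entry, an ingress packet is admitted only if it matches the reverse of a live entry, UDP entries age out by idle timeout, and an ICMP echo entry is closed as soon as the reply arrives. Timeout values and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # for ICMP: the echo identifier, stored in both port fields
    dst: str
    dport: int


# Idle timeouts in seconds (constructed values; real firewalls use their own defaults)
TIMEOUTS = {"tcp": 3600, "udp": 60, "icmp": 10}

# ICMP answers that let an ALG close the echo session immediately
ICMP_CLOSING = {"echo-reply", "dest-unreachable", "time-exceeded"}


class SessionTable:
    """Minimal stateful-inspection session table (illustrative, not a real firewall)."""

    def __init__(self):
        self.sessions = {}  # Flow as seen on egress -> last-seen timestamp

    def egress(self, flow, now):
        """Outbound packet from the trusted side creates or refreshes an entry."""
        self.sessions[flow] = now

    def ingress(self, flow, now, icmp_type=None):
        """Inbound packet is allowed only if a non-expired reverse entry exists."""
        rev = Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        last = self.sessions.get(rev)
        if last is None:
            return False                 # unsolicited: no session asked for it
        if now - last > TIMEOUTS[flow.proto]:
            del self.sessions[rev]       # idle timeout expired, drop the entry
            return False
        if flow.proto == "icmp" and icmp_type in ICMP_CLOSING:
            del self.sessions[rev]       # ALG knows the exchange is complete
        else:
            self.sessions[rev] = now     # refresh the idle timer
        return True
```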
Author Comment

by:tyrosec
ID: 35115967
Hi Qlemo... Certainly I understand that. One question I want to understand:

We have the option that Cisco firewalls can be configured in stateful failover, i.e. HA (Active/Standby). The standby firewall is supposed to handle all the sessions when the active member goes down. Say I have configured IPsec remote access VPN on the active firewall and I have connected the VPN RA through my laptop, so a tunnel is formed between my laptop and the active firewall. When failover happens the standby member will become active, AND will the tunnel (my laptop and firewall) remain undisturbed, or will it disconnect and we have to manually connect the RA VPN?

LVL 71

Accepted Solution

by:Qlemo (earned 2000 total points)
ID: 35115975
"Stateful failover" implies that the state is failed over, too. Active/standby need to exchange session info all the time (from the active member to the passive). There might be a small lag, because failover does not work immediately (it needs a small amount of time to recognize the failure), but that should not be more than a short "hiccup". No service should break, including VPN.

Author Comment

by:tyrosec
ID: 35137633
But suggest some materials to learn broadly "How stateful sessions handle the TCP/UDP/GRE/ICMP protocols".