
FIREWALL SESSIONS. INTRODUCTION.

Hello everybody, here I am after my (short as always) holidays. I have enjoyed myself a lot in different places like Cuba, Pirineos and Torrevieja, and now I am ready to update this blog with a few entries.

I have been thinking for a long time about writing on firewall sessions, and now it is time to do it.

1. WHAT IS IT?

Well, the firewall session is one of the main features that distinguishes a firewall from a router. Basically, routers just pass traffic between two separate networks, while firewalls can actually track the traffic and block what is not authorized.

Perhaps you think you could do this with the router ACL feature, but that is not the case. A router ACL, whether or not the router has other security features, is packet-filtering based (stateless), while firewalls are stateful-inspection based.

It means that a router processes each packet as it arrives, performs the rule match and either drops or forwards it. Then the next packet starts all over again. Routers have no memory of any connections/sessions/flows.

A firewall maintains a session state table, so it knows about "flows" or "connections" between two devices. When the first packet arrives, more processing is done to create the session (policy lookup, NAT and so on). Subsequent packets are then just matched against this existing session/flow/connection and permitted through. In fact, firewalls are essentially built around maintaining sessions and ensuring that return traffic is allowed because it matches the same session (in a stateless router, return traffic must be explicitly allowed too, which usually means a much more permissive inbound rule).

NOTE: Only allowed traffic creates sessions; dropped traffic does not.
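To make the difference concrete, here is an added example (it is not from the original post and not any vendor's firewall code): a small Python simulation of a stateless ACL next to a stateful session table. The addresses, the "inside" network 10.0.0.0/24 and the single "inside may open TCP/80 outbound" policy are constructed assumptions. It shows the point above: the stateless device needs a permanent return rule (inbound TCP with source port 80), and that same rule lets through an unsolicited packet that merely claims source port 80, while the stateful device only accepts the reply that matches a session created by allowed traffic.

```python
"""Stateless ACL vs stateful session table (simulation, added example).

Packets are 5-tuples. The protected LAN is 10.0.0.0/24 and the only
policy is 'inside -> anywhere, TCP/80'; both are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")   # assumption: the protected network


@dataclass(frozen=True)
class Packet:
    proto: int      # 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    sport: int
    dst: str
    dport: int


def is_outbound(pkt: Packet) -> bool:
    return ip_address(pkt.src) in INSIDE


def policy_allows(pkt: Packet) -> bool:
    """The single rule: inside hosts may open TCP connections to port 80."""
    return is_outbound(pkt) and pkt.proto == 6 and pkt.dport == 80


class StatelessRouter:
    """ACL filtering: every packet is evaluated on its own, no memory.

    Because nothing remembers the outbound request, the ACL needs a second,
    permanent rule for the replies: inbound TCP with source port 80 to any
    inside host and any port. Anyone who sets source port 80 matches it.
    """

    def allow(self, pkt: Packet) -> bool:
        if policy_allows(pkt):
            return True
        return (not is_outbound(pkt)) and pkt.proto == 6 and pkt.sport == 80


class StatefulFirewall:
    """The policy describes the original direction only; replies are
    permitted because they match an existing session, not a rule."""

    def __init__(self) -> None:
        self.sessions = set()   # original-direction 5-tuples

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt: Packet) -> tuple:
        # The reply of a session has source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        # Subsequent packet of a known session, in either direction: fast path.
        if self._key(pkt) in self.sessions or self._reply_key(pkt) in self.sessions:
            return True
        # First packet: full policy lookup. Only allowed traffic creates a
        # session; a dropped packet leaves no entry behind.
        if policy_allows(pkt):
            self.sessions.add(self._key(pkt))
            return True
        return False


def demo() -> dict:
    """Run the same three packets through both devices (constructed traffic)."""
    request = Packet(6, "10.0.0.5", 40000, "203.0.113.10", 80)   # client -> web server
    reply = Packet(6, "203.0.113.10", 80, "10.0.0.5", 40000)     # genuine reply
    forged = Packet(6, "198.51.100.7", 80, "10.0.0.5", 22)       # unsolicited, sport 80, to SSH

    router, firewall = StatelessRouter(), StatefulFirewall()
    return {
        "router": [router.allow(p) for p in (request, reply, forged)],
        "firewall": [firewall.allow(p) for p in (request, reply, forged)],
        "sessions": len(firewall.sessions),
    }


if __name__ == "__main__":
    print(demo())   # the router lets the forged packet in; the firewall does not
```

Run it and compare the two lists: the router returns True for all three packets, the firewall returns True, True, False and ends up with exactly one session entry, created by the allowed request and nothing else.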

2. PROTOCOL SESSIONS BASIC KNOWLEDGE.

Now that we know what a firewall session is, let's go further on this topic.

As you may know, there are mainly two transport protocols, TCP and UDP (we will talk a little bit about ICMP too).

For your knowledge:

  • TCP is proto=6

  • UDP is proto=17

  • ICMP is proto=1

A firewall keeps sessions for all of these protocols, but each protocol is different and has its own session states. You can check the session state in the session table (on a FortiGate, for example, with diagnose sys session list, where it appears as proto_state).

  • TCP SESSION STATES:

NOTE: A stateful firewall also keeps track of the 'reply session'; this is why proto_state has two digits: proto_state=OR, meaning O for the Original direction and R for the Reply direction.

NOTE: Depending on the firewall manufacturer, each session state has a default expiry timer, which specifies how long the session can stay alive in that state before it is removed from the table.

If you are curious and would like to know more about how a TCP session progresses, just use a search engine like Google to look for "TCP Finite State Machine"; if not, here is a brief diagram:

  • UDP SESSION STATES:

NOTE: Even though UDP is a connectionless protocol, the FortiGate still keeps track of two different 'states': one while traffic has been seen in only one direction, and another once a reply has been seen.

  • ICMP SESSION STATES:

There are no states for ICMP; it always shows proto_state=00.
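As an added example (not from the original post and not Fortinet code), the Python below parses the text layout of diagnose sys session list and decodes proto_state per protocol, so the three cases above can be read side by side. The sample output is constructed for this example and only imitates the command's format; the TCP and UDP state names are the ones Fortinet documents for the proto_state field and do not appear on this page; the two TCP digits are shown as digit1/digit2 without assigning a direction to them.

```python
"""Decode proto_state from 'diagnose sys session list' output (added example).

SAMPLE is constructed for this example and only imitates the layout of the
FortiGate command; it is not real device output. The state names come from
Fortinet's documentation of the proto_state field.
"""
import re
from collections import Counter

SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.5:40000->203.0.113.10:80(198.51.100.1:40000)
hook=pre dir=reply act=dnat 203.0.113.10:80->198.51.100.1:40000(10.0.0.5:40000)
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.7:53211->203.0.113.53:53(198.51.100.1:53211)
hook=pre dir=reply act=dnat 203.0.113.53:53->198.51.100.1:53211(10.0.0.7:53211)
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=60 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.9:1->203.0.113.1:8(198.51.100.1:62001)
hook=pre dir=reply act=dnat 203.0.113.1:62001->198.51.100.1:62001(10.0.0.9:1)
total session 3
"""

# TCP state digits as Fortinet documents them for proto_state.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN & SYN/ACK",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
# UDP has only two states: traffic seen in one direction, or a reply seen too.
UDP_STATES = {"00": "UDP_UNSEEN", "01": "UDP_SEEN"}

SESSION_RE = re.compile(
    r"session info: proto=(?P<proto>\d+) proto_state=(?P<state>\d{2}) "
    r"duration=(?P<duration>\d+) expire=(?P<expire>\d+) timeout=(?P<timeout>\d+)"
)
# Original-direction tuple, taken from the dir=org hook line.
HOOK_ORG_RE = re.compile(
    r"hook=\w+ dir=org act=\w+ (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def decode_state(proto: int, proto_state: str) -> str:
    """Human-readable meaning of proto_state for the protocol at hand."""
    if proto == 6:
        # Two TCP digits; the post describes them as the original and the
        # reply direction. Shown here as digit1/digit2, e.g. 01 -> NONE/ESTABLISHED.
        return "/".join(TCP_STATES.get(d, "?") for d in proto_state)
    if proto == 17:
        return UDP_STATES.get(proto_state, "?")
    if proto == 1:
        return "n/a (ICMP is always 00)"
    return "unknown proto"


def parse_session_list(text: str) -> list:
    """Turn the command output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            proto = int(m["proto"])
            current = {
                "proto": proto,
                "proto_state": m["state"],
                "state": decode_state(proto, m["state"]),
                "expire": int(m["expire"]),
                "timeout": int(m["timeout"]),
            }
            sessions.append(current)
            continue
        h = HOOK_ORG_RE.match(line)
        if h and current is not None and "src" not in current:
            current.update(src=h["src"], sport=int(h["sport"]),
                           dst=h["dst"], dport=int(h["dport"]))
    return sessions


def state_summary(sessions: list) -> Counter:
    """Count sessions per (proto, proto_state): the quick view you want when
    hunting for piles of half-open TCP (digit 2, SYN_SENT) or unanswered UDP (00)."""
    return Counter((s["proto"], s["proto_state"]) for s in sessions)


if __name__ == "__main__":
    parsed = parse_session_list(SAMPLE)
    for s in parsed:
        print(f"proto={s['proto']:<2} proto_state={s['proto_state']} "
              f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}  {s['state']}")
    print(state_summary(parsed))
```

Feed it the real output of the command (copied from the CLI) instead of SAMPLE and the summary counter gives you, per protocol and state, how many sessions the box is holding; the expire/timeout pair per session is the per-state timer from the note above counting down.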

This is just an introduction to firewall sessions; you can find more advanced posts in the troubleshooting category.

Have a nice end of summer, everybody!!
