Define stateful firewall configurations

The Workload Security stateful firewall configuration mechanism analyzes each packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols like UDP and ICMP, a pseudo-stateful mechanism is implemented based on historical traffic analysis. Packets are handled by the stateful mechanism as follows:

  1. A packet is passed to the stateful routine if it has been allowed through by the static firewall rule conditions,
  2. The packet is examined to determine whether it belongs to an existing connection, and
  3. The TCP header is examined for correctness (for example, sequence numbers, flag combinations, and so on).

To create a new stateful configuration, you need to do the following:

  1. Add a stateful configuration.
  2. Enter stateful configuration information.
  3. Select packet inspection options.

When you are done with your stateful configuration, you can also learn how to do the following:

  • Export a stateful configuration
  • Delete a stateful configuration
  • View policies and computers with assigned stateful configuration

Add a stateful configuration

There are three ways to define a stateful configuration on the Policies > Common Objects > Other > Firewall Stateful Configurations page:

  • To create a new configuration, click New > New Firewall Stateful Configuration.
  • To import a configuration from an XML file, click New > Import From File.
  • Copy and then modify an existing configuration. Right-click the configuration in the Firewall Stateful Configurations list, and then click Duplicate. To edit the new configuration, select it and then click Properties.

Enter stateful configuration information

Enter a Name and Description for the configuration.

Select packet inspection options

You can define options for IP, TCP, UDP and ICMP packet inspection, and enable Active or Passive FTP.

IP packet inspection

Under the General tab, select Deny all incoming fragmented packets to drop any fragmented packets. Dropped packets bypass fragmentation analysis and generate an IP fragmented packet log entry. Packets with a total length smaller than the IP header length are dropped silently.

Attackers sometimes create and send fragmented packets in an attempt to bypass Firewall rules.

The Firewall Engine, by default, performs a series of checks on fragmented packets. This is default behavior and cannot be reconfigured. Packets with the following characteristics are dropped:
  • Invalid fragmentation flags/offset: A packet is dropped when either both the DF and MF flags in the IP header are set to 1, or the DF flag is set to 1 and the Offset value is different from 0.
  • First fragment too small: A packet is dropped if its MF flag is set to 1, its Offset value is 0, and its total length is less than 120 bytes (the maximum combined header length).
  • IP fragment out of boundary: A packet is dropped if its Offset value combined with the total packet length exceeds the maximum datagram length of 65535 bytes.
  • IP fragment offset too small: A packet is dropped if it has a non-zero Offset value that is smaller than 60 bytes.
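To make the four drop conditions concrete, here is an added Python example (not product code from Workload Security or from this page) that applies them to constructed raw IPv4 headers; the check order, and folding in the silent length-versus-header drop mentioned under the General tab, are this example's choices.

```python
import struct

MAX_DATAGRAM = 65535      # maximum IPv4 datagram length in bytes
MIN_FIRST_FRAGMENT = 120  # "maximum combined header length" used by the first-fragment check
MIN_FRAGMENT_OFFSET = 60  # smallest acceptable non-zero fragment offset, in bytes

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields the fragment checks need from a raw IPv4 header."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    return {
        "ihl": (ver_ihl & 0x0F) * 4,          # header length in bytes
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),      # Don't Fragment
        "mf": bool(flags_frag & 0x2000),      # More Fragments
        "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset, converted to bytes
    }

def fragment_verdict(pkt: bytes) -> str:
    """Return 'allow' or the name of the check that drops the packet.
    The check order is this example's choice; the page does not state one."""
    h = parse_ipv4_header(pkt)
    if h["total_len"] < h["ihl"]:
        return "drop: total length smaller than header (silent)"
    if (h["df"] and h["mf"]) or (h["df"] and h["offset"] != 0):
        return "drop: invalid fragmentation flags/offset"
    if h["mf"] and h["offset"] == 0 and h["total_len"] < MIN_FIRST_FRAGMENT:
        return "drop: first fragment too small"
    if h["offset"] + h["total_len"] > MAX_DATAGRAM:
        return "drop: IP fragment out of boundary"
    if 0 < h["offset"] < MIN_FRAGMENT_OFFSET:
        return "drop: IP fragment offset too small"
    return "allow"

def make_header(total_len: int, df=False, mf=False, offset_bytes=0) -> bytes:
    """Build a constructed 20-byte IPv4 header (no options) for the samples below."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset_bytes // 8)
    head = struct.pack("!BBHHH", 0x45, 0, total_len, 0x1234, flags_frag)
    return head + b"\x00" * 12  # TTL, protocol, checksum, src/dst left zeroed

if __name__ == "__main__":
    samples = {  # constructed sample headers
        "unfragmented": make_header(1500),
        "DF and MF both set": make_header(1500, df=True, mf=True),
        "tiny first fragment": make_header(100, mf=True),
        "offset 32 bytes": make_header(1500, offset_bytes=32),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> {fragment_verdict(pkt)}")
```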

TCP packet inspection

Under the TCP tab, select which of the following options you would like to enable:

  • Deny TCP packets containing CWR, ECE flags: These flags are set when there is network congestion.

    RFC 3168 defines two of the six bits from the Reserved field to be used for ECN (Explicit Congestion Notification). The TCP header flag bits 8 to 15 are CWR, ECE, URG, ACK, PSH, RST, SYN and FIN; the two ECN bits (TCP Header Flags bit name reference) are:
    • Bit 8: CWR (Congestion Window Reduced) [RFC3168]
    • Bit 9: ECE (ECN-Echo) [RFC3168]

    Automated packet transmission (such as that generated by a denial of service attack, among other things) often produces packets in which these flags are set.

  • Enable TCP stateful inspection: Enable stateful inspection at the TCP level. If you enable stateful TCP inspection, the following options become available:

    • Enable TCP stateful logging: Selecting this option enables logging of TCP stateful inspection events.
    • Limit the number of incoming connections from a single computer to: Limiting the number of connections from a single computer can lessen the effect of a denial of service attack.
    • Limit the number of outgoing connections to a single computer to: Limiting the number of outgoing connections to a single computer can significantly reduce the effects of Nimda-like worms.
    • Limit the number of half-open connections from a single computer to: Setting a limit here can protect you from DoS attacks like SYN Flood. Although most servers have timeout settings for closing half-open connections, setting a value here can prevent half-open connections from becoming a significant problem. If the specified limit for SYN-SENT (remote) entries is reached, subsequent TCP packets from that specific computer will be dropped.

      When deciding on how many open connections from a single computer to allow, choose your number from somewhere between what you would consider a reasonable number of half-open connections from a single computer for the type of protocol being used, and how many half-open connections from a single computer your system can maintain without getting congested.

    • Enable ACK Storm protection when the number of already acknowledged packets exceeds: Setting this option logs an event that an ACK Storm attack has occurred.

      • Drop Connection when ACK Storm detected: Setting this option drops the connection if such an attack is detected. ACK Storm protection options are only available on version 8.0 and earlier agents.

FTP Options

If you are using a version 8.0 or earlier agent, you can enable the following options under the FTP Options tab:

  • Active FTP
    • Allow Incoming: Allow Active FTP when this computer is acting as a server.
    • Allow Outgoing: Allow Active FTP when this computer is acting as client.
  • Passive FTP
    • Allow Incoming: Allow Passive FTP when this computer is acting as a server.
    • Allow Outgoing: Allow Passive FTP when this computer is acting as a client.

UDP packet inspection

Under the UDP tab, you can enable the following options:

  • Enable UDP stateful inspection: Select to enable stateful inspection of UDP traffic.

    The UDP stateful mechanism drops unsolicited incoming UDP packets. For every outgoing UDP packet, the rule updates its UDP stateful table and then only allows a UDP response if it occurs within 60 seconds of the request. If you wish to allow specific incoming UDP traffic, create a Force Allow rule. For example, if you are running a DNS server, create a Force Allow rule to allow incoming UDP packets to destination port 53.

Without stateful inspection of UDP traffic, an attacker can masquerade as a DNS server and send unsolicited UDP replies from source port 53 to computers behind a firewall.

  • Enable UDP stateful logging: Selecting this option enables the logging of UDP stateful inspection events.

ICMP packet inspection

If you are using a version 8.0 or earlier agent, you can enable the following options under the ICMP tab:

  • Enable ICMP stateful inspection: Select to enable stateful inspection of ICMP traffic.

    The ICMP (pseudo-)stateful mechanism drops incoming unsolicited ICMP packets. For every outgoing ICMP packet, the rule creates or updates its ICMP stateful table and then only allows an ICMP response if it occurs within 60 seconds of the request. ICMP pair types supported: Type 0 & 8, 13 & 14, 15 & 16, 17 & 18.

With stateful ICMP inspection enabled, you can, for example, only allow an ICMP echo-reply in if an echo-request has been sent out. Unrequested echo-replies could be a sign of several kinds of attack including a Smurf amplification attack, a Tribe Flood Network communication between master and daemon, or a Loki 2 back-door.

  • Enable ICMP stateful logging: Selecting this option enables the logging of ICMP stateful inspection events.
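The UDP and ICMP pseudo-stateful mechanisms described in the two sections above, modelled as an added Python example that is not product code: outgoing packets create table entries, an incoming packet is allowed only if it matches an entry within the 60-second window, and the matching keys (including the ICMP identifier), the rule that only request types create an entry, and the stand-in for a Force Allow rule are this example's assumptions.

```python
RESPONSE_WINDOW = 60.0  # seconds within which a reply to a request is accepted
# Supported request/reply pairs from the page: echo 8/0, timestamp 13/14,
# information 15/16, address mask 17/18 (keyed request type -> reply type).
ICMP_PAIRS = {8: 0, 13: 14, 15: 16, 17: 18}

class PseudoStatefulTable:
    """Models the UDP/ICMP pseudo-stateful behaviour: outgoing traffic records an
    expectation, and an incoming packet is allowed only if it matches a live one.
    Matching keys are this example's assumption (ICMP identifier included)."""

    def __init__(self, force_allow_udp_ports=()):
        self.udp = {}    # (local_ip, local_port, remote_ip, remote_port) -> send time
        self.icmp = {}   # (local_ip, remote_ip, expected_reply_type, ident) -> send time
        self.force_allow = set(force_allow_udp_ports)  # stands in for Force Allow rules

    def outgoing_udp(self, src, sport, dst, dport, now):
        self.udp[(src, sport, dst, dport)] = now  # create or refresh the entry

    def incoming_udp(self, src, sport, dst, dport, now):
        if dport in self.force_allow:  # e.g. a DNS server that must accept port 53
            return True
        sent = self.udp.get((dst, dport, src, sport))
        return sent is not None and now - sent <= RESPONSE_WINDOW

    def outgoing_icmp(self, src, dst, icmp_type, ident, now):
        reply = ICMP_PAIRS.get(icmp_type)
        if reply is not None:  # assumption: only requests create an expected-reply entry
            self.icmp[(src, dst, reply, ident)] = now

    def incoming_icmp(self, src, dst, icmp_type, ident, now):
        sent = self.icmp.get((dst, src, icmp_type, ident))
        return sent is not None and now - sent <= RESPONSE_WINDOW

def demo():
    """Constructed scenario: a DNS query, its timely, late and spoofed replies, and a ping."""
    fw = PseudoStatefulTable()
    fw.outgoing_udp("10.0.0.5", 40000, "192.0.2.53", 53, now=0)
    fw.outgoing_icmp("10.0.0.5", "192.0.2.1", 8, ident=7, now=0)
    return {
        "dns reply in time": fw.incoming_udp("192.0.2.53", 53, "10.0.0.5", 40000, now=5),
        "dns reply too late": fw.incoming_udp("192.0.2.53", 53, "10.0.0.5", 40000, now=61),
        "unsolicited from port 53": fw.incoming_udp("198.51.100.9", 53, "10.0.0.5", 40001, now=5),
        "echo reply to our request": fw.incoming_icmp("192.0.2.1", "10.0.0.5", 0, ident=7, now=3),
        "unrequested echo reply": fw.incoming_icmp("203.0.113.7", "10.0.0.5", 0, ident=7, now=3),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} -> {'allow' if allowed else 'drop'}")
```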

Export a stateful configuration

You can export all stateful configurations to a .csv or .xml file by clicking Export and selecting the corresponding export action from the list. You can also export specific stateful configurations by first selecting them, clicking Export and then selecting the corresponding export action from the list.

Delete a stateful configuration

To delete a stateful configuration, right-click the configuration in the Firewall Stateful Configurations list, click Delete, and then click OK.

Stateful configurations that are assigned to one or more computers or that are part of a policy cannot be deleted.

View policies and computers with assigned stateful configuration

You can see which policies and computers are assigned to a stateful inspection configuration on the Assigned To tab. Click a policy or computer in the list to see its properties.