Firewall: State full vs State less


In my previous posts I explained the difference between routers and switches and how they are integral for networks to be formed and communication to take place between them. So where does a firewall come into play?

A firewall is anything that sits in between, that can deny traffic from reaching it’s destination even though a valid path was available. A firewall is also a router because it first makes routing decisions and then proceeds to make firewalling decisions. However, the key difference between the two is that a router allows all traffic that it can route by default whereas a firewall denies all traffic it has a valid route for by default.

This key difference is what separates a router from a firewall. A router can also perform some firewall functions with the use of access controlled lists (ACLs), but it is generally limited as will be explained later in this post.


Types of Firewall functions:

  • Stateless
  • State full

A stateless firewall feature is where a policy created to allow traffic between two networks doesn’t perform any function to allow return traffic by default. A firewall policy configured using an access list mimics this function.

Applications usually have a basic requirement of cross communication over ports. This requirement means that usually when an end device tries to communicate, it expects return traffic to come its way. With the use of stateless firewalling, you will have to create another rule to allow return traffic as well as the firewall feature in use doesn’t support the maintenance of a ‘state’ between the sender and destination end device. Routers usually only support stateless firewalling.

A state full firewall on the other hand supports the creation of a session between the sender and the destination address which then allows return traffic to pass through freely. All purpose built firewalls are usually state full firewalls.


Application Layer Gateway:

Application Layer Gateway or ALG simply means inspecting the packet further and allowing/denying traffic based on what application is being used. Referring to the OSI reference model, firewalls usually operate on the network layer level. They normally look at the source and destination IP address of the sender and receiver along with the port used. However, with ALG, this capability can be extended further to allow/deny traffic based on the kind of application in use. This function transcends them from a mere network layer device to a device that is capable of working at the higher layers of the OSI reference model. ALG has enhanced the capability of modern firewalls to unprecedented levels with most firewalls these days providing anti-virus support and threat management in their arsenal.

The enterprise firewall market is currently being dominated by Cisco, Juniper, Fortinet, Chechpoint and Palo Alto. Start today by learning how to configure a state full firewall policy on the Juniper SRX firewall here.

Got questions? Leave a comment! Let’s chat.

Rafay Rasool is a Network Specialist with over 10 years of experience designing, configuring and implementing core network solutions based predominantly but not limited to Juniper Routers, Switches and Firewalls along with other vendors such as Cisco, Huawei, Siemens, Aerohive, Ringmaster, Pulse etc for Internet Service Provider and Enterprise Networks.

Rafay is an avid supporter of network automation and likes to code and automate networking solutions.