Technical Documentation

Configuring Stateful Firewall (NSM Procedure)

Stateful firewall is a type of firewall filter that considers state information derived from previous communications and other applications when evaluating traffic. Contrasted with a stateless firewall that inspects packets in isolation, a stateful firewall provides an extra layer of security by using state information derived from past communications and other applications to make dynamic control decisions for new communication attempts.

To configure stateful firewall in NSM:

  1. In the navigation tree select Device Manager > Devices.
  2. In the Devices list, double-click the device to select it.
  3. In the Configuration tab, expand Services > Stateful Firewall.
  4. Add or modify the settings as specified in Table 1.
  5. Click one:
    • OK—To save the changes.
    • Cancel—To cancel the modifications.

Table 1: Stateful Firewall Configuration Details

Task Your Action

Define the rule.
  1. Click Rule next to Stateful Firewall.
  2. Click Add new entry next to Rule.
  3. In the Name box, enter the identifier for the collection of terms that constitute this rule.
  4. In the Comment box, enter the comment.
  5. From the Match Direction list, select the direction in which the rule match is applied.
    • Select input to apply the rule match on the input side of the interface.
    • Select output to apply the rule match on the output side of the interface.
    • Select input-output to apply the rule match bidirectionally.
  6. Click Term next to rule.
  7. Click Add new entry next to Term.
  8. In the Name box, enter the identifier for the term.
  9. In the Comment box, enter the comment.
  10. Expand term.
  11. Click From next to term.
  12. In the Comment box, enter the comment.
  13. Expand From.
  14. From the listed match conditions, select the match condition for stateful firewall.

    The match conditions listed are Application Sets, Applications, Destination Address, Destination Address Range, Destination Prefix List, Source Address, Source Address Range, and Source Prefix List.

  15. Click Then next to term.
  16. In the Comment box, enter the comment.
  17. Select the Syslog check box to enable system logging.
  18. Expand Then.
  19. Click Accept next to Then.
    • Select Accept to accept the traffic and send it on to its destination.
    • Select discard to not accept traffic or process it further.
    • Select reject to accept the traffic and return a rejection message.
  20. Click Allow Ip Options next to Then.
  21. Click Add new entry next to Allow Ip Options.
  22. From the dropdown list, select the IP option name.

Define the rule set.
  1. Click Rule Set next to Stateful Firewall.
  2. Click Add new entry next to Rule Set.
  3. In the Name box, enter the identifier for the collection of rules that constitute this rule set.
  4. In the Comment box, enter the comment.
  5. Click Rule next to rule-set.
  6. Click Add new entry next to Rule.
  7. From the Name list, select the identifier for the collection of terms that constitute this rule.
  8. In the Comment box, enter the comment.

Published: 2009-08-23