Configuring global state policies
You can change behavior to be globally stateful by setting a global state policy with security firewall global-state-policy <protocol>. When state policies are defined, state rules for return traffic of that type need not be explicitly mentioned within the rule sets.
The following apply to global stateful rules:
- A global stateful rule affects only the firewall rules that explicitly (or by inference) refer to that protocol. This inference can occur if the protocol keyword has been omitted for TCP, ICMP or ICMPv6 rules.
- ICMP sessions are created only for echo-request packets. Attempting to create a session for an echo-response results in a packet drop.
- It is usually not necessary to specify default-action (or default-log). Reserve default-action for use with a stateless firewall if you want to block only a few packets and pass all others using default-action accept.
Consider the following configuration. In this configuration, each of the rules 10, 20, 30, 40, 100, 200 act as if they also had state enable present. Rule 400 is not affected, and does not enable a state.
The following protocol-specific notes apply to this example:
ICMP
An IPv4 ICMP echo-request packet matches rule 10, creates a state, and allows ICMP echo-response packets to be received. The same applies to IPv6 ICMP echo-request packets and rule 20.
ICMP sessions are created only for echo-request packets. Any attempt to create a session for echo-response packet fails. An echo-response in the presence of the example ruleset will match rule 30 (or 40 for IPv6), and be dropped. Other ICMP packets are allowed through. In this example, it is not necessary to use the security firewall global-state-policy icmp rule because state enable can be used for rule 10 or 20. ICMP errors corresponding to an existing session are always passed (and NAT translated) unless explicitly blocked by a firewall rule.
TCP
For TCP, rule 200 allows outbound traffic to port 80 (http), and allows its response packets. Rule 400 allows out all other packets (including other TCP packets), but packets matching these rules do not create a state. Outbound TCP traffic to a port such as port 88 is allowed, but its response packets are blocked.
UDP
The example ruleset allows all UDP traffic, including requests and responses.
Example configuration
security {
firewall {
global-state-policy {
icmp
tcp
udp
}
name GblState {
rule 10 {
action accept
icmp {
name echo-request
}
}
rule 20 {
action accept
icmpv6 {
name echo-request
}
}
rule 30 {
action accept
protocol icmp
}
rule 40 {
action accept
protocol ipv6-icmp
}
rule 100 {
action accept
protocol udp
}
rule 200 {
action accept
destination {
port 80
}
protocol tcp
}
rule 400 {
action accept
}
}
}
}Example steps to configure a global firewall policy to allow all return traffic
The following example shows the steps to configure a firewall globally to allow all return traffic. In addition, the firewall allows any traffic (such as FTP data) that is related to allowed traffic in the original direction. The firewall drops invalid traffic.
To configure this global stateful behavior, perform the following steps in configuration mode.
| Step | Command |
|---|---|
|
Configure global state policy. | |
|
Commit the configuration. | |
|
Show the state policy configuration. | |