topic Re: Statefull Firewall in General Topics

Statefull Firewall

gurowar — Tue, 27 Feb 2024 21:47:22 GMT

Good day all;

I have a question I have an internal server that is initiating a HTTPS connection to AWS via the internet, the connection fails and when I check it is being dropped by the clean up rule. I thought that since this is a statefull firewall and the connection is initialed internally I wouldn't need to apply a policy to allow this connection. What am I doing wrong?

Thank you in advance!!!

Warren

Re: Statefull Firewall

Chris_Atkinson — Tue, 27 Feb 2024 22:50:29 GMT

There needs to be a rule allowing the initiator of the connection, then the reply traffic will be statefully matched.

Do you have rules allowing the internal zone or subnets outbound?

Re: Statefull Firewall

the_rock — Wed, 28 Feb 2024 02:50:18 GMT

As Chris said, you need a rule to allow initial connection, not the other way around, as it would be stateful.

Best,

Andy

Re: Statefull Firewall

Lesley — Wed, 28 Feb 2024 08:59:49 GMT

Looks like you don't have a firewall rule for this traffic.

Should be something like:

src: internal IP

dst: aws

port:443

allow

You don't have to make a rule for src;AWS, dst: internal IP. That is the statefull part

Re: Statefull Firewall

Timothy_Hall — Wed, 28 Feb 2024 15:02:14 GMT

If this HTTPS traffic is subject to NAT, make sure you are using the "original" pre-NAT IP addresses for matching in your Access Control policy. It won't match properly against the post-NAT addresses and will fall to the cleanup rule.

Re: Statefull Firewall

gurowar — Thu, 29 Feb 2024 14:33:22 GMT

Thanks guys yeah I don't have a rule in place yet, I got caught up because I tried to ping 8.8.8.8 and when it didn't work I started focusing on that. I thought all outbound connectivity was allowed by default but thank you for your help I will put in a rule for aws.

Thank you guys!!!

Warren

Re: Statefull Firewall

the_rock — Thu, 29 Feb 2024 14:39:30 GMT

As long as its fixed mate, now you know for next time 🙂

Best,

Andy

Re: Statefull Firewall

gurowar — Thu, 29 Feb 2024 14:42:41 GMT

Yes that is true, thank you again for your help!!

Thank you, sir!!

Warren

Re: Statefull Firewall

the_rock — Thu, 29 Feb 2024 14:45:21 GMT

No worries. Put it this way...regardless of what fw you use, Cisco, Sonicwall, CP, FGT, PAN...makes no difference, you just need to know that when you place a rule for OUTBOUND connection to the Internet, no need for return rule, its stateful at that point, unless obviously you need to allow someone to access your host on the LAN from the Internet, you need to do NAT, port forwarding, what have you...you get the idea 🙂

Best,

Andy