Skip to content Skip to navigation Skip to footer

What Is Stateful Firewall?

A stateful firewall, situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model, is a kind of firewall that keeps track of the state of active network connections while analyzing incoming traffic, looking for potential risks. 

Basic firewall features include blocking traffic designated as dangerous from either coming into a network or leaving it. It is important to monitor the state and context of network communications because this information can be used to identify threats—either based on where they are coming from, where they are going, or the content of their data packets. 

Stateful firewalls can detect attempts by unauthorized individuals to access a network, as well as analyze the data within packets to see if they contain malicious code.

What Is State?

The state is the most recent or immediate status of a process or application. In a firewall, the state of connections is stored, providing a list of connections against which to compare the connection a user is attempting to make. Devices that track state ascertain which states are safe and which pose threats.

What Is Context?

Context refers to Internet Protocol (IP) addresses, packets, and other kinds of data that can be used to provide evidence of repeated patterns. In the context of a connection, a stateful firewall can, for example, examine the contents of data packets that came through the firewall and into the network. If these packets contain unsafe data, they can be blocked by a stateful firewall in the future.

How a Stateful Firewall Works

A stateful firewall collects data regarding every connection made through it. All of these data points form profiles of “safe” connections. When a subsequent connection is attempted, it is checked against the list of attributes collected by the stateful firewall. If it has the qualities of a safe connection, it is allowed to occur. If not, the data packets are discarded. Data packets contain information about the data within them. A stateful firewall performs packet inspection, which checks the contents of packets to see if they pose threats.

Stateful firewalls can also integrate additional services, such as encryption or tunnels. These boost performance because they block malicious actors from reading the contents of communications, thereby making the connection safer through access control.

Stateful Packet Inspection

Stateful packet inspection is a technology used by stateful firewalls to determine which packets to allow through the firewall. It works by examining the contents of a data packet and then comparing them against data pertaining to packets that have previously passed through the firewall. 

Stateful packet filtering keeps track of all connections on the network, making sure they are all legitimate. Network-based static packet filtering also examines network connections, but only as they come in, focusing on the data in the packets’ headers. This data provides less information to the firewall, limiting it to where it came from and where it is going.

Transport Control Protocol (TCP)

TCP is one of the primary protocols the internet uses to send and receive data, allowing data to be sent and received at the same time. In addition to helping transmit information, TCP contains data that can result in a reset (RST) of the connection, stopping it completely. TCP also dictates when the transmission should end with a FIN (finish) command. It groups data into packets, and when they arrive at the destination, the packets are reassembled into data the receiver can understand. 

Stateful firewalls use TCP traffic to keep track of connections by examining the contents of the packets created in the TCP process. The three stages of a TCP connection—synchronize (SYN), synchronize-acknowledge (SYN-ACK), and acknowledge (ACK)—are used by a stateful inspection firewall to identify the parties involved in order to spot a potential threat. If signs of a bad actor are revealed as the TCP handshake takes place, the stateful firewall can discard the data.

Three-way Handshake

The three-way handshake involves both sides of the data transmission process synchronizing to initiate a connection, then acknowledging each other. In this process, each side transmits information to the other side, and these are examined to see if anything is missing or not in the proper order. 

As the handshake occurs, a stateful firewall can examine the data being sent and use it to glean information regarding the source, destination, how the packets are sequenced, and the data within the packet itself. If threats are detected, the firewall can reject the data packets.

Differences Between a Stateful and Stateless Firewall

A stateless firewall uses a predefined set of rules to thwart cyber criminals. If the data packet conforms to the rules, it is judged as “safe” and is allowed to pass through. In this way, traffic is classified instead of inspected. The process is less rigorous compared to what a stateful firewall does. 

For example, a stateless firewall does not differentiate between certain kinds of traffic, such as Secure shell (SSH) versus File Transfer Protocol (FTP). A stateless firewall may simply classify these as “safe” and allow them to pass through, which can result in potential vulnerabilities.

Next-generation Firewalls (NGFWs) Provide More Protection Than Stateful Firewalls

NGFWs offer the same capabilities as stateful inspection because they perform deep packet inspection (DPI), examining the packets’ payloads and their header information. NGFWs can also incorporate artificial intelligence (AI) to identify previously unknown threats.

The FortiGate NGFW inspects traffic as it comes into a network and as it leaves, leveraging DPI and machine learning (ML) to catch threats. Fortinet is a Leader in Gartner’s Magic Quadrant for Network Firewalls.