Stateful Inspection
Every incoming packet is inspected against the Adaptive Security Algorithm and the connection state information
to determine whether to permit or deny the packet. Like the PIX and ASA Security Appliance, a stateful firewall
checks the state of a packet as follows:
1. Is this a new connection?
If the incoming packet is part of a new connection, the Adaptive Security Algorithm checks the packet
against access lists and performs other standard tasks (such as route lookup) to determine whether the
packet is permitted or denied. The session management path is responsible for performing the following:
- Perform the access list checks
- Perform route lookups
- Allocate NAT translations (xlate table)
- Establish the session in the "fast path"
Packets are further passed to the control plane path to inspect the payload for application-level (Layer 7)
inspection.
2. Is this an established connection?
If the incoming packet is part of an existing connection, the Adaptive Security Algorithm does not
reexamine the packet, and matching packets in the established connection table can go through the fast
path in both directions. The fast path is responsible for performing the following checks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments
In some instances, established session packets must continue to go through the session management
path or the control plane path for protocols that require Layer 7 inspection. For example, HTTP packets
requiring content filtering need to go through the session management path.
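
The two-path decision described above, as an added example (a simplified model written for this page, not Cisco code). It covers only the access list check and the session lookup. The class, field names, addresses and policy are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed sample policy: (proto, dst, dport) destinations new connections may reach.
ACL_PERMIT = {("tcp", "203.0.113.10", 443)}


class StatefulFirewall:
    """Toy model: new connections are checked once, established ones are looked up."""

    def __init__(self, acl):
        self.acl = acl
        self.conn_table = set()  # established sessions, keyed by 5-tuple
        self.acl_checks = 0      # how often the session management path ran

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        # Established connection: session lookup only, valid in both directions.
        if self._key(p) in self.conn_table or self._reverse_key(p) in self.conn_table:
            return "permit (fast path)"
        # New connection: access list check on the session management path.
        self.acl_checks += 1
        if (p.proto, p.dst, p.dport) not in self.acl:
            return "deny (access list)"
        # Permitted: establish the session so later packets take the fast path.
        self.conn_table.add(self._key(p))
        return "permit (session management path)"
```

A reply is permitted only because the outbound packet created the session entry; the same reply arriving first is treated as a new connection and evaluated against the access list.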