Policy rule is not stateful!?

Hello,
In the context of an AOS8 core switch doing layer 3 routing, I have to push the ACLs (policy rules) to the maximum restriction. The goal is to have the most precise rules possible, with traffic blocked by default.
In my tests I realized that the ACLs are not stateful! :tired_face:
.
Example of a workstation needing to connect to a server:

qos enable

policy network group PC 192.168.1.11
policy network group SRV 192.168.3.1

policy action ACCEPT
policy action DENY disposition deny

policy condition C_ANY-ANY source ip Any destination ip Any
policy rule "DENY C_ANY-ANY" precedence 200 condition C_ANY-ANY action DENY

policy condition C_ARP ethertype 0x806
policy rule "ACCEPT_ARP" precedence 1000 condition C_ARP action ACCEPT

policy condition C_PC_SRV source network group PC destination network group SRV
policy rule "ACCEPT C_PC_SRV" precedence 1000 condition C_PC_SRV action ACCEPT

qos apply

=> no connection
.

policy condition C_SRV_PC source network group SRV destination network group PC
policy rule "ACCEPT C_SRV_PC" precedence 1000 condition C_SRV_PC action ACCEPT
qos apply

=> ok connection
.
Going further, I could authorize it with 2 rules (an SSH connection, for example):
1/ PC → SRV:22 (request)
2/ SRV:22 → PC (response)

but it’s super complicated to set up in a complex network!!!
.
Is there a method to enable a stateful mode (no need to handle/allow the response when the request is allowed)? :roll_eyes:

Thanks in advance!

Hello,

Unlike firewall rules, which are stateful, ACLs are stateless. For TCP traffic there’s the “established” option that can check whether this flag is set on return traffic.

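As an added illustration (not part of the thread, and not the poster's or the responder's configuration), here is what the “established” approach described in the reply looks like for the SSH case from the question, written in the same AOS8 policy syntax the poster used. The network groups, rule precedences and the DENY rule are the poster's; the `destination tcp-port`, `source tcp-port` and `established` keywords are assumed from the AOS 8 CLI reference as I recall it and should be checked against the CLI help of the running release.

```text
! Constructed example, assumed AOS 8 syntax; keep the poster's existing
! "DENY C_ANY-ANY" rule at precedence 200 as the default-deny.

! Request direction: PC -> SRV, TCP port 22 only
! (instead of the broad "any protocol" C_PC_SRV condition from the question)
policy condition C_PC_SRV_SSH source network group PC destination network group SRV destination tcp-port 22
policy rule "ACCEPT C_PC_SRV_SSH" precedence 1000 condition C_PC_SRV_SSH action ACCEPT

! Return direction: SRV:22 -> PC, but only packets that carry the flags of an
! already established TCP connection (ACK or RST set). A fresh SYN sent from
! SRV towards PC does not match this condition and falls through to the
! precedence-200 DENY rule, which a plain SRV -> PC reverse rule would not do.
policy condition C_SRV_PC_SSH source network group SRV source tcp-port 22 destination network group PC established
policy rule "ACCEPT C_SRV_PC_SSH" precedence 1000 condition C_SRV_PC_SSH action ACCEPT

qos apply
```

Two points worth keeping in mind. The switch is still stateless: “established” only inspects TCP flags on each packet, it keeps no connection table, so the reverse rule is still required, just narrowed to packets that look like replies. And because the check is a TCP flag check, there is no equivalent for UDP or ICMP; return traffic for those protocols still needs an explicit reverse condition (typically on the source port). After `qos apply`, confirming the active rules with the switch's show command for active policy rules (e.g. `show active policy rule`, as I recall it from the AOS CLI) is the quickest way to verify the precedence ordering against the default-deny rule.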
Hello,
so for TCP connections it is enough to add the “established” option to the policy conditions of the return traffic? I will test…
Is this a better method than using the destination TCP port as the source port for the return traffic?