Policy rule is not stateful!?

In the context of an AOS8 core switch doing layer 3 routing, I have to push the ACLs (policy rules) to the maximum restriction. The goal is to have the most precise rules possible, with traffic blocked by default.
In my tests I realized that the ACLs are not stateful! :tired_face:
Example of a workstation needing to connect to a server:

qos enable

policy network group PC
policy network group SRV

policy action ACCEPT
policy action DENY disposition deny

policy condition C_ANY-ANY source ip Any destination ip Any
policy rule "DENY C_ANY-ANY" precedence 200 condition C_ANY-ANY action DENY

policy condition C_ARP ethertype 0x806
policy rule "ACCEPT_ARP" precedence 1000 condition C_ARP action ACCEPT

policy condition C_PC_SRV source network group PC destination network group SRV
policy rule "ACCEPT C_PC_SRV" precedence 1000 condition C_PC_SRV action ACCEPT

qos apply

=> no connection

policy condition C_SRV_PC source network group SRV destination network group PC
policy rule "ACCEPT C_SRV_PC" precedence 1000 condition C_SRV_PC action ACCEPT
qos apply

=> connection OK
Going further, I could authorize with 2 rules (with an SSH connection, for example):
1/ PC → SRV:22 (request)
2/ SRV:22 → PC (response)

But it’s super complicated to set up in a complex network!!!
Is there a method to enable a stateful mode (no need to handle/allow the response when the request is allowed)? :roll_eyes:

Thanks in advance!


Unlike firewall rules which are stateful, ACLs are stateless. For TCP traffic there’s the “established” option that can check if this flag is set on return traffic.

So for TCP connections, is it enough to add the “established” option to the policy conditions for the return traffic? I will test…
Is this a better method than using the destination TCP port as the source port for the return traffic?
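To make the stateless behaviour in the thread concrete, here is an added Python model (not OmniSwitch code and not from the thread) that replays a TCP handshake through the rule set from the first post and through the two return-traffic variants raised afterwards: a return rule matched on source port 22, and a return rule with an "established" condition. The network groups, addresses, ports, the rule names beyond those in the post, and the meaning assumed for "established" (TCP segment with ACK or RST set) are all constructed assumptions; precedence follows the post's convention that the higher number wins.

```python
"""Stateless policy-rule model for the AOS8 thread above (constructed example).

Assumptions: highest precedence wins, the switch keeps no session state, and
an "established" condition matches only TCP segments carrying ACK or RST.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Stand-ins for "policy network group PC" / "policy network group SRV" (constructed).
GROUPS = {
    "PC":  [ipaddress.ip_network("10.1.1.0/24")],
    "SRV": [ipaddress.ip_network("10.2.2.0/24")],
    "ANY": [ipaddress.ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})

@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int            # AOS8 convention in the post: higher number is checked first
    src_group: str
    dst_group: str
    action: str                # "ACCEPT" or "DENY"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False  # assumed semantics: match only TCP with ACK or RST set

def in_group(addr: str, group: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GROUPS[group])

def matches(rule: Rule, pkt: Packet) -> bool:
    if not (in_group(pkt.src, rule.src_group) and in_group(pkt.dst, rule.dst_group)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # A bare SYN (new session) carries neither ACK nor RST, so it never matches
    # an "established" condition; every later segment of the session does.
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(rules, pkt: Packet) -> str:
    """Stateless lookup: only this packet's headers are consulted, never earlier packets."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if matches(rule, pkt):
            return rule.action
    return "DENY"  # nothing matched

def tcp_handshake_allowed(rules, client: str, server: str, port: int) -> bool:
    """Replay the SYN and the SYN-ACK of one session; both must pass for the connection to work."""
    syn = Packet(client, server, 50000, port, frozenset({"SYN"}))
    syn_ack = Packet(server, client, port, 50000, frozenset({"SYN", "ACK"}))
    return evaluate(rules, syn) == "ACCEPT" and evaluate(rules, syn_ack) == "ACCEPT"

def server_can_open_session_to_pc(rules, sport: int = 40000) -> bool:
    """Does the return rule also let SRV start a *new* session towards a PC?"""
    return evaluate(rules, Packet(SRV, PC, sport, 445, frozenset({"SYN"}))) == "ACCEPT"

PC, SRV = "10.1.1.10", "10.2.2.20"  # constructed hosts
DENY_ALL = Rule("DENY C_ANY-ANY", 200, "ANY", "ANY", "DENY")
PC_TO_SRV_SSH = Rule("ACCEPT C_PC_SRV", 1000, "PC", "SRV", "ACCEPT", dport=22)
# Three ways of letting the reply back, as discussed in the thread:
RETURN_BROAD = Rule("ACCEPT C_SRV_PC", 1000, "SRV", "PC", "ACCEPT")
RETURN_BY_SPORT = Rule("ACCEPT C_SRV_PC_22", 1000, "SRV", "PC", "ACCEPT", sport=22)
RETURN_ESTABLISHED = Rule("ACCEPT C_SRV_PC_EST", 1000, "SRV", "PC", "ACCEPT", established=True)

RULESETS = {
    "request only":       [DENY_ALL, PC_TO_SRV_SSH],
    "broad return":       [DENY_ALL, PC_TO_SRV_SSH, RETURN_BROAD],
    "return by src port": [DENY_ALL, PC_TO_SRV_SSH, RETURN_BY_SPORT],
    "return established": [DENY_ALL, PC_TO_SRV_SSH, RETURN_ESTABLISHED],
}

if __name__ == "__main__":
    for label, rules in RULESETS.items():
        print(f"{label:20} SSH PC->SRV works: {tcp_handshake_allowed(rules, PC, SRV, 22)!s:5} "
              f"SRV can open a session to a PC: {server_can_open_session_to_pc(rules)!s:5} "
              f"(from source port 22: {server_can_open_session_to_pc(rules, 22)})")
```

Running it reproduces the thread: with only the PC→SRV rule the SYN-ACK is dropped, so there is no connection. The broad SRV→PC rule restores the connection but also lets the server open new sessions towards every PC. The source-port variant only blocks such sessions as long as the server does not send them from port 22, since a stateless rule has nothing else to go on. The "established" variant lets the SYN-ACK and all later segments through while still refusing a fresh SYN from SRV, which is the closest a stateless ACL gets to the stateful behaviour asked about.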