ASA5505 has a feature of "Stateless Active/standby" HA? What is the meant of stateless? And what is the meant of "stateful firewall". Thanks
To answer the 2nd part of your question.
A stateful firewall keeps track of the "state" of connections based on source/destination IP, source/destination port and connections flags. It can really only keep state for TCP connections because TCP uses flags in the packet headers. eg
When a client telnets to a server.
Client address = 192.168.5.1
Server address = 172.16.5.2
The client picks a random port eg 33212 and sends a packet to the server
source IP = 192.168.5.1
source port = 33212
destination IP = 172.16.5.2
destination port = 23 ( 23 is telnet port )
TCP Flag = SYN
source IP = 172.16.5.1
source port = 23
destination IP = 192.168.5.1
destination port = 33212
TCP FLAG = SYN/ACK
Same as original client packet except
TCP FLAG = ACK
The above is called the TCP 3 way handshake.
Now lets say there is a stateful firewall in between the client and the server.
When the firewall sees the initial packet from the client it records all the info above.
When the server responds the firewall looks up it's state table to see if it has a matching entry for the connection and finds it does. What's more because the firewall expects to see a SYN/ACK from the server because it recorded a SYN from the client. So the packet is allowed.
Now lets say the client hasn't sent an intital packet and the server sent a packet with the same info as above. The TCP FLAGS are SYN/ACK but the firewall has no record of a SYN packet sent from the client. So the packet is dropped.
In essence this is how stateful firewalls work . They keep track of each connection and allow the traffic to flow through only if there are corresponding entries in it's state table.
For non-TCP protocols eg UDP there are no flags so the stateful firewall sets a timer ie. if it sees a DNS query go out it records the IP source/destination and the Port source/destination. If within a certain amount of time a packet is received back with the same IP'S and port number, although obviously the source and destination are flipped, the packet is allowed through.
Hope this makes sense