How Would You Test Stateful Firewall Rules?

Stateful firewalls are becoming more and more popular as hackers grow increasingly savvy about circumventing traditional perimeter defenses. Stateful is a firewall that updates its rules based on traffic flow and can be very effective in stopping attacks.

What Is The Best Way To Test A Firewall?

Port Scanners

Using a packet analyzer is probably the best way to test firewall rules. However, it can be time-consuming and difficult if you don’t have any programming skills. If not done correctly, port scanners miss open ports because they are looking for closed ports or random open ports, whereas a Stateful firewall knows which port should be allowed outbound from the internal network.

Packet Analyzer

The best way to use a packet analyzer is to set up the server on an internal system, configure it with services that are running but not open at all times so you can monitor access, and then try opening ports from outside of the firewall. This will give you insight into whether or not your rules are allowing communication between systems.


Wireshark is a free packet analyzer, allows you to see all of the traffic on your network regardless of what type it is, whether TCP/IP or UDP/IP, and any protocols being used such as IPX, ICMP, etc. This makes Wireshark a great tool to use in addition to port scanners.


This is a port scanner that can use to easily test firewall rules. NMAP has many features, including OS detection, service identification, and the ability to scan multiple hosts at once. However, these are all passive scans that don’t affect intrusion prevention systems (IPS). Some users can get confused between a Wireshark and an NMAP. Check out our article to see the difference between Wireshark and NMAP.


Netcat is a tool that can be used to test firewall rules. It’s a highly versatile program with many uses, some of which are trying outbound connectivity and checking for open ports on multiple hosts simultaneously without port scanners or other tools.

Forceful Scan

A forceful scan will try opening every single possible TCP/IP port. You can use it to test firewall rules. It’s probably the most effective way of seeing what ports are open, but it will leave a big fingerprint on your network, and many firewalls may flag this as an attack.

When Does A Packet Go Through A Firewall?

Suppose the firewall is configured to allow packets inbound on a specific port, in that case, it will let all of them come in as long as they are part of an existing connection, i.e., keep-alive or an attempt for new links, e.g., a unique connection to a web server. The packet will go through the firewall when it reaches its destination, not before.

When it comes to testing rules, the packet analyzer is probably best because of its ability to monitor all types of traffic and protocols on your network regardless if they are part of a current communication session or not. However, this type of test could potentially affect firewall performance depending on how much bandwidth you use when scanning.

Preventions Against Firewall Attacks

  • Ensure your firewall is configured to use an interface or zone for inbound traffic
  • Configure the firewall with a rule only allowing communication from trusted internal systems
  • Be sure to monitor logs and alerts on your firewall, intrusion prevention system (IPS), network access control lists (NACLs), and web application firewalls. This can give you insight into any rules that may be missing or redundant.
  • Limit the number of ports and protocols your firewall allows by default so it can prevent any traffic that is not approved from being allowed through before an administrator configures specific rules for them
  • Do not allow packets inbound on a specific port but outbound traffic. This will prevent any type of attack that tries to exploit your firewall rules, e.g., spoofing.
  • Monitor logs and alerts for changes in behavior that may indicate an attack, misconfiguration, or redundant rule(s) is/are in place.
  • Limit traffic from known wrong sources such as the internet to only those systems that are required. This will prevent your network from being used as a springboard for other attacks on internal networks and critical data stores.
  • Block “scan” type firewall rules at the edge of your network where it is easier to control access by managing ACLs (access control lists). This will prevent your firewall from being used as a tool for surveillance and the discovery of critical information.

How does Stateful Packet Inspection Work On A Firewall?

Stateful packet inspection works by tracking the state of sessions. When a session is created, it creates an entry in memory which states where the traffic should be sent and what ports to use for that session, i.e., if TCP packets are being used then either port 80 or 443 may be opened depending on what type of protocol is being used, these are known as ephemeral ports. Packets are sent through the firewall. It tracks their progress by monitoring both stateless and connection-oriented protocols.

Suppose the firewall receives traffic that is part of an existing session. In that case, it will allow those packets through if they are from a trusted source, e.g., another system on your network or the packet analyzer you’re using to test outbound connectivity and open port rules. Stateful inspection monitors both inbound and outbound traffic.

Stateful packet inspection is a more secure way of inspecting packets because it tracks the state of sessions and allows only trusted sources to communicate through your firewall. It can be used with routing protocols such as dynamic routing, static routes, or policy-based routing to create rules that put devices into different security zones, e.g., trusted versus untrusted.


Stateful packet inspection is a more secure way of inspecting packets because it tracks the state of sessions and allows only trusted sources to communicate through your firewall. When testing firewall rules, it is a good idea to use the packet analyzer first because of its ability to monitor all types of traffic and protocols on your network, which could potentially affect firewall performance. However, it is probably best to use the packet analyzer because this type of test will give you insight into whether your rules allow communication between systems.

Recent Posts