Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5019
Views
3
Helpful
1
Replies

SGACL state-less / stateful?

Go to solution
rmueller@cisco.com
Cisco Employee
Cisco Employee

‎06-29-2018 07:52 AM - edited ‎03-11-2019 01:44 AM

Hi all,

to my knowledge, SGACLs are normally statless, which means that I have to explictly allow return traffic in cases where SGACLs are used.

Are there any devices (besides ASA/FTD) which are stateful when using SGACLs?

Roland

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎06-29-2018 08:22 AM

Hi Roland,

all devices downloading SGACLs from ISE are stateless (switches, routers, AP's via WLC).

As you say, firewalls offer stateful inspection but they use SGFW rules, they don't download SGACLs from ISE.

Routers can offer stateful operation while using SGT's in zone based firewall setup but again, SGACLs are not downloaded for this function.

View solution in original post

1 Reply 1

Go to solution
jeaves@cisco.com
Cisco Employee
Cisco Employee

‎06-29-2018 08:22 AM

Hi Roland,

all devices downloading SGACLs from ISE are stateless (switches, routers, AP's via WLC).

As you say, firewalls offer stateful inspection but they use SGFW rules, they don't download SGACLs from ISE.

Routers can offer stateful operation while using SGT's in zone based firewall setup but again, SGACLs are not downloaded for this function.

Customers Also Viewed These Support Documents