
Understanding Inspection

Trey Grun

I've never seen it in black and white, but my interpretation of "inspection" of traffic through a firewall is the concept of flows being continuously examined for statefulness. I suppose I need to define my understanding of statefulness as the maintenance of knowledge of TCP flows relative to sequence information. Of course I'm not sure how inspection works for connectionless protocols like ICMP or UDP...

Anyway, my understanding that 'inspection' should be non-impacting has been challenged by attempts to implement the default inspection policy on an ASA on two occasions. On both occasions, implementation of the policy has stopped all HTTP traffic through the device, and the most recent application of the policy stopped pretty much all traffic. I'd paste the default policy that was created here for review, but understandably I had to remove it from the device; I can assure you that both HTTP and ICMP were included in the policy.

If it helps, I tried to get some understanding by reviewing a couple other threads - like this one:

There was another thread that outlined creating policies for specific HTTP traffic, but I figure that's not really what we need since the problem is that the default inspection policy cuts down all traffic.

Am I wrong to expect that the default inspection should not stop all traffic for the protocol being inspected?
