User guide

Check Point Stateful Inspection Technology
Chapter 2: The ZoneAlarm Firewall 15
Date and time of packet arrival or departure
The ZoneAlarm firewall examines IP addresses, port numbers, and any other information
required. It understands the internal structures of the IP protocol family and applications,
and is able to extract data from a packet's application content and store it, to provide
context in cases where the application does not provide it. The ZoneAlarm firewall also
stores and updates the state and context information in dynamic tables, providing
cumulative data against which it inspects subsequent communications.
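The following sketch is an added example, not Check Point or ZoneAlarm code. It shows the idea for passive FTP, the case examined in the next section: the server's standard RFC 959 `227` reply on the command channel is parsed to learn the data port P, and only a matching follow-up connection is allowed. The class name, the 30-second lifetime, the one-shot rule and the strict address check are assumptions made for illustration, and the addresses are constructed samples.

```python
import re
import time

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

class PassiveFtpTracker:
    """Hypothetical dynamic state table for a client-side firewall."""

    def __init__(self, ttl=30):
        self.ttl = ttl          # seconds an expected data connection stays valid (assumed)
        self.control = set()    # (client_ip, C, server_ip) command sessions seen
        self.expected = {}      # (client_ip, server_ip, P) -> expiry time

    def outbound_syn(self, client_ip, sport, server_ip, dport, now=None):
        """Return True if a new outbound TCP connection is allowed."""
        now = time.time() if now is None else now
        if dport == 21 and sport > 1023:
            self.control.add((client_ip, sport, server_ip))
            return True
        # Data channel: allowed once, and only to a port learned from a 227 reply.
        expiry = self.expected.pop((client_ip, server_ip, dport), None)
        return expiry is not None and now <= expiry and sport > 1023

    def control_reply(self, client_ip, cport, server_ip, line, now=None):
        """Inspect one server line on the command channel; return P if recorded."""
        now = time.time() if now is None else now
        if (client_ip, cport, server_ip) not in self.control:
            return None         # reply does not belong to a tracked command session
        m = PASV_REPLY.match(line)
        if not m:
            return None
        octets = [int(g) for g in m.groups()]
        addr = ".".join(str(o) for o in octets[:4])
        if any(o > 255 for o in octets) or addr != server_ip:
            return None         # malformed, or names a host other than the server
        port = octets[4] * 256 + octets[5]
        self.expected[(client_ip, server_ip, port)] = now + self.ttl
        return port

if __name__ == "__main__":
    fw = PassiveFtpTracker()
    fw.outbound_syn("10.0.0.5", 40000, "203.0.113.10", 21)
    print(fw.control_reply("10.0.0.5", 40000, "203.0.113.10",
                           "227 Entering Passive Mode (203,0,113,10,195,80)"))
    print(fw.outbound_syn("10.0.0.5", 40001, "203.0.113.10", 50000))
```

The strict address check would reject servers behind NAT that advertise a different address in the 227 reply; a real product would need a policy for that case.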
The Stateful Inspection Advantage - Passive FTP Example
In order to discuss the strength of Stateful Inspection technology in comparison to the
other firewall technologies mentioned, we will examine the Passive FTP protocol and the
ways that firewalls handle Passive FTP traffic pass-through.
FTP connections are unique, since they are established using two sessions or channels: one
for command (AKA control) and one for data. The following table describes the steps of
establishing a Passive FTP connection, where:
C is the client port used in the command session,
D is the client port used in the data session, and
P is the server port used in the data session.
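Table 6: Establishment of Passive FTP Connection

| Step | Channel Type | Description | Source | TCP Source Port | Destination | TCP Destination Port |
|------|--------------|-------------|--------|-----------------|-------------|----------------------|
| 1 | CMD | Client initiates a PASV command to the FTP server on port 21 | FTP client | C > 1023 | FTP server | 21 |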