Which of the following statements is true regarding stateful firewalls? (Select the best answer.)
Their primary purpose is to hide the source of a network connection.
They operate at the Application layer of the OSI model.
They allow traffic into a network only if a corresponding request was sent from inside the network.
They can block traffic that contains specific web content.
Stateful firewalls allow traffic into a network only if a corresponding request was sent from inside the network. A
stateful firewall makes filtering decisions based on previous packets that have been sent. It does so by keeping
track of the state of each session. When an outbound session is initiated, the stateful firewall will create an
entry in the firewall’s state table and dynamically allow the return traffic in the inbound direction. Inbound traffic
from other sources will be blocked unless there is a corresponding outbound session listed in the state table.
Stateful firewalls are more secure than packet filtering firewalls, which make filtering decisions based on each
packet individually without regard to session state.
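The state-table behaviour described above can be seen in a few lines of code. The following is an added illustration, not code from the cert guide: a toy stateful firewall that records each outbound session and admits only matching return traffic, placed beside a stateless packet filter that must rely on a static rule to let replies in. The inside network (10.0.0.0/24), the outside hosts and the four sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed assumption: anything in 10.0.0.0/24 is the protected inside network.
INSIDE_PREFIX = "10.0.0."


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


# A session is keyed by the outbound 5-tuple.
FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Admits inbound packets only when they reverse a session already in the state table."""

    def __init__(self) -> None:
        self.state_table: Set[FlowKey] = set()

    def filter(self, pkt: Packet) -> str:
        outbound = is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip)
        if outbound:
            # Outbound session initiated from inside: record it so the reply can return.
            self.state_table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: the reply's 5-tuple is the outbound entry with source and destination swapped.
        reverse_key: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse_key in self.state_table else "deny"


class PacketFilter:
    """Stateless: judges every packet on its own against static rules, with no memory of sessions."""

    def __init__(self) -> None:
        # To let HTTPS replies back in, a stateless filter needs a standing rule such as
        # "permit tcp from source port 443 to any port >= 1024".  That rule cannot tell a
        # genuine reply from an unsolicited packet that merely uses source port 443.
        self.inbound_rules = [("tcp", 443, 1024)]

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src_ip):
            return "allow"
        for proto, src_port, min_dst_port in self.inbound_rules:
            if pkt.proto == proto and pkt.src_port == src_port and pkt.dst_port >= min_dst_port:
                return "allow"
        return "deny"


# Constructed traffic, in arrival order.
TRAFFIC: List[Packet] = [
    Packet("tcp", "10.0.0.5", 50000, "203.0.113.10", 443),  # inside host opens an HTTPS session
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 50000),  # the server's reply to that session
    Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 50000),  # unsolicited packet from another host
    Packet("tcp", "203.0.113.10", 443, "10.0.0.9", 50000),  # "reply" to an inside host that never asked
]


def run(firewall) -> List[str]:
    return [firewall.filter(p) for p in TRAFFIC]


def compare() -> Dict[str, List[str]]:
    return {"stateful": run(StatefulFirewall()), "stateless": run(PacketFilter())}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:9s} {decisions}")
```

Running it shows the difference the explanation describes: the stateful firewall allows the outbound request and its reply but denies the two inbound packets that match no state-table entry, while the stateless filter, having no session memory, admits all four because each one satisfies its static rule on its own.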
The primary purpose of a stateful firewall is not to hide the source of a network connection. If you want to hide
the source of a network connection, you should use a proxy firewall or implement Network Address Translation
(NAT) or Port Address Translation (PAT). A proxy firewall terminates the connection with the source device and
initiates a new connection with the destination device, thereby hiding the true source of the traffic. When the
reply comes from the destination device, the proxy firewall forwards the reply to the original source device. NAT
is used to translate private addresses used on an internal network to public addresses that are routable over
the Internet. Because NAT performs address translation between private and public addresses, NAT effectively
hides the address scheme used by the internal network, which can increase security. NAT also reduces the
number of public IP addresses that a company needs to allow its devices to access Internet resources, thereby
conserving IP version 4 (IPv4) address space.
Stateful firewalls do not operate at the Application layer of the Open Systems Interconnection (OSI) model. Both
stateful firewalls and packet filtering firewalls operate at the Network layer and the Transport layer of the OSI
model. Stateful firewalls and packet filtering firewalls do not understand Application layer data, so they cannot
filter traffic based on that data. For example, a stateful firewall cannot block traffic that contains specific web
content, because the stateful firewall does not understand Hypertext Transfer Protocol (HTTP) data.
CCNA Security 210-260 Official Cert Guide, Chapter 14, Stateful Packet Filtering, pp. 363-364