A stateful firewall is a firewall that assesses the state and context of active network connections. Also known as dynamic packet filters, stateful firewalls gather information that determines whether or not to allow packets across the network boundary.

Stateful firewalls operate at Open Systems Interconnection layers 3 and 4 (the Network and Transport layers of the OSI model). They work well with TCP and UDP protocols, filtering web traffic entering and leaving the network. And they deliver much more control than stateless firewall tools. As a result, stateful firewalls are a common and effective cybersecurity solution.

How does a stateful firewall work?

When we talk about how stateful inspection works, the two key concepts are state and context.


"State" refers to information about the status of data packets. With TCP, this includes SYN, ACK, and FIN flags. Firewalls identify status markers and store state information in regularly updated tables. The firewall then uses this information to compare the state of active network connections. It actively assesses where the request is safe, and whether to allow network access.


"Context" refers to information about the origin and identity of data packets. This could include Internet Protocol (IP) addresses, sequence codes, destination addresses, and port data. Stateful inspection stores this metadata in tables. The firewall combines it with state information to create a detailed profile for each connection request.

Stateful firewalls gather data about all active connections. The firewall assesses incoming packets by comparing them with stored information. If the information on the packet matches a safe profile definition, the firewall will approve the transfer.

Stateful firewalls also apply packet inspection for incoming traffic. Packet inspection looks inside each packet to assess the contents. If the packet contains malicious code, the firewall blocks access. The firewall also compares current transfers with previous transmissions on the same network. This provides extra context to decide whether to block or admit traffic.

The way stateful firewalls work differs slightly depending on the protocol being used:

Transmission Control Protocol (TCP)

TCP is both a stateful protocol and a connection-oriented protocol. Each packet comes with detailed state information, making the task of the firewall easier. The firewall operates throughout the TCP handshake process. It logs state information from the first SYN command to the FIN operation to conclude the TCP session. This provides a comprehensive profile of the transfer during data transmission.

File Transfer Protocol (FTP)

FTP is also a stateful protocol. Firewalls log data from the control channel. This verifies whether the FTP request is valid and includes data like the source and destination of file transmissions. The firewall applies packet inspection to the data channel during file transfers, screening traffic for suspicious content.

User Datagram Protocol (UDP) or HTTP

Other protocols like UDP and HTTP are stateless. This means packets carry less information. But the firewall can still utilize contextual information about ports, IP addresses, and device profiles. In this case, firewall protection is deemed to be "pseudo-stateful." Nevertheless, stateful inspection delivers greater control and security than stateless alternatives.

Stateful vs. stateless firewalls

Stateful firewalls emerged as a development from stateless firewalls. The two types have co-existed since the 1990s, and there is still a case for using stateless versions in some situations. So it's important to know how the two types work and their respective strengths and weaknesses.

What is a stateless firewall?

Stateless firewalls apply rule sets to incoming traffic. These rules define legitimate traffic. If data conforms to the rules, the firewall deems it safe. Packets can therefore pass into (or away from) the network.

While stateful firewalls analyze traffic, stateless firewalls classify traffic. This is a less precise way of assessing data transfers. Even so, a quick comparison of the two firewall types shows that stateless versions have some important use cases.

Comparison table of Stateful firewalls vs Stateless firewalls

Stateful firewalls

  • Use packet inspection to determine the type of traffic and packet contents. This delivers greater certainty when admitting or denying access.

  • Stores information from every access request in stateful tables. This information provides context to inform future decisions.

  • Can be vulnerable to DDoS or other attacks involving floods of malicious data.

  • Rely on single locations to process access requests. This can make stateful firewalls a less flexible solution.

  • Extra functionality can result in higher costs, although the cost of stateful firewalls decreases all the time.

  • Generally offer greater security protection. Deep packet inspection and contextual data catch more threats before they can damage network assets.

Stateless firewalls

  • Cannot separate different traffic types. This firewall type can only "see" surface information on each packet. They cannot tell whether transfers use HTTP, FTP, or SSH protocols.

  • Do not store any information about access requests and assess packets individually. Firewall protection applies no contextual information when handling data.

  • Perform well with high traffic volumes due to basic processes. Less vulnerable to DDoS attacks.

  • No single location. Firewalls can operate across different servers with ease.

  • Generally cost-effective. Potentially well-suited to small business needs.

  • Potentially less secure. Stateless firewalls may admit malicious traffic due to their basic inspection capabilities.

Put simply, stateful firewalls provide in-depth control and granular security. Stateless firewalls are simple and lightweight. But they create a less robust barrier between network assets and external threats.

What is stateful inspection in networking?

The final aspect of stateful firewalls to consider is how they fit into practical network contexts.

The most important capability here is stateful inspection or dynamic packet filtering. This involves inspecting every data packet entering the network to verify its identity and contents. Stateful filtering is dynamic. It learns from previous transfers and uses contextual data to make future decisions more accurate.

Stateful inspection contrasts with static packet filtering. Static inspection can only assess packet headers or information like the source and destination of packets. It can admit or deny requests if packets breach predefined rules, but stateful inspection provides much more detail. In most cases this results in a greater degree of network security.