Every inbound packet is inspected against the Adaptive Security Algorithm and the connection state information to decide whether to allow or deny the packet. Like the PIX and ASA Security Appliance, a stateful firewall checks the state of a packet as follows:
If the arriving packet is part of a new connection, the Adaptive Security Algorithm checks the packet against access lists and performs other routine tasks (such as route lookup) to determine whether the packet is allowed or denied. The session management path is responsible for performing the following:
Perform the access list checks
Perform route lookups
Allocate NAT translations (xlate table)
Establish the session in the "fast path"
Packets are then passed on to the control plane path, which examines the payload for application-level (Layer 7) inspection.
Is this an established connection?
If the arriving packet is part of an existing connection, the Adaptive Security Algorithm does not reexamine the packet, and matching packets in the established connection table can go through the fast path in both directions. The fast path is responsible for performing the following checks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
In some instances, established session packets must continue to go through the session management path or the control plane path for protocols that require Layer 7 inspection. For example, HTTP packets requiring content filtering need to go through the session management path.
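The split between the two paths can be modelled in a few lines. The following is an added example, not Cisco code: the class name, ACL entry, route, mapped address and sequence window are all constructed for illustration, and header rewriting and Layer 7 inspection are left out.

```python
# Toy model of the two paths; ACL, route, mapped address and window are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PERMIT_ACL = [(ip_network("10.1.1.0/24"), 443)]   # anything else: implicit deny
ROUTES = [ip_network("198.51.100.0/24")]
MAPPED_IP, WINDOW = "203.0.113.10", 65535

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    checksum_ok: bool = True

class StatefulFirewall:
    def __init__(self):
        self.sessions = {}     # flow 4-tuple -> last accepted sequence number
        self.xlate = {}        # (inside ip, port) -> (mapped ip, port)
        self.next_port = 1024

    def process(self, p):
        """Return (verdict, path or deny reason) for one TCP packet."""
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.sessions:                          # session lookup
            return self._fast_path(p, flow)
        # Session management path: ACL check, route lookup, xlate, session setup.
        if not any(ip_address(p.src) in net and p.dport == port
                   for net, port in PERMIT_ACL):
            return ("deny", "acl")
        if not any(ip_address(p.dst) in route for route in ROUTES):
            return ("deny", "no-route")
        inside = (p.src, p.sport)
        if inside not in self.xlate:                       # allocate NAT translation
            self.xlate[inside] = (MAPPED_IP, self.next_port)
            self.next_port += 1
        self.sessions[flow] = p.seq                        # forward direction
        self.sessions[(p.dst, p.dport) + self.xlate[inside]] = None  # return direction
        return ("allow", "session-management")

    def _fast_path(self, p, flow):
        if not p.checksum_ok:                              # IP checksum verification
            return ("deny", "checksum")
        last = self.sessions[flow]                         # None until first reply seen
        if last is not None and (p.seq - last) % 2**32 > WINDOW:
            return ("deny", "tcp-seq")                     # TCP sequence number check
        self.sessions[flow] = p.seq
        return ("allow", "fast-path")
```

Only the first packet of a flow is evaluated against the access list; replies addressed to the mapped address and port match the session table and skip it, while an unsolicited packet to the same mapped address from a different peer falls back to the access list and is denied.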