08-09-2017 01:10 AM
I am configuring vRouter 5600 (5.2R5), especially the interface-based firewall.
I have heard of a specification change regarding the stateful firewall from Release 5.1
(the vRouter with the stateful firewall feature enabled globally doesn't generate accept rules automatically for the return packets which arrive at the outside interface).
I have a question about the firewall configuration to permit traffic initiated by vRouter itself.
(such as NTP, dns lookup, icmp, ssh login to other routers)
When the above types of communication are initiated, they bypass the "local" firewall and the "in" firewall, and then the return packets are dropped by the
"local" firewall or the "in" firewall.
If I add accept rules for the return packets, this traffic is no longer dropped, but I want to avoid this configuration because it's complicated.
Is it possible to configure the firewall to accept return packets without adding accept rules?