TCP session establishment over Cisco PIX/ASA

TCP is a connection-oriented protocol. When a session from a more secure host inside the security appliance is started, the security appliance creates an entry in the session state filter. The security appliance is able to extract network sessions from the network flow and actively verify their validity in real time.
When a TCP session is established over the security appliance, the following happens:
Step 1 The first IP packet from an inside host causes the generation of a translation slot. The embedded TCP information is then used to create a connection slot in the security appliance.
Step 2 The connection slot is marked as embryonic (not established yet).
Step 3 The security appliance randomizes the initial sequence number of the connection, stores the delta value, and forwards the packet onto the outgoing interface. The security appliance now expects a synchronization-acknowledgment (SYN-ACK) packet from the destination host. Then the security appliance matches the received packet against the connection slot, computes the sequencing information, and forwards the return packet to the inside host.

Step 4 The inside host completes the connection setup, the three-way handshake, with an ACK.
Step 5 The connection slot on the security appliance is marked as connected, or active/established, and data is transmitted. The embryonic counter is then reset for this connection.
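The five steps above as a small Python model, added here as an example and not code from the page or from Cisco: a connection slot is created on the inside host's SYN, marked embryonic, its ISN is randomized and the delta stored, the SYN-ACK is matched against the slot and its ACK number mapped back, and the inside host's ACK moves the slot to established. The class and field names, the dict packet format, and treating the embryonic counter as a count of half-open slots are assumptions of this model; the packets in the test are constructed.

```python
import random
from dataclasses import dataclass

MASK = 0xFFFFFFFF   # TCP sequence numbers wrap at 32 bits

@dataclass
class ConnSlot:
    """One connection slot in the appliance's state table (constructed model)."""
    state: str = "embryonic"   # embryonic until the inside host's final ACK
    delta: int = 0             # randomized ISN minus the inside host's real ISN

class StatefulFirewall:
    def __init__(self, rng=None):
        self.rng = rng if rng is not None else random.SystemRandom()
        self.slots = {}      # (in_ip, in_port, out_ip, out_port) -> ConnSlot
        self.embryonic = 0   # half-open connections not yet established

    def inbound_to_outside(self, pkt):
        """Packet from the more secure inside host heading out."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == {"SYN"} and key not in self.slots:
            # Steps 1-3: create the slot, mark it embryonic, randomize the ISN
            slot = ConnSlot()
            new_isn = self.rng.getrandbits(32)
            slot.delta = (new_isn - pkt["seq"]) & MASK
            self.slots[key] = slot
            self.embryonic += 1
            return {**pkt, "seq": new_isn}
        slot = self.slots.get(key)
        if slot is None:
            return None      # no slot for this flow: the packet is dropped
        if slot.state == "embryonic" and "ACK" in pkt["flags"]:
            # Steps 4-5: handshake completes, slot becomes established
            slot.state = "established"
            self.embryonic -= 1
        return {**pkt, "seq": (pkt["seq"] + slot.delta) & MASK}

    def inbound_from_outside(self, pkt):
        """Return packet from the outside host, matched against the slot."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        slot = self.slots.get(key)
        if slot is None:
            return None      # unsolicited packet, no matching slot: dropped
        if slot.state == "embryonic" and pkt["flags"] != {"SYN", "ACK"}:
            return None      # only a SYN-ACK is expected on an embryonic slot
        # Map the ACK number back into the inside host's original sequence space
        return {**pkt, "ack": (pkt["ack"] - slot.delta) & MASK}
```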
