A stateful firewall, such as a FortiGate, controls TCP sessions by maintaining a state table. When the first packet of a new session (a TCP SYN packet) arrives, the firewall creates a session entry. It then monitors the TCP flags to track the connection's state through the three-way handshake (SYN, SYN-ACK, ACK) and termination (FIN/RST). Concurrently, the firewall validates the TCP sequence numbers of subsequent packets to ensure they fall within the expected window for that session. This combined inspection of both flags and sequence numbers allows the firewall to verify that each packet is a legitimate part of an established conversation, thereby preventing out-of-state packets and session hijacking attacks.

A. TCP ack numbers are only one part of the validation process and are always checked in conjunction with sequence numbers and flags, not used alone to control the session.

B. TCP source ports are used to identify a specific session (as part of the 5-tuple), but they do not govern the state or progression of the session itself.

C. TCP destination ports are used to identify a specific session (as part of the 5-tuple), but they do not govern the state or progression of the session itself.

1. Fortinet NSE 4 - FortiGate Infrastructure 7.2 Study Guide

Chapter: Firewall Policies

Section: "Session Table"

Page 41: "FortiGate is a stateful firewall... For TCP

FortiGate also checks the TCP state. For example

if FortiGate receives a TCP packet with the ACK flag set

but there is no existing session for that packet

FortiGate drops it." This confirms the use of TCP flags for state control.

2. Fortinet NSE 4 - FortiGate Infrastructure 7.2 Study Guide

Chapter: Firewall Policies

Section: "TCP Session Helpers"

Page 43: "FortiGate tracks TCP sessions by checking the sequence numbers in each packet." This confirms the use of TCP sequence numbers for session validation.

3. RFC 793: Transmission Control Protocol

Section 3.3: Sequence Numbers

and Section 3.4: Establishing a Connection. This foundational document details how TCP uses flags (SYN

ACK) and initial sequence numbers to establish and maintain a connection's state

which is the very logic a stateful firewall must enforce.

4. Piscitello

D. & Chapin

A. L. (1993). Open Systems Networking: TCP/IP and OSI. Addison-Wesley. In discussions on stateful packet filtering

the text explains that firewalls must track the TCP connection state machine

which is fundamentally defined by the exchange of control flags (SYN

FIN

etc.) and the validation of sequence numbers to ensure session integrity.