Stateless firewalls
A stateless firewall (or packet filter) evaluates each packet independently against a fixed set of rules based on attributes like source and destination address, port and protocol. It has no memory of previous packets.
This makes stateless filtering extremely fast and lightweight, but also blunt: because it cannot tell whether a packet belongs to an established, legitimate connection, the rule set must be broader and is easier to misconfigure.
Stateful firewalls
A stateful firewall maintains a state table tracking active connections. When it sees a packet, it considers whether that packet is part of an existing, legitimate session — not just whether it matches a static rule.
This connection awareness allows tighter, more accurate rules: you can permit a connection to be initiated in one direction and automatically allow the return traffic, without opening broad bidirectional holes. Virtually all modern enterprise firewalls, including FortiGate, are stateful.
Key differences at a glance
- Inspection: stateless examines packets in isolation; stateful tracks whole connections
- Security: stateful enables tighter, context-aware rules; stateless requires broader rules
- Performance: stateless is lighter; stateful uses more memory for the state table
- Use case: stateless suits simple, high-throughput filtering; stateful suits general security enforcement
Which should you use?
For almost all security enforcement, stateful is the right choice and the modern default — its connection awareness is essential to least-privilege rule design. Stateless filtering still has a place for simple, high-volume tasks like coarse edge ACLs.
Whichever you run, the rules still need review. A stateful firewall makes good configuration possible, but it does not guarantee it — overly permissive stateful rules are just as dangerous, which is why regular firewall review matters regardless of type.