Zone Based Firewall Quick Tips

Quick Tips 8/4/09–Zone based firewalls.

Zone based firewalls are incredibly flexible, but with flexibility comes complexity.

When inspecting, there is a process that is used to determine what type of inspection should be performed on a flow.

When inspecting, keep in mind how the match will influence the inspection.  When a flow is evaluated against the class-map, it is inspected according to whichever criterion produces a positive match, once there is enough information to arrive at one.

match only access-group — inspect based on the PAM table

match not protocol — inspect based on the PAM table

match protocol tcp — inspect TCP only, even if an L7 inspector exists

If there is only an acl, the inspection will be done based on the PAM table.  If no PAM entry exists, a generic L3/L4 inspection will be performed.

If there is a PAM entry, it will be inspected based on the entry.  For example, tcp port 80 would be inspected as http.

If the match statement that is positive in the class-map is an L3/L4 entry, it will use the inspection that matches that match statement.  For example, match protocol tcp will result in tcp/80 traffic being inspected only to layer 4 (TCP).

An entry of “match not protocol” does not yield protocol information and thus would go to the PAM table for inspection, unless there is more criteria to be matched and it results in protocol information.

ip inspect log drop-pkt — this command has always been your friend.  However, in ZBF I would say this is even more important.  It yields very good information for locating where traffic is dropped.

I hate aliases in general.  However, in ZBF it will save a lot of time to use this one:

alias exec pzp show policy-map type inspect zone-pair

show policy-map type inspect zone-pair sessions = show ip inspect sessions

You can still use an access-list to quickly block a host.  Don’t forget the implicit deny after the last ACE.  Outbound ACLs are applied after ZBF; inbound ACLs are applied before ZBF.

To inspect traffic to or from the router itself, use the self zone.  Once a policy is attached to a zone-pair involving the self zone, every flow the router needs in that direction must be explicitly permitted by that policy.
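As an added example that is not from the post, the following IOS configuration puts the match rules above (access-group only versus match protocol tcp, applied to the same tcp/80 flow) and the self-zone rule side by side; every zone, class, policy, ACL and interface name here is made up.

```cisco
! Constructed example (not from the post): the two match patterns the tips
! describe, applied to the same tcp/80 flow, plus a self-zone policy.
ip inspect log drop-pkt
zone security INSIDE
zone security OUTSIDE
ip access-list extended ACL-WEB
 permit tcp 10.1.1.0 0.0.0.255 any eq 80
!
! Only an access-group match: the ACL carries no protocol information, so the
! firewall consults the PAM table and inspects tcp/80 as http (layer 7).
! Swap this class into PM-IN-OUT to get L7 http inspection.
class-map type inspect match-all CM-WEB-PAM
 match access-group name ACL-WEB
!
! "match protocol tcp" is the positive match here: the same tcp/80 flow is
! inspected only to layer 4, even though an http L7 inspector exists.
class-map type inspect match-all CM-WEB-L4
 match access-group name ACL-WEB
 match protocol tcp
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-WEB-L4
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! Self zone: once a policy is attached, traffic the router itself needs
! (here SSH management and OSPF from INSIDE) must be explicitly permitted.
ip access-list extended ACL-OSPF
 permit ospf any any
class-map type inspect match-any CM-MGMT
 match protocol ssh
class-map type inspect match-all CM-OSPF
 match access-group name ACL-OSPF
policy-map type inspect PM-SELF
 class type inspect CM-MGMT
  inspect
 class type inspect CM-OSPF
  pass
 class class-default
  drop log
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect PM-SELF
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

With ip inspect log drop-pkt enabled, anything that falls into a class-default drop log shows up in the log, which is the quickest way to confirm which zone-pair is discarding a flow.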

A good presentation on ZBF can be found here.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.