Please enable JavaScript.

Coggle requires JavaScript to display documents.

10.-Zone-Based Policy Firewalls - Coggle Diagram

- - - - Inspect - This performs Cisco IOS stateful packet inspection.
      - Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
      - Pass - This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
  - - - The rules depend on whether or not the ingress and egress interfaces are members of the same zone:
        
        If neither interface is a zone member, then the resulting action is to pass the traffic.
        
        If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
        
        If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
        
        If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.
- - - - Zone-based Policy Firewall (ZPF) - The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
      - Classic Firewall - The traditional configuration model in which firewall policy is applied on interfaces.
    - - It is not dependent on ACLs.
      - The router security posture is to block unless explicitly allowed.
      - Policies are easy to read and troubleshoot with the Cisco Common Classification Policy Language (C3PL). C3PL is a structured method to create traffic policies based on events, conditions, and actions. This provides scalability because one policy affects any given traffic, instead of needing multiple ACLs and inspection actions for different types of traffic.
      - Virtual and physical interfaces can be grouped into zones.
      - Policies are applied to unidirectional traffic between zones.