Zone-Based Policy Firewalls
ZPF Overview
Benefits of a ZPF
There are two configuration models for Cisco IOS Firewall
Classic Firewall
The traditional configuration model in which firewall policy is applied on interfaces.
Zone-based Policy Firewall (ZPF)
The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
ZPF Design
Firewall with public servers
Redundant Firewalls
LAN-to-Internet
Complex Firewall
ZPF Operation
Rules for Transit Traffic
Traffic transiting through router interfaces is subject to several rules governing interface behavior.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
If neither interface is a zone member, then the resulting action is to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.
Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to the router interfaces. This is traffic that originates at the router or is addressed to a router interface. Specifically, the traffic is either for device management, for example SSH, or traffic forwarding control, such as routing protocol traffic. The rules for a ZPF are different for the self zone.
ZPF Actions
Policies identify actions that the ZPF will perform on network traffic. Three possible actions can be configured to process traffic by protocol, source and destination zones (zone pairs), and other criteria.
Drop - This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
Pass - This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
Inspect - This performs Cisco IOS stateful packet inspection.
Configure a ZPF
The topology shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration. The steps do not have to be completed in this exact sequence. However, some configurations must be completed in order. For instance, you must configure a class-map before you assign it to a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy. If you try to configure a section that relies on another portion of the configuration that you have not yet configured, the router responds with an error message.
Step 1: Create the zones.
Step 2: Identify traffic with a class-map.
Step 3: Define an action with a policy-map.
Step 4: Identify a zone pair and match it to a policy-map.
Step 5: Assign zones to the appropriate interfaces.
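The five steps as one worked LAN-to-Internet configuration, added here as an example and not taken from the page or from Cisco documentation. The zone, class-map, policy-map and zone-pair names, and the topology (GigabitEthernet0/0 on the inside, GigabitEthernet0/1 facing the Internet), are assumptions.

```cisco
! Step 1: Create the zones (names assumed for this example)
zone security INSIDE
zone security OUTSIDE
!
! Step 2: Identify traffic with a class-map
! match-any: a packet matches if it carries ANY of the listed protocols
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 3: Define an action with a policy-map
! inspect = stateful inspection, so return traffic for these sessions is
! allowed back in; class-default catches everything else and drops it,
! with logging so rejected packets are visible to the SOC
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 4: Identify a zone pair and attach the policy-map to it
! Only INSIDE -> OUTSIDE is defined. With no OUTSIDE -> INSIDE zone-pair,
! unsolicited inbound traffic is dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Step 5: Assign zones to the interfaces
! Once an interface is a zone member, traffic between it and any
! non-member interface is dropped (transit rule above), so every
! interface that must forward traffic needs a zone assignment.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Verification (run from privileged EXEC):
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

Check the zone-pair output to confirm the policy is attached, and the sessions output to confirm that inside-initiated HTTP or DNS traffic is creating inspected sessions while nothing appears for inbound-initiated connections.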