Module 10. Zone-Based Policy Firewalls - Coggle Diagram
ZPF Overview
There are two configuration models for Cisco IOS Firewall
Classic Firewall
The traditional configuration model in which firewall policy is applied on interfaces.
Zone-based Policy Firewall (ZPF)
The configuration model in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
ZPF Design
Designing ZPFs involves several steps:
Step 1. Determine the zones
Step 2. Establish policies between zones
Step 3. Design the physical infrastructure
Step 4. Identify subsets within zones and merge traffic requirements
Examples of ZPF designs:
Redundant Firewalls
LAN-to-Internet
Firewall with public servers - 1
Firewall with public servers - 2
Complex Firewall
Configure a ZPF
The topology shown in the figure will be used throughout the remainder of this topic to demonstrate ZPF configuration. The sequence of steps is not required. However, some configurations must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy. If you try to configure a section that relies on another portion of the configuration that you have not yet configured, the router responds with an error message.
Zone-Based Policy Firewall Configuration Steps
Step 1:
Create the zones.
The first step is to create the zones. However, before creating the zones, answer a few questions:
What interfaces should be included in the zones?
What will be the name for each zone?
What traffic is necessary between the zones and in which direction?
Step 2:
Identify traffic with a class-map.
A class is a way of identifying a set of packets based on their contents using "match" conditions. Typically, you define a class so that you can apply an action to the identified traffic that reflects a policy. A class is defined with class-maps.
Router(config)# class-map type inspect [match-any | match-all] class-map-name
Step 3:
Define an action with a policy-map.
The third step is to use a policy-map to define what action should be taken for traffic that is a member of a class. The example below shows the command syntax to configure a policy-map. An action is a specific functionality. It is typically associated with a traffic class. For example, inspect, drop, and pass are actions.
R1(config)# policy-map type inspect policy-map-name
R1(config-pmap)# class type inspect class-map-name
R1(config-pmap-c)# {inspect | drop | pass}
Step 4:
Identify a zone pair and match it to a policy-map.
The fourth step is to identify a zone pair and associate that zone pair to a policy-map. The example below shows the command syntax. Create a zone-pair with the zone-pair security command. Then use the service-policy type inspect command to attach a policy-map and its associated action to the zone-pair.
Router(config)# zone-pair security zone-pair-name source {source-zone-name | self} destination {destination-zone-name | self}
Router(config-sec-zone-pair)# service-policy type inspect policy-map-name
Step 5:
Assign zones to the appropriate interfaces.
The fifth step is to assign zones to the appropriate interfaces. Associating a zone to an interface will immediately apply the service-policy that has been associated with the zone. If no service-policy is yet configured for the zone, all transit traffic will be dropped. Use the zone-member security command to assign a zone to an interface, as shown in the example below.
Router(config-if)# zone-member security zone-name
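A complete LAN-to-Internet configuration that ties the five steps together in the order the dependencies require (class-map before policy-map, policy-map before zone-pair, zone-pair before zone-member). This is an added example, not a configuration from the course material; the zone, class-map, policy-map and interface names are assumed.

```cisco
! Step 1: create the two zones (names are assumed for this example)
zone security PRIVATE
 description Inside LAN
zone security PUBLIC
 description Internet-facing
!
! Step 2: identify the traffic to be inspected with a class-map
! match-any: a packet matching any one of the listed protocols is in the class
class-map type inspect match-any PRIVATE-TO-PUBLIC-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 3: define the action with a policy-map
! inspect = stateful inspection, so replies to these sessions are allowed back in
! class-default catches everything else; drop log records the rejected packets
policy-map type inspect PRIVATE-TO-PUBLIC-POLICY
 class type inspect PRIVATE-TO-PUBLIC-CLASS
  inspect
 class class-default
  drop log
!
! Step 4: bind the policy to a unidirectional zone-pair (PRIVATE -> PUBLIC)
! No PUBLIC -> PRIVATE zone-pair is defined, so unsolicited inbound traffic
! falls under the default inter-zone policy and is dropped
zone-pair security PRIVATE-PUBLIC source PRIVATE destination PUBLIC
 service-policy type inspect PRIVATE-TO-PUBLIC-POLICY
!
! Step 5: assign the interfaces to their zones (interface names are assumed)
! If Classic Firewall is in use, remove "ip inspect" from the interface first;
! expect a brief interruption until both interfaces are zone members
interface GigabitEthernet0/0
 zone-member security PRIVATE
interface GigabitEthernet0/1
 zone-member security PUBLIC
!
! Verification from privileged EXEC:
!  show zone security
!  show zone-pair security
!  show policy-map type inspect zone-pair sessions
```

Traffic between the router's own addresses and either zone is untouched by this configuration because no zone-pair involving the self zone is defined.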
ZPF Configuration Considerations
When configuring a ZPF with the CLI, there are several factors to consider:
The router never filters the traffic between interfaces in the same zone.
An interface cannot belong to multiple zones. To create a union of security zones, specify a new zone and appropriate policy map and zone pairs.
ZPF can coexist with Classic Firewall although they cannot be used on the same interface. Remove the ip inspect interface configuration command before applying the zone-member security command.
Traffic can never flow between an interface assigned to a zone and an interface without a zone assignment. Applying the zone-member configuration command always results in a temporary interruption of service until the other zone-member is configured.
The default inter-zone policy is to drop all traffic unless otherwise specifically allowed by the service-policy configured for the zone-pair.
The zone-member command does not protect the router itself (traffic to and from the router is not affected) unless the zone-pairs are configured using the predefined self zone.
ZPF Operation
Rules for Transit Traffic
The rules depend on whether or not the ingress and egress interfaces are members of the same zone:
If neither interface is a zone member, then the resulting action is to pass the traffic.
If both interfaces are members of the same zone, then the resulting action is to pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the resulting action is inspect, allow, or drop as defined by the policy.
ZPF Actions
Pass
This is analogous to a permit statement in an ACL. The pass action does not track the state of connections or sessions within the traffic.
Drop
This is analogous to a deny statement in an ACL. A log option is available to log the rejected packets.
Inspect
This performs Cisco IOS stateful packet inspection.
Rules for Traffic to the Self Zone
The self zone is the router itself and includes all of the IP addresses assigned to the router interfaces. This is traffic that originates at the router or is addressed to a router interface. Specifically, the traffic is either for device management, for example SSH, or traffic forwarding control, such as routing protocol traffic. The rules for a ZPF are different for the self zone. For the self zone traffic example, refer to the topology shown in the previous figure.