Zone-Based Policy Firewall changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface.
Note: Cisco IOS also has a system-defined self zone for traffic that terminates in the router's control plane. That traffic is permitted by default if you have no CoPP or CPPr policy.
When you implement ZBF, you can select four different actions in your policies:
Inspect: records the traffic's session information in the state table and forwards the traffic.
Pass: forwards the traffic without writing any session information to the state table.
Drop: drops the traffic.
Log: logs the traffic.
ZBF Configuration Steps:
! Create the security zones
R1(config)#zone security LOCAL-ZONE
R1(config)#zone security WAN-ZONE
! Assign interfaces to zones
R1(config)#interface fastEthernet 0/0
R1(config-if)#zone-member security LOCAL-ZONE
R1(config)#interface fastEthernet 0/1
R1(config-if)#zone-member security WAN-ZONE
! Select traffic with an ACL
R1(config)#ip access-list extended LOCAL-WAN
R1(config-ext-nacl)#permit ip any any
! Create the inspect class-map (match-all: the ACL and the protocol must both match)
R1(config)#class-map type inspect match-all LOCAL-WAN-CLASS
R1(config-cmap)#match access-group name LOCAL-WAN
R1(config-cmap)#match protocol ftp
! Create the policy-map and apply the inspect action to the class
R1(config)#policy-map type inspect LOCAL-WAN-POLICY
R1(config-pmap)#class type inspect LOCAL-WAN-CLASS
R1(config-pmap-c)#inspect
! Create a zone-pair and attach the policy to traffic from LOCAL-ZONE to WAN-ZONE
R1(config)#zone-pair security LOCAL-WAN-PAIR source LOCAL-ZONE destination WAN-ZONE
R1(config-sec-zone-pair)#service-policy type inspect LOCAL-WAN-POLICY
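The four actions listed earlier and the configuration just shown are easiest to understand by watching what happens to individual packets. The following Python model is an added illustration, not Cisco code and not part of the original page: it reproduces the zones, the LOCAL-ZONE to WAN-ZONE zone-pair and the match-all FTP class from the configuration above, and shows why inspect lets the FTP return traffic back in while pass does not. Log is modelled in its IOS keyword form (`pass log` / `drop log`). Three defaults are assumptions beyond the page's text: traffic between zones with no zone-pair is dropped, traffic between a zone member and an interface in no zone is dropped, and traffic between interfaces in the same zone is forwarded; self-zone traffic is permitted whenever no zone-pair covers it, which is the model's simplification of the note about the self zone. The interface names, IP addresses and flows are constructed sample data.

```python
"""Toy model of how a Cisco Zone-Based Firewall decides to forward a packet.

Added illustration, not Cisco code. Models zones, zone-pairs, the self zone and
the inspect / pass / drop actions (log as `pass log` / `drop log`). Assumed IOS
defaults: unpaired zones drop, zone member <-> non-member drops, same zone forwards.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

SELF = "self"  # system-defined zone: traffic terminating on the router itself


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp", "udp", "icmp"
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        """The return direction of this flow, as a stateful firewall expects it."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


Matcher = Callable[[Flow], bool]
Rule = Tuple[Matcher, str]        # (class-map matcher, action)
ACTIONS = {"inspect", "pass", "drop", "pass log", "drop log"}


def match_all(*conds: Matcher) -> Matcher:
    """class-map type inspect match-all: every match statement must hit."""
    return lambda f: all(c(f) for c in conds)


class ZoneFirewall:
    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {SELF: SELF}          # interface -> zone
        self.pairs: Dict[Tuple[str, str], List[Rule]] = {}   # (src, dst) zone-pair -> rules
        self.state: Set[Flow] = set()                        # sessions created by inspect
        self.syslog: List[str] = []

    def zone_member(self, iface: str, zone: str) -> None:
        self.zone_of[iface] = zone

    def zone_pair(self, src: str, dst: str, rules: List[Rule]) -> None:
        bad = [a for _, a in rules if a not in ACTIONS]
        if bad:
            raise ValueError(f"unknown action(s): {bad}")
        self.pairs[(src, dst)] = rules

    def decide(self, in_iface: str, out_iface: str, flow: Flow) -> str:
        src_zone, dst_zone = self.zone_of.get(in_iface), self.zone_of.get(out_iface)
        # 1. Return traffic of an inspected session is accepted from the state table.
        if flow in self.state:
            return "forward (state table)"
        # 2. Traffic that stays inside one zone is not policed by ZBF (assumed default).
        if src_zone is not None and src_zone == dst_zone:
            return "forward (same zone)"
        # 3. A zone member cannot exchange traffic with an interface in no zone (assumed default).
        if src_zone is None or dst_zone is None:
            return "drop (interface not in a zone)"
        rules = self.pairs.get((src_zone, dst_zone))
        if rules is None:
            # 4. Self-zone traffic is permitted by default; other unpaired zones drop.
            return "forward (self zone default)" if SELF in (src_zone, dst_zone) else "drop (no zone-pair)"
        # 5. First matching class wins; class-default drops.
        for matches, action in rules:
            if not matches(flow):
                continue
            if action.endswith("log"):
                self.syslog.append(f"{action} {src_zone}->{dst_zone} {flow}")
            if action == "inspect":
                self.state.update({flow, flow.reverse()})  # return traffic is now allowed
                return "forward (inspect, session created)"
            return "forward (pass, no session)" if action.startswith("pass") else "drop"
        return "drop (class-default)"


def build_page_topology(action: str = "inspect") -> ZoneFirewall:
    """The topology from the configuration above: LOCAL-ZONE -> WAN-ZONE, FTP only."""
    fw = ZoneFirewall()
    fw.zone_member("fa0/0", "LOCAL-ZONE")
    fw.zone_member("fa0/1", "WAN-ZONE")
    acl_local_wan: Matcher = lambda f: True                          # permit ip any any
    ftp: Matcher = lambda f: f.proto == "tcp" and f.dst_port == 21   # match protocol ftp
    fw.zone_pair("LOCAL-ZONE", "WAN-ZONE", [(match_all(acl_local_wan, ftp), action)])
    return fw


# Constructed sample flows (addresses are illustrative)
FTP = Flow("10.0.0.10", "198.51.100.5", "tcp", 40001, 21)
HTTP = Flow("10.0.0.10", "198.51.100.5", "tcp", 40002, 80)
SSH_IN = Flow("198.51.100.9", "10.0.0.10", "tcp", 51000, 22)
TELNET_TO_ROUTER = Flow("10.0.0.10", "10.0.0.1", "tcp", 40003, 23)


def demo(action: str = "inspect") -> Dict[str, str]:
    """Decisions for the sample flows; compare demo('inspect') with demo('pass')."""
    fw = build_page_topology(action)
    return {
        "ftp out": fw.decide("fa0/0", "fa0/1", FTP),
        "ftp return": fw.decide("fa0/1", "fa0/0", FTP.reverse()),
        "http out": fw.decide("fa0/0", "fa0/1", HTTP),
        "ssh in": fw.decide("fa0/1", "fa0/0", SSH_IN),
        "telnet to router": fw.decide("fa0/0", SELF, TELNET_TO_ROUTER),
    }


if __name__ == "__main__":
    for act in ("inspect", "pass"):
        print(act, demo(act))
```

Running `demo("inspect")` forwards the FTP request and its return packet, drops HTTP in class-default because the match-all class requires FTP, drops the unsolicited inbound SSH because no WAN-ZONE to LOCAL-ZONE zone-pair exists, and permits the Telnet to the router through the self zone. Swapping the action for `pass` still forwards the outbound FTP, but the return packet now hits "drop (no zone-pair)": without a state-table entry you would need a second zone-pair in the other direction.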
! ZBF verification
R1#show zone security
zone self
Description: System defined zone
zone LOCAL-ZONE
Member Interfaces:
FastEthernet0/0
zone WAN-ZONE
Member Interfaces:
FastEthernet0/1
R1#show class-map type inspect
Class Map type inspect match-all LOCAL-WAN-CLASS (id 1)
Match access-group name LOCAL-WAN
Match protocol ftp
!
R1#show policy-map type inspect
Policy Map type inspect LOCAL-WAN-POLICY
Class LOCAL-WAN-CLASS
Inspect ERROR
Class class-default
!
R1#show zone-pair security
Zone-pair name LOCAL-WAN-PAIR
Source-Zone LOCAL-ZONE Destination-Zone WAN-ZONE
service-policy LOCAL-WAN-POLICY
R1#show policy-map type inspect zone-pair
Zone-pair: LOCAL-WAN-PAIR
Service-policy inspect : LOCAL-WAN-POLICY
Class-map: LOCAL-WAN-CLASS (match-all)
Match: access-group name LOCAL-WAN
Match: protocol ftp
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
R1#show policy-map type inspect zone-pair sessions
Zone-pair: LOCAL-WAN-PAIR
Service-policy inspect : LOCAL-WAN-POLICY
Class-map: LOCAL-WAN-CLASS (match-all)
Match: access-group name LOCAL-WAN
Match: protocol ftp
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
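The `show policy-map type inspect zone-pair` output above is where the per-class session and drop counters live, which makes it the natural input for a periodic check. The parser below is an added example, not Cisco's or the page's own code: it turns that output into per-zone-pair, per-class records and then flags classes that are dropping packets or holding half-open sessions. The sample text is constructed to mirror the format shown above, with indentation and non-zero counters assumed so the checks have something to find.

```python
"""Parse `show policy-map type inspect zone-pair` output and audit the counters.

Added example, not Cisco code. The SAMPLE block is constructed to mirror the
output format shown on the page; counter values are made up for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Zone-pair: LOCAL-WAN-PAIR
 Service-policy inspect : LOCAL-WAN-POLICY
  Class-map: LOCAL-WAN-CLASS (match-all)
   Match: access-group name LOCAL-WAN
   Match: protocol ftp
   Inspect
    Session creations since subsystem startup or last reset 17
    Current session counts (estab/half-open/terminating) [3:1:0]
    Maxever session counts (estab/half-open/terminating) [5:2:1]
    Last session created 00:02:11
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 1
  Class-map: class-default (match-any)
   Match: any
   Drop (default action)
    42 packets, 3528 bytes
"""


@dataclass
class ClassStats:
    name: str
    match_type: str                      # match-all / match-any
    matches: List[str] = field(default_factory=list)
    action: Optional[str] = None         # Inspect / Pass / Drop
    session_creations: int = 0
    established: int = 0
    half_open: int = 0
    terminating: int = 0
    drop_packets: int = 0
    drop_bytes: int = 0


@dataclass
class ZonePairStats:
    name: str
    policy: Optional[str] = None
    classes: List[ClassStats] = field(default_factory=list)


_RE = {
    "pair": re.compile(r"^\s*Zone-pair:\s*(\S+)"),
    "policy": re.compile(r"^\s*Service-policy inspect\s*:\s*(\S+)"),
    "cls": re.compile(r"^\s*Class-map:\s*(\S+)\s*\((match-\w+)\)"),
    "match": re.compile(r"^\s*Match:\s*(.+?)\s*$"),
    "action": re.compile(r"^\s*(Inspect|Pass|Drop)\b"),
    "creations": re.compile(r"^\s*Session creations .*?(\d+)\s*$"),
    "current": re.compile(r"^\s*Current session counts .*\[(\d+):(\d+):(\d+)\]"),
    "counters": re.compile(r"^\s*(\d+) packets, (\d+) bytes"),
}


def parse_zone_pair_output(text: str) -> Dict[str, ZonePairStats]:
    """Line-oriented parse; state is the current zone-pair and the current class."""
    pairs: Dict[str, ZonePairStats] = {}
    pair: Optional[ZonePairStats] = None
    cls: Optional[ClassStats] = None
    for line in text.splitlines():
        if m := _RE["pair"].match(line):
            pair = pairs.setdefault(m.group(1), ZonePairStats(m.group(1)))
            cls = None
        elif pair is None:
            continue                      # ignore anything before the first zone-pair
        elif m := _RE["policy"].match(line):
            pair.policy = m.group(1)
        elif m := _RE["cls"].match(line):
            cls = ClassStats(m.group(1), m.group(2))
            pair.classes.append(cls)
        elif cls is None:
            continue
        elif m := _RE["match"].match(line):
            cls.matches.append(m.group(1))
        elif m := _RE["action"].match(line):
            cls.action = m.group(1)
        elif m := _RE["creations"].match(line):
            cls.session_creations = int(m.group(1))
        elif m := _RE["current"].match(line):
            cls.established, cls.half_open, cls.terminating = map(int, m.groups())
        elif m := _RE["counters"].match(line):
            cls.drop_packets, cls.drop_bytes = int(m.group(1)), int(m.group(2))
    return pairs


def audit(pairs: Dict[str, ZonePairStats], half_open_limit: int = 0) -> List[str]:
    """Findings worth a ticket: missing policy, drop counters moving, half-open build-up."""
    findings: List[str] = []
    for pair in pairs.values():
        if pair.policy is None:
            findings.append(f"{pair.name}: zone-pair has no inspect service-policy")
        for cls in pair.classes:
            if cls.action == "Drop" and cls.drop_packets:
                findings.append(f"{pair.name}/{cls.name}: {cls.drop_packets} packets dropped")
            if cls.half_open > half_open_limit:
                findings.append(f"{pair.name}/{cls.name}: {cls.half_open} half-open sessions")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_zone_pair_output(SAMPLE)):
        print(finding)
```

Drops in class-default are the most useful signal here: on the page's configuration they mean hosts in LOCAL-ZONE are trying something other than FTP towards WAN-ZONE, which is either a missing class in the policy or activity worth looking at. Feeding the real command output in place of `SAMPLE` is the only change needed to run this against a router.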