Zone Based Firewall
Reference: Cisco Docs: Secure DATA PLANE > Security Configuration Guide: Zone-Based Policy Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html
Configuring the Zone Based FW follows the same Modular QoS CLI (MQC) pattern used in QoS configuration: a class-map selects the traffic, a policy-map assigns an action to each class, and the policy is applied (here, to a zone pair rather than to an interface).
STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
STEP 2> Create an inspect type POLICY-MAP that matches the defined CLASS-MAP and INSPECTS it, and DROPS everything else (the class-default class):
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#inspect ?
  WORD  Parameter-map (inspect) name <-A PARAMETER MAP CAN BE DEFINED TO TUNE THE INSPECTION
  <cr>
(config-pmap-c)#inspect
(config-pmap-c)#exit
(config-pmap)#class class-default
(config-pmap-c)#drop
STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign each interface to its zone (the interface names below are placeholders; use your own):
(config)#zone security DMZ
(config)#zone security OUTSIDE
(config)#interface GigabitEthernet0/1 <-DMZ-FACING INTERFACE
(config-if)#zone-member security DMZ
(config)#interface GigabitEthernet0/0 <-OUTSIDE-FACING INTERFACE
(config-if)#zone-member security OUTSIDE
STEP 4> Set the POLICIES between each ZONE PAIR (a zone pair is unidirectional: this one governs sessions initiated from OUTSIDE toward the DMZ, and the inspect action permits only the return traffic of those sessions):
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY
#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
 Zone-pair: OUT-to-DMZ
  Service-policy inspect : OUTSIDE_POLICY
   Class-map: INSIDE (match-any)
    Match: protocol tcp
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol udp
     0 packets, 0 bytes
     30 second rate 0 bps
    Match: protocol icmp
     0 packets, 0 bytes
     30 second rate 0 bps
    Inspect
   Class-map: class-default (match-any)
    Match: any
    Drop
     0 packets, 0 bytes
A PARAMETER MAP can be created to tune the inspection: drop logging, alarm handling, maximum and minimum session counts, timeouts and similar settings. It is attached to a class in the policy-map with "inspect <parameter-map name>" (the WORD argument shown by "inspect ?" in step 2). For example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-SECONDS TO WAIT FOR A TCP SESSION TO REACH ESTABLISHED STATE AFTER THE SYN BEFORE THE HALF-OPEN SESSION IS DROPPED
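To tie the four steps and the parameter map together, here is an added Python example (not code from this page or from Cisco) that renders the complete ZBF configuration from a small declarative description and sanity-checks it before it is pushed. The dataclass and function names, the zone and interface names (GigabitEthernet0/0, GigabitEthernet0/1) and the protocol list are constructed placeholders. Beyond the page's single OUTSIDE-to-DMZ case it generalizes to any number of zones and pairs, always emits the class-default drop that "drop everything else" relies on, attaches an optional parameter-map to the inspect action, and flags the mistakes that most often leave traffic silently dropped: a zone pair that references an undefined zone or parameter-map, a zone with no member interfaces, a pair that inspects nothing, and a direction with no zone pair at all.

```python
"""Render and sanity-check a Cisco IOS zone-based firewall (ZBF) configuration
from a small declarative description.

Added example (Python), not code from the page or from Cisco: the dataclasses,
function names, zone and interface names and the protocol list are constructed
placeholders. Emitted commands follow the page's four steps: class-map ->
policy-map (inspect the class, drop the rest in class-default) -> zones and
interface membership -> unidirectional zone-pair with the service-policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ZonePair:
    name: str
    source: str
    destination: str
    inspect_protocols: List[str]            # protocols to inspect statefully
    parameter_map: Optional[str] = None     # parameter-map type inspect to attach


@dataclass
class ZbfDesign:
    zones: Dict[str, List[str]]             # zone name -> member interfaces
    pairs: List[ZonePair]
    parameter_maps: Dict[str, List[str]] = field(default_factory=dict)  # name -> settings


def render_zbf(design: ZbfDesign) -> List[str]:
    """Return the IOS configuration lines, in an order IOS accepts."""
    out: List[str] = []
    for name, settings in design.parameter_maps.items():   # referenced by policy-maps
        out.append(f"parameter-map type inspect {name}")
        out.extend(f" {s}" for s in settings)
    for p in design.pairs:                                  # STEP 1: class-maps
        out.append(f"class-map type inspect match-any {p.name}-CLASS")
        out.extend(f" match protocol {proto}" for proto in p.inspect_protocols)
    for p in design.pairs:                                  # STEP 2: policy-maps
        out.append(f"policy-map type inspect {p.name}-POLICY")
        out.append(f" class type inspect {p.name}-CLASS")
        out.append("  inspect" + (f" {p.parameter_map}" if p.parameter_map else ""))
        out.append(" class class-default")
        out.append("  drop log")                            # everything unmatched is dropped
    for zone, interfaces in design.zones.items():           # STEP 3: zones and membership
        out.append(f"zone security {zone}")
        for intf in interfaces:
            out.append(f"interface {intf}")
            out.append(f" zone-member security {zone}")
    for p in design.pairs:                                  # STEP 4: zone-pairs
        out.append(f"zone-pair security {p.name} source {p.source} destination {p.destination}")
        out.append(f" service-policy type inspect {p.name}-POLICY")
    return out


def validate(design: ZbfDesign) -> List[str]:
    """Return findings a reviewer would raise before pushing the config."""
    findings: List[str] = []
    directions = {(p.source, p.destination) for p in design.pairs}
    for zone, interfaces in design.zones.items():
        if not interfaces:
            findings.append(f"zone {zone} has no member interfaces")
    for p in design.pairs:
        for z in (p.source, p.destination):
            if z != "self" and z not in design.zones:       # 'self' is the router's built-in zone
                findings.append(f"zone-pair {p.name} references undefined zone {z}")
        if p.parameter_map and p.parameter_map not in design.parameter_maps:
            findings.append(f"zone-pair {p.name} references undefined parameter-map {p.parameter_map}")
        if not p.inspect_protocols:
            findings.append(f"zone-pair {p.name} inspects nothing: all {p.source}->{p.destination} traffic is dropped")
        if (p.destination, p.source) not in directions:
            # inspect only admits return traffic of sessions opened from the source zone
            findings.append(f"no zone-pair from {p.destination} to {p.source}: "
                            f"sessions initiated from {p.destination} toward {p.source} will be dropped")
    return findings


# Constructed sample matching the page's OUTSIDE -> DMZ, HTTP-only policy.
SAMPLE = ZbfDesign(
    zones={"OUTSIDE": ["GigabitEthernet0/0"], "DMZ": ["GigabitEthernet0/1"]},
    pairs=[ZonePair("OUT-to-DMZ", "OUTSIDE", "DMZ", ["http"], "eng-network-profile")],
    parameter_maps={"eng-network-profile": ["tcp synwait-time 3"]},
)

if __name__ == "__main__":
    print("\n".join(render_zbf(SAMPLE)))
    for f in validate(SAMPLE):
        print("! finding:", f)
```

Run it and the rendered configuration is the page's four steps in config-file form; the one finding it reports for the sample is the missing DMZ-to-OUTSIDE pair, which is exactly the situation where a DMZ host that needs to open its own sessions outbound finds them dropped with no policy hit to explain why.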