What is ZBPF?

--> Zone-Based Policy Firewall allows you to configure stateful firewall implementation on IOS Routers.

--> Supports deep packet inspection.

--> Zone-Based Policy Firewall works on the concept of logical security zones.

--> Security Zones is a logical segmentation of the network and it can be of two types,

1) System-defined Zone: Self Zone ( cannot be changed or deleted)

--> Responsible for the traffic destined to the router or initiated by the router.

--> Management plane or control plane traffic.

--> Allowed from any user-defined zone to system defined zone.

--> This behavior can be changed with the help of Policy.

2) User-defined Zone

--> Can be created or deleted by the administrator.

--> Traffic Passing via the router.

--> Each and every zone can have one or more interfaces attached to it.

--> By default, traffic within the same zone is allowed and traffic between two different zones is

blocked.

--> Firewall policies are built between security zones.

--> Zone-Based Policy firewall configuration is done based upon Cisco Common Classification
Policy Language.



Steps:

1) Create Security Zones

Router(config)# zone security Inside

Router(config)# zone security Outside

2) Assign Security Zones on the Interfaces.

Router(config)# int fa0/0

Router(config-if)# Zone-member security Inside

Router(config)# int fa0/1

Router(config-if)# Zone-member security Outside

Note: Configuring security zones on Interfaces creates the issues in the production network, as the

traffic between two different zones is blocked by default.

3) specify the traffic that to be inspected by the firewall with the help  of class maps ( Layer 4 

class maps uses ACL for traffic classification, Layer 7 for deep inspection)


Router(config)# Class-map type inspect matchany allowhttpaccess


Router(config)# match protocol http


Router(config)# exit


4) Configure the policy map to apply the action on the traffic that is matched using class map.

Router(config)# policy-map type inspect allowhttpaccess


Router(config)# class type inspect allowhttpaccess


Router(config)# inspect


Router(config)# exit


Note: Policy map actions are divided into following types,

1) Inspect -- Allow the connection and create entry in the state table of the router.

2) Allow -- Allow the connection but does not creates entry in the state table of the router.

3) Drop -- Block the connection.

4) Log-log the packets in allow/drop actions.

5) Police -- Traffic Policing the packets.


5) Create a Zone pair to apply the firewall policy which is created.

Router(config)# zone-pair security InsidetoOutside source Inside destination Outside

Router(config)#service-policy type inspect allowhttpaccess

Router(config)#exit

Verification : 

# show policy-map type inspect zone-pair InsidetoOutside

# show zone security

# show policy-firewall config zone

# show zone-pair security

Md.Kareemoddin

CCIE # 54759

0 Comments