Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Application Inspection of ZBF Router

Hello there,

I just wanna verify what I've learned about:

Stateful Inspection (packet filtering up to L5)  and

Application Inspection (packet filtering up to L7)

Regarding an IOS ZBF (IOS ver 12.4(20)T on a router, do these commands implement Application Inspection ?

(I mean: do they satisfy a protocol like ftp and enable the router to learn about dynamic ports and unwanted activities?)

class-map type inspect match-any CM

match protocol ftp

match protocol http

policy-map type inspect PM

   class type inspect CM

   inspect

zone-pair security IN-OUT source inside destination outside

service-policy type inspect PM


or  do they implement Stateful Inspection only ? if so yes, how to add  Application Inspection feature (on ftp traffic ,for example)?

1 more question, is "application-specific matching" another expression of "application inspection feature" ?

thanks !

2 ACCEPTED SOLUTIONS

Accepted Solutions
Purple

Re: Application Inspection of ZBF Router

Hi,

match protocol is using PAM entries( show ip port-map) to categorize traffic and the inspect keyword in the policy-map is for enabling stateful inspection. Now according to Cisco:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-0FA87F61-EC84-44BC-B2FD-7DFE01F9AC39

Layer 7 Class Maps and Policy Maps

Layer 7 class maps can be used in inspect policy maps only for  deep packet inspection (DPI). The DPI functionality is delivered through  Layer 7 class maps and policy maps.

To create a Layer 7 class map, use the            class-map              type              inspect command for the desired protocol. For example, for the HTTP protocol, enter the            class-map              type              inspect              http command.

The type of class map (for example, HTTP) determines the match  criteria that you can use. If you want to specify HTTP traffic that  contains Java applets, you must specify a “match response body java”  statement in the context of an “inspect HTTP” class map.

A Layer 7 policy map provides application level inspection of traffic. The policy map can include class maps of the same type.

To create a Layer 7 policy map, specify the protocol in the                          policy-map              type              inspect command. For example, to create a Layer 7 HTTP policy map, use the            policy-map              type              inspect              http              policy-map-name command. Enter the name of the HTTP policy-map for the            policy-map-name argument.

If you do not specify a protocol name (for example, if you use the            policy-map              type              inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

A Layer 7 policy map must be contained in a Layer 3 or Layer 4  policy map; it cannot be attached directly to a target. To attach a  Layer 7 policy map to a top-level policy map, use the            service-policy  command and specify the application name (that is, HTTP, Internet  Message Access Protocol [IMAP], Post Office Protocol, version 3 [POP3],  Simple Mail Transfer Protocol [SMTP], or SUN Remote Procedure Call  [SUNRPC]). The parent class for a Layer 7 policy should have an explicit  match criterion that matches only one Layer 7 protocol before the  policy is attached.

If the Layer 7 policy map is in a lower level, you must specify the            inspect action at the parent level for a Layer 7 policy map.

So there is indeed a difference between a L3-L4 inspection and a L7 inspection according to this document.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Hello Cadet,

How are you man?

I am not with Cisco any more, I moved to a different company last week actually

Now, as we all know there has been always problems with some Cisco documentation (I have found at least 2 documentation bugs related to ZBFW).

At the end all comes to this:

if you use a class-map as follows

ip access-list extended test

permit tcp any any eq 21

class-map type inspect test

match access-group name test

You are basically telling the router whenever you see  a packet with TCP destination port 21, it's a match for this class-map

And U have a policy like this

policy-map type inspect In-out

class test

inspect

You will be inspecting that traffic but what the router will care about is:

Just inspect traffic that matches destination port 21.

If you do it like this instead

class-map type inspect test

match protocol ftp

The router will now inspect the traffic as FTP traffic not just as TCP destination port 21.

That's it

Hope that I explained it properly

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
13 REPLIES

Application Inspection of ZBF Router

Hello Odysious,

When you match traffic on a class-map with the match protocol http or ftp you are indeed matching a L7 protocol so when you inspect this class-map on a policy-map you will be handeling a L7 policy-map which means application stateful (so if a protocol like FTP that uses additional channels the Router will be able to open the right pinholes).

I hope I was clear hehe

Let me know anyway

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Application Inspection of ZBF Router

Julio,

Refering to the following doc, I think you're wrong. L7 inspection uses "parameter-maps" or something like that.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Actually that doc is too tough to me and I can't get the answer from it. I know it's there, but it's very hard to me to find it.

Re: Application Inspection of ZBF Router

Hello,

No I am not.. 101 % sure about it!.

You use parameter-maps, L7 class maps and L7 policy-maps in order to do specific L7 tasks such as blocking files that contains certaing strings or block websites, etc. etc.

But still matching traffic with a match protocol and using the keyword inspect will be a l7 action as the router will get into the content of the packets to make sure the protocol is honored.

Hey remember to rate all of the helpful posts,

If you do not know how, just let me know.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Application Inspection of ZBF Router

Have u looked at the example in the above maintioned link ?

  1. Define class-maps that describe the traffic that you want to permit             between zones, according to policies described earlier:

    conf t
     class-map type inspect match-any internet-traffic-class
      match protocol http  match protocol https  match protocol dns  match protocol icmp
  2. Configure a policy-map to inspect traffic on the class-maps you             just defined:

    conf t
     policy-map type inspect private-internet-policy
      class type inspect internet-traffic-class
       inspect
  3. Configure the private and Internet zones and assign router             interfaces to their respective zones:

    conf t
    zone security private
    zone security internet
    int bvi1            
    zone-member security private
    int fastethernet 0
    zone-member security internet
  4. Configure the zone-pair and apply the appropriate             policy-map.

    Note: You only need to configure the private Internet zone pair at                 present in order to inspect connections sourced in the private zone traveling                 to the Internet zone:

    conf t
     zone-pair security private-internet source private destination internet
      service-policy type inspect private-internet-policy

    This completes the configuration of the Layer 7 inspection policy             on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP             connections from the clients zone to the servers zone and to apply application             inspection to HTTP traffic to assure that unwanted traffic is not allowed to             pass on TCP 80, HTTP’s service port.

  1. Define class-maps that describe the traffic that you want to permit             between zones, according to policies described earlier:

    conf t
     class-map type inspect match-any L4-inspect-class
     match protocol tcp match protocol udp match protocol icmp
  2. Configure policy-maps to inspect traffic on the class-maps you just             defined:

    conf t
     policy-map type inspect clients-servers-policy
     class type inspect L4-inspect-class
      inspect
  3. Configure the clients and servers zones and assign router             interfaces to their respective zones:

    conf t
    zone security clients
    zone security servers
    int vlan 1            
    zone-member security clients
    int vlan 2
    zone-member security servers
  4. Configure the zone-pair and apply the appropriate             policy-map.

    Note: You only need to configure the clients-servers zone-pair at                 present, to inspect connections sourced in the clients zone traveling to the                 servers zone:

    conf t
     zone-pair security clients-servers source clients destination servers
      service-policy type inspect clients-servers-policy

    This completes the configuration of the Layer 4 inspection policy             for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections             from the client zone to the server zone. The policy does not apply fixup for             subordinate channels, but provides an example of simple policy to accommodate             most application connections.

Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, It depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with icmp ? It is in both cases matched and inspected.

Purple

Re: Application Inspection of ZBF Router

Hi,

match protocol is using PAM entries( show ip port-map) to categorize traffic and the inspect keyword in the policy-map is for enabling stateful inspection. Now according to Cisco:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-zone-pol-fw.html#GUID-0FA87F61-EC84-44BC-B2FD-7DFE01F9AC39

Layer 7 Class Maps and Policy Maps

Layer 7 class maps can be used in inspect policy maps only for  deep packet inspection (DPI). The DPI functionality is delivered through  Layer 7 class maps and policy maps.

To create a Layer 7 class map, use the            class-map              type              inspect command for the desired protocol. For example, for the HTTP protocol, enter the            class-map              type              inspect              http command.

The type of class map (for example, HTTP) determines the match  criteria that you can use. If you want to specify HTTP traffic that  contains Java applets, you must specify a “match response body java”  statement in the context of an “inspect HTTP” class map.

A Layer 7 policy map provides application level inspection of traffic. The policy map can include class maps of the same type.

To create a Layer 7 policy map, specify the protocol in the                          policy-map              type              inspect command. For example, to create a Layer 7 HTTP policy map, use the            policy-map              type              inspect              http              policy-map-name command. Enter the name of the HTTP policy-map for the            policy-map-name argument.

If you do not specify a protocol name (for example, if you use the            policy-map              type              inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

A Layer 7 policy map must be contained in a Layer 3 or Layer 4  policy map; it cannot be attached directly to a target. To attach a  Layer 7 policy map to a top-level policy map, use the            service-policy  command and specify the application name (that is, HTTP, Internet  Message Access Protocol [IMAP], Post Office Protocol, version 3 [POP3],  Simple Mail Transfer Protocol [SMTP], or SUN Remote Procedure Call  [SUNRPC]). The parent class for a Layer 7 policy should have an explicit  match criterion that matches only one Layer 7 protocol before the  policy is attached.

If the Layer 7 policy map is in a lower level, you must specify the            inspect action at the parent level for a Layer 7 policy map.

So there is indeed a difference between a L3-L4 inspection and a L7 inspection according to this document.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
New Member

Re: Application Inspection of ZBF Router

Cadet,

This is a very helpful reply from you. the following line reveals the mystery of "inspect" within ZFW:

If you do not specify a protocol name (for example, if you use the            policy-map              type              inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

In short, it depends on the "type inspect" in the policy-map, not on the "match" in the class-map neither on the "action" in the policy-map.

This implements a L4 inspection

class-map type inspect match-all c-name   match protocol httppolicy-map type inspect p-name  class type inspect c-name

    inspect

And this implements a L7 inspection:

class-map type inspect http match-any c-name-httpmethods

   match request method bpropfind

   match request method bproppatch

   match request method connect

   match request method index

   match request method notify

policy-map type inspect http p-name-app-http

   class type inspect http c-name-httpmethods

   log

   reset

Thank you !     

Re: Application Inspection of ZBF Router

Hello Oydious,

Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.

So, It depends on the protocol being inspected, not on the keyword "inspect".

But I'm not sure what's going on with icmp ? It is in both cases matched and inspected.

Answer/

Here is were most people get confused.

Using class-maps:

You can match traffic at layer 7,layer 3 or Layer4.

Using match access-list = Layer 4 or layer 3 depending on the structure.

Using match protocol = Matching layer 7 ( layer 4 if match protocol tcp,udp)

Now, what happens if you want to inspect FTP packets to open additional channels?

You should use a class-map matching the protocol (L7) and then inspect it otherwise the Router will only care about matching the TCP port 21 for FTP.

I know, it might be difficult to understand it but after taking cases for more than 2 years on TAC regarding this feature I can ensure that I know what I am talking about

So when talking about Class-maps you can match L7 or L4, what to use will depend on the protocol and what you want to do.

!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Purple

Application Inspection of ZBF Router

HI Julio,

So why does Cisco seem to tell the opposite, it's very confusing from them especially when using protocol is only using PAM to get the match instead of an access-list. I didn't say I don't believe you because you seem to have much experience about this but in this case the Cisco documentation is rather misleading( not to say the least).

To add to the confusion this link says exactly what you're telling:  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#stateful-1

If you're still working with TAC it could be interesting pointing out to Cisco that their docs are inconsistent and/or misleading about this subject.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Hello Cadet,

How are you man?

I am not with Cisco any more, I moved to a different company last week actually

Now, as we all know there has been always problems with some Cisco documentation (I have found at least 2 documentation bugs related to ZBFW).

At the end all comes to this:

if you use a class-map as follows

ip access-list extended test

permit tcp any any eq 21

class-map type inspect test

match access-group name test

You are basically telling the router whenever you see  a packet with TCP destination port 21, it's a match for this class-map

And U have a policy like this

policy-map type inspect In-out

class test

inspect

You will be inspecting that traffic but what the router will care about is:

Just inspect traffic that matches destination port 21.

If you do it like this instead

class-map type inspect test

match protocol ftp

The router will now inspect the traffic as FTP traffic not just as TCP destination port 21.

That's it

Hope that I explained it properly

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Purple

Application Inspection of ZBF Router

Hi Julio,

I'm doing fine,thanks and I hope you too 

I wish you the best in your new position.

Thanks for the explanation and  sorry for misleading the OP with this link content which is very confusing.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Re: Application Inspection of ZBF Router

Hello Cadet,

Thank U man,

It's always a pleasure to help.

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Application Inspection of ZBF Router

Great Example... Jcarvaja

I've got it

Would you please post your answer here too:

https://learningnetwork.cisco.com/thread/61307?tstart=0

It's the same question, but no one could answer it yet.

thanks a lot !

Re: Application Inspection of ZBF Router

Hello,

Sure, I will.

Was a pleasure to help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
485
Views
4
Helpful
13
Replies
CreatePlease login to create content