I have configured a router with ZFW and from my testing I can confirm that almost everything is working the way it should except the P2P blocking. It doesn't seem to block anything in the P2P arena and I've tried Gnutella, Kazaa, and Bittorent and all of them are able to make a connection, search and download. I even have DPI enabled to make sure it can't use http but it still manages to get out.
Once in a while the router does log a message (below) but it's not consistent.
*Feb 19 20:26:15.689: %APPFW-6-P2P_PORT_HOP: gnutella using 9699 port - tcp session 10.32.2.30:3976 126.96.36.199:9699 on zone-pair in-out class CM_INSPECT
Feb 19 20:26:48.641: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.32.2.30:3985 => 188.8.131.52:36486 (target:class)-(in-out:CM_P2P)
class-map type inspect match-any CM_INSPECT match protocol dns match protocol https match protocol icmp match protocol imap match protocol tcp match protocol udp
class-map type inspect match-all CM_HTTP match protocol http
class-map type inspect http match-any CM_PORTMISUSE match request port-misuse p2p match request port-misuse tunneling match req-resp protocol-violation
class-map type inspect match-any CM_P2P match protocol edonkey signature match protocol gnutella signature match protocol kazaa2 signature match protocol fasttrack signature match protocol bittorrent signature match protocol gnutella
policy-map type inspect http PM_HTTPDPI class type inspect http CM_PORTMISUSE log reset
policy-map type inspect PM_INSPECT class type inspect CM_P2P drop log class type inspect CM_HTTP inspect service-policy http PM_HTTPDPI class type inspect CM_INSPECT inspect class class-default drop
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...