Live chat with Cisco expert, Ashish Jhaldiyal on Zone based firewall.
Ashish is a senior TAC engineer at Cisco Systems and his expertise is in Network Security, Intrusion Prevention Systems and Zone-Based Firewall. He has more than 5 years of experience in the field of networking and specializes in firewalls and Wireshark.
What is a Facebook Forum?
Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.
What are the differences between Zone-Based Policy Firewall and Classic Firewall ?
Zone-Based Policy Firewall introduces substantial changes to command-line interface (CLI) firewall configuration. In Classic Firewall configuration, firewall policy is applied on interfaces, while in Zone-Based Policy Firewall configuration, interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
What are the two configuration models for Cisco IOS Firewall?
There are two configuration models for Cisco IOS Firewall. The traditional configuration model, Classic Firewall (formerly known as Context-Based Access Control, or CBAC), and the new configuration model, Zone-Based Policy Firewall.
Cisco routers have supported ZBF since release 12.4(6)T.
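As an added illustration (not part of the chat and not a Cisco sample configuration), here is one and the same policy, "inside hosts may reach web and DNS on the outside with stateful inspection, everything else is dropped", written first the Classic Firewall (CBAC) way and then the Zone-Based way. Interface names, zone names and the protocol list are assumed for the example.

```cisco
! ---- Classic Firewall (CBAC): the policy hangs off the interface ----
ip inspect name CBAC-OUT http
ip inspect name CBAC-OUT https
ip inspect name CBAC-OUT dns
ip inspect name CBAC-OUT icmp
!
! Inbound ACL on the WAN side blocks everything; CBAC opens
! return traffic dynamically for sessions it has inspected.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface GigabitEthernet0/0
 description LAN
 ip inspect CBAC-OUT in
!
interface GigabitEthernet0/1
 description WAN
 ip access-group OUTSIDE-IN in
!
! ---- Zone-Based Policy Firewall: interfaces join zones, the policy sits on the zone-pair ----
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any IN-OUT-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-ALLOWED
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Two points a practitioner should check in the ZBF half: there is deliberately no OUTSIDE-to-INSIDE zone-pair, so outside-initiated traffic is dropped while return traffic for inspected sessions is allowed statefully; and traffic to or from the router itself belongs to the built-in self zone, which stays permitted by default until a zone-pair that includes self is configured. Verify with show zone-pair security and show policy-map type inspect zone-pair sessions.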
What management tools are available to support Zone-Based Policy Firewall?
ZBF can be configured using the CLI or GUI-based configuration tools like CCP, SDM and CSM.
What logging features are included with Cisco IOS Firewall?
Audit trail features use syslog mechanisms to track new sessions, session termination, source and destination hosts, ports and the number of transmitted bytes.
Can Cisco IOS Firewall inspect applications on ports other than those set as default ports?
Yes, it is possible using PAM (Port-to-Application Mapping). This supports a large list of protocols.
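An added example of PAM, not from the chat: the first mapping tells the firewall that TCP/8080 carries HTTP for every host, the second adds a host-specific mapping (TCP/8081 is HTTP only when the destination matches ACL 10). Once mapped, a plain match protocol http in an inspect class-map covers those ports as well. Port numbers, the host address and the ACL number are assumed for the example.

```cisco
! Global mapping: treat TCP/8080 as HTTP everywhere
ip port-map http port tcp 8080
!
! Host-specific mapping: TCP/8081 is HTTP only for the host in ACL 10
access-list 10 permit host 10.1.1.20
ip port-map http port tcp 8081 list 10
!
! No port numbers needed here; the application name picks up the mapped ports
class-map type inspect match-any WEB
 match protocol http
!
! From privileged EXEC, confirm the mappings (default 80 plus the user-defined entries):
! show ip port-map http
```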
Can Authentication Proxy be used for specific users or subnets?
Yes, an access list can be used to specify which networks or hosts need to authenticate before a user policy is applied.
Can rate limiting be applied for Cisco IOS Firewall policies?
Yes, IOS Firewall provides the ability to control the bandwidth that is used by an application or traffic through the firewall. This also limits DoS attacks by preventing excessive bandwidth from being consumed.
Which voice over IP (VoIP) protocols are supported by Cisco Zone-Based Policy Firewall?
Zone-Based Firewall supports SIP, H.323 and SCCP. It supports protocol inspection and pinhole opening.
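An added example, not from the chat, that covers the two preceding answers in one inspect policy: a voice class that inspects SIP, H.323 and SCCP (the IOS keyword for SCCP is skinny) so the firewall opens media pinholes itself, and a bulk-transfer class whose inspected traffic is also policed. Zone names, the rate and burst values and the protocol lists are assumed. The police action is only accepted in a class that also has the inspect action, and the limit applies to that class across the zone-pair, not per host.

```cisco
class-map type inspect match-any VOICE-SIGNALING
 match protocol sip
 match protocol h323
 match protocol skinny
!
class-map type inspect match-any BULK
 match protocol ftp
 match protocol http
!
policy-map type inspect IN-OUT-POLICY
 ! Inspect signalling; RTP/RTCP pinholes are opened from the call setup
 class type inspect VOICE-SIGNALING
  inspect
 ! Inspect and cap bulk traffic: rate in bps, burst in bytes
 class type inspect BULK
  inspect
  police rate 2000000 burst 50000
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
```

Check the counters with show policy-map type inspect zone-pair; the police section of the BULK class shows conformed and exceeded bytes, and exceeded packets are dropped rather than queued.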
Does the Cisco IOS Zone-Based Policy Firewall work with stateful failover?
No, ZBF doesn’t work with stateful failover.
If I don't have routers in HA, with zone based configuration, in case of failover what will happen to my existing session?
We would require stateful failover for this functionality; however, unfortunately it is only supported on Cisco ASA, not on IOS.
Does zone based firewall support authentication proxy?
In case of zone based firewall, if I have static nat present for inside server for outside users, and I want to accept the traffic initiated by outside users to this server, what is the order of operation?
First ACL, then NAT takes precedence, and after that the zone-based firewall. However, ACLs and zone-based firewall are not meant to be used together.
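An added example following the order given in the answer above (not from the chat): a static NAT for an inside HTTPS server and the OUTSIDE-to-INSIDE zone-pair that admits outside-initiated connections to it. Because NAT runs before the zone-based firewall for this direction, the firewall sees the already untranslated packet, so the ACL used for classification references the inside local address (10.1.1.10), not the public one. Note that this ACL is referenced inside a class-map for classification only; it is not applied to the interface with ip access-group. Addresses, zone and interface names are assumed.

```cisco
! Public 203.0.113.10:443 maps to the inside server 10.1.1.10:443
ip nat inside source static tcp 10.1.1.10 443 203.0.113.10 443
!
interface GigabitEthernet0/0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip nat outside
 zone-member security OUTSIDE
!
! Classification ACL: inside local address, because NAT already ran
ip access-list extended OUT-TO-SERVER
 permit tcp any host 10.1.1.10 eq 443
!
! match-all: both the ACL and the protocol must match
class-map type inspect match-all OUT-IN-HTTPS
 match access-group name OUT-TO-SERVER
 match protocol https
!
policy-map type inspect OUT-IN-POLICY
 class type inspect OUT-IN-HTTPS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-IN-POLICY
```

After a client connects from the outside, show policy-map type inspect zone-pair OUT-IN sessions should list the session with 10.1.1.10 as the destination; if it shows the public address instead, the ACL will never match and the class-default drop log counters will climb.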
Please recommend some good resources for zone based firewall?
If I need to choose between cbac and zone based, what should I go for?
CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, much of the development focus will be on Zone-Based Firewall in future releases. Here is the link that describes the difference between the two: