Facebook Forum - Zone Based Firewall

Live chat with Cisco expert Ashish Jhaldiyal on Zone-Based Firewall.

Ashish is a senior TAC engineer at Cisco Systems and his expertise is in Network Security, Intrusion Prevention Systems and Zone-Based Firewall. He has more than 5 years of experience in the field of networking and specializes in Firewall and Wireshark.

What is a Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

Click to RSVP >

Find our Facebook Fanpage.


Re: Facebook Forum - Zone Based Firewall

What are the differences between Zone-Based Policy Firewall and Classic Firewall?

Zone-Based Policy Firewall introduces substantial changes to command-line interface (CLI) firewall configuration. In Classic Firewall configuration, firewall policy is applied on interfaces, while in Zone-Based Policy Firewall configuration, interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.

What are the two configuration models for Cisco IOS Firewall?

There are two configuration models for Cisco IOS Firewall. The traditional configuration model, Classic Firewall (formerly known as Context-Based Access Control, or CBAC), and the new configuration model, Zone-Based Policy Firewall.

Which Cisco IOS Software release supports Cisco IOS Software Zone-Based Policy Firewall?

Cisco routers started supporting ZBF starting with release 12.4(6)T.

What management tools are available to support Zone-Based Policy Firewall?

ZBF can be configured using the CLI, or GUI-based configuration tools like CCP, SDM and CSM.

What logging features are included with Cisco IOS Firewall?

Audit trail features use syslog mechanisms to track new sessions, session termination, source and destination hosts, ports and the number of transmitted bytes.

Can Cisco IOS Firewall inspect applications on ports other than those set as default ports?

Yes, it is possible using PAM (Port to Application Mapping). This supports a large list of protocols.

Can Authentication Proxy be used for specific users or subnets?

Yes, an access list can be used to specify which networks or hosts need to authenticate before a user policy is applied.

Can rate limiting be applied for Cisco IOS Firewall policies?

Yes, IOS Firewall provides the ability to control the bandwidth that is used by an application or traffic through the firewall. This also limits DoS attacks by preventing excessive bandwidth from being consumed.

Which voice over IP (VoIP) protocols are supported by Cisco Zone-Based Policy Firewall?

Zone-Based Firewall supports SIP, H.323 and SCCP. It supports protocol inspection and pinhole opening.

Does the Cisco IOS Zone-Based Policy Firewall work with stateful failover?

No, ZBF doesn’t work with stateful failover.

If I don't have routers in HA with a zone-based configuration, what will happen to my existing sessions in case of failover?

We would require stateful failover for this functionality; however, unfortunately it is only supported on Cisco ASA, not on IOS.

Does zone-based firewall support authentication proxy?

It is supported as of 12.4(20)T with the introduction of user-based firewall. Please refer to the following example: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_user_fw_supp_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1133892

In case of zone-based firewall, if I have static NAT present for an inside server for outside users, and I want to accept the traffic initiated by outside users to this server, what is the order of operation?

First the ACL, then NAT takes precedence, and after that the zone-based firewall. However, ACLs and zone-based firewall are not meant to be used together.

Please recommend some good resources for zone-based firewall.

Here are links to some excellent resources.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

http://www.cisco.com/en/US/customer/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

If I need to choose between CBAC and zone-based, what should I go for?

CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, much of the development focus will be on zone-based firewall in future releases. Here is the link that describes the difference between the two:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf

To see the Facebook forum on Facebook, visit:

http://www.facebook.com/CiscoSupportCommunity/posts/10150749564121412

To see the archive on Facebook Notes, visit:

http://www.facebook.com/note.php?note_id=360685243970085

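The reply above describes the Classic Firewall (CBAC) and Zone-Based Policy Firewall models, PAM, rate limiting, audit-trail logging and the NAT-before-ZBF order of operation in prose only. The configuration below is an added example, not part of the forum post and not taken from any Cisco document; it shows both models side by side on the same two-interface router. Interface names, IP addresses, the 8080 port mapping, the police rate and the policy and zone names are constructed for illustration.

```cisco
! Added example (not from the forum post). Option A and Option B are
! alternatives: an interface cannot carry both "ip inspect" and
! "zone-member security" at the same time.

! ===== Option A: Classic Firewall (CBAC) - policy lives on the interface =====
! Audit trail: syslog a message on session creation and teardown
ip inspect audit-trail
ip inspect name CBAC_RULES tcp
ip inspect name CBAC_RULES udp
ip inspect name CBAC_RULES http
!
ip access-list extended OUTSIDE_IN
 deny ip any any
!
interface GigabitEthernet0/0
 description Outside (constructed addressing)
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect CBAC_RULES out

! ===== Option B: Zone-Based Policy Firewall - policy lives between zones =====
! PAM: let the HTTP inspection engine also recognise HTTP on TCP/8080
ip port-map http port tcp 8080
!
! Audit trail for ZBF is enabled through a parameter map
parameter-map type inspect AUDIT
 audit-trail on
!
zone security INSIDE
zone security OUTSIDE
!
! Inside -> outside: inspect common applications plus SIP, rate limit
! the class, drop and log everything else
class-map type inspect match-any IN_TO_OUT_APPS
 match protocol http
 match protocol https
 match protocol dns
 match protocol sip
!
policy-map type inspect IN_TO_OUT_POLICY
 class type inspect IN_TO_OUT_APPS
  inspect AUDIT
  police rate 8000000 burst 16000
 class class-default
  drop log
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN_TO_OUT_POLICY
!
! Outside -> inside: only the published web server. Static NAT is
! applied before ZBF on this direction, so the class-map ACL matches
! the server's real inside address (10.0.0.10), not its global one.
ip nat inside source static 10.0.0.10 203.0.113.10
!
ip access-list extended TO_WEB_SERVER
 permit tcp any host 10.0.0.10 eq 80
!
class-map type inspect match-all OUT_TO_IN_WEB
 match access-group name TO_WEB_SERVER
 match protocol http
!
policy-map type inspect OUT_TO_IN_POLICY
 class type inspect OUT_TO_IN_WEB
  inspect AUDIT
 class class-default
  drop log
!
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT_TO_IN_POLICY
!
interface GigabitEthernet0/0
 description Outside (constructed addressing)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description Inside (constructed addressing)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
```

Two points worth checking after applying the ZBF half: `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm that sessions are being created for the expected classes, and any interface left out of a zone cannot exchange traffic with a zone member, which is the usual cause of "everything is dropped" after a first ZBF deployment. Because the post says ACLs and ZBF are not meant to be combined, the example uses the ACL only inside the class map to select the published server rather than as an interface filter.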