So I am working on a CBAC to ZBF conversion and am running into a couple of questions. When converting to a ZBF, does the need for ACLs on the interface go away? I have the following configuration and can't seem to get any stats generated when I do a "sh policy-map type inspect zone-pair".
Can someone see if I am missing anything? The ACL I have applied to the incoming traffic on the OUTSIDE interface is dropping the traffic I need to come through. Does ZBF work differently with the ACLs? It does begin to work when I remove the ACL from the interface, but when I run the "sh policy-map type inspect zone-pair", I am still not getting any traffic generated in the inspection.
I have attached the relevant config and the output from a Show Policy-Firewall Config command.
Any help on this would be much appreciated. Just wondering if someone can see something I am missing on this.
When converting to a ZBF, does the need for ACLs on the interface go away?
With CBAC the firewall inspection would open a pinhole in the incoming ACL. Due to the security features of ZBFW this will not happen, and the ACL check happens before the inspection. So if you are using ZBFW I would encourage you to remove any existing ACL.
That makes sense but when I removed the ACL from the interface, I was able to surf the net but I wasn't getting any stats in the Show Policy-map type inspect zone-pair. I should get stats from this right?
I guess I am just a little gun shy removing that ACL because I have been so used to CBAC! LOL
I am assuming I would also need to create an inbound zone pair for traffic that needs to be allowed that is initiated from the outside, correct?
Is it best practice to remove the access-class from the vty lines as well?
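To illustrate the answer above (in ZBF the interface ACL is checked before inspection, so the inbound ACL on the OUTSIDE interface is what drops the return traffic) and the follow-up question about an inbound zone pair, here is an added example IOS zone-based firewall configuration. It is not the configuration attached to the thread; the zone names, class-map and policy-map names, interface numbers, the protocol list and the published server address 192.0.2.10 (a documentation address used as a placeholder) are all assumptions. The self zone and the VTY access-class are a separate topic and are not covered here.

```cisco
! Two zones: one per side of the firewall
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed interface)
 zone-member security OUTSIDE
 ! No "ip access-group ... in" here. With ZBF the interface ACL is evaluated
 ! before the inspect policy, so a restrictive inbound ACL drops the return
 ! traffic that the zone-pair inspection would otherwise have allowed.
!
! Outbound (INSIDE -> OUTSIDE): inspect the protocols the LAN may initiate;
! return traffic is permitted by the inspection state, not by an ACL.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Inbound (OUTSIDE -> INSIDE): connections initiated from the outside are not
! covered by the outbound zone-pair, so they need their own zone-pair. The ACL
! is used inside the class-map to scope what is inspected, not on the interface.
ip access-list extended ACL-PUBLISHED-WEB
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
!
class-map type inspect match-all CM-OUTSIDE-TO-INSIDE
 match access-group name ACL-PUBLISHED-WEB
!
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-OUTSIDE-TO-INSIDE
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
!
! Verification: the per-class counters and the session table only populate for
! traffic that actually hits the inspect class on the zone-pair.
!   show zone-pair security
!   show policy-map type inspect zone-pair IN-TO-OUT
!   show policy-map type inspect zone-pair IN-TO-OUT sessions
```

If "show policy-map type inspect zone-pair" still shows zero counters after the interface ACL is removed, check "show zone-pair security" first: both interfaces must be members of the zones named in the zone-pair, and the service-policy must be attached to that zone-pair, otherwise inter-zone traffic is dropped without ever being counted under the inspect class.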
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...