ZBF Firewall Config Questions

Jason Spring
Level 1

So I am working on a CBAC to ZBF conversion and am running into a couple of questions. When converting to a ZBF, does the need for ACL's on the interface go away? I have the following configuration and can't seem to get any stats generated when I do a "sh policy-map type inspect zone-pair"

Can someone see if I am missing anything? The ACL I have applied to the incoming traffic on the OUTSIDE interface is dropping the traffic I need to come through. Does ZBF work differently with the ACL's? It does begin to work when I remove the ACL from the interface but when I run the "sh policy-map type inspect zone-pair", I am still not getting any traffic generated in the inspection.

I have attached the relevant config and the output from a Show Policy-Firewall Config command.

Any help on this would be much appreciated. Just wondering if someone can see something I am missing on this.

Thanks in advance,

4 Replies

Julio Carvajal
VIP Alumni

Hello Jason,

when converting to a ZBF, does the need for ACL's on the interface go away?

With CBAC the firewall inspection would open a pinhole in the incoming ACL. Due to the security features of ZBFW this will not happen, and the ACL check will go before the inspection. So if you are using ZBFW I would encourage you to remove any existing ACL.

Remove it and let us know bud

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That makes sense but when I removed the ACL from the interface, I was able to surf the net but I wasn't getting any stats in the Show Policy-map type inspect zone-pair. I should get stats from this right?

I guess I am just a little gun shy removing that ACL because I have been so used to CBAC! LOL

I am assuming I would also need to create an inbound zone pair for traffic that needs to be allowed that is initiated from the outside, correct?

Is it best practice to remove the access-class from the vty lines as well?

thanks for your input. 

I am assuming I would also need to create an inbound zone pair for traffic that needs to be allowed that is initiated from the outside, correct?

Yes, that will need to be set

Is it best practice to remove the access-class from the vty lines as well?

Well, you can leave those if you want, but remember with ZBFW you have the Self-Zone as well. So if you use the Self-Zone, get rid of those too.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

What about verifying the firewall is functioning. Does just doing a sh policy-firewall sessions suffice for this?

Shouldn't I see packets being counted in the sh policy-map type inspect zone-pair?
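The thread above touches on three pieces of a ZBF build: the inside-to-outside inspect policy that should produce session counters, the separate zone pair needed for outside-initiated traffic, and the self zone that replaces the vty access-class. The skeleton below is an added, constructed IOS example (not Jason's attached config and not from Julio's posts) that puts the three together. All names, the interface numbers, the OLD-ACL placeholder and the 192.0.2.10 host address are assumptions chosen for illustration.

```cisco
! --- Zones -------------------------------------------------------------
zone security INSIDE
zone security OUTSIDE
! "self" is predefined: traffic to/from the router's own control plane.

! --- INSIDE -> OUTSIDE: stateful inspection of user traffic ------------
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

! --- OUTSIDE -> INSIDE: only explicitly published services --------------
! The ACL lives in the class-map, not on the interface, so the policy and
! its counters see the traffic. 192.0.2.10 is a constructed example host.
ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 192.0.2.10 eq 443
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE-ACL
 match protocol https
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

! --- INSIDE -> self: management access in place of the vty access-class -
class-map type inspect match-any INSIDE-TO-SELF-CLASS
 match protocol ssh
 match protocol icmp
policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect INSIDE-TO-SELF-CLASS
  inspect
 class class-default
  drop log
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY

! --- Interfaces: zone membership replaces the interface ACL -------------
interface GigabitEthernet0/0
 description INSIDE
 zone-member security INSIDE
interface GigabitEthernet0/1
 description OUTSIDE
 no ip access-group OLD-ACL in     ! OLD-ACL = placeholder for the CBAC-era ACL
 zone-member security OUTSIDE

! --- Verification (run after generating traffic from INSIDE) ------------
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT
! show policy-map type inspect zone-pair sessions
! show policy-firewall sessions
```

The counters in "show policy-map type inspect zone-pair" are per zone pair and per class, so they only increment for traffic that actually traverses a zone pair with an inspect policy attached; an interface that is not a zone member, or a class that has no hits, shows zero. Keep the OUTSIDE-to-INSIDE class as narrow as the published service requires, and leave class-default on drop log so that anything unexpected is both blocked and visible in the logs.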
