ZBF questions

I have a few Cisco routers with Zone Based Firewall configured. Mostly I have followed Cisco documentation and some web examples. Some ZBF rules are not very clear to me:

Router has 3 zones (Private, Internet and self)

1. Preventing IP Spoofing.

If I do not allow any traffic from Internet zone to Private (Self zone allows only SSH connection from internet), do I have to configure IP Spoofing prevention on route direction from Internet --> Private or Internet -> self zone?

2. Network traffic from Self zone To private and vice-versa. Is it wise to allow all traffic to and from self zone to private zone?

3. What does ZBF check if

"parameter-map type inspect krneki
 audit-trail on
 alert on"

is configured?

Thank you and kind regards, Marko

Accepted Solution

Re: ZBF questions

1) No, there is no need to configure IP spoofing protection if all traffic is denied between the zones; however, if any kind of traffic is permitted then the protection is recommended. In your case IP spoofing protection is not required between Internet and Private zones, but is required between Self and Internet zone since SSH is allowed.

2) The type of traffic allowed depends on the security policy or the role for which the zone has been set up. If all traffic is required to be permitted then it is better to have only a single zone instead of two separate zones.

3) Parameter-map type inspect is used to configure an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action. The option "alert on" turns on Cisco IOS stateful packet inspection alert messages; and the option "audit-trail on" turns audit trail messages on.
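A worked IOS configuration for the points in this answer, added here as an example and not taken from the original thread (interface names, addresses, and zone, ACL and map names are assumptions): anti-spoofing is applied on the Internet-facing interface, the only direction where traffic (SSH to the router) is permitted, and the parameter map from question 3 is attached to the inspect action on the Internet-to-self zone-pair.

```cisco
! Security zones (names assumed); the self zone exists implicitly.
zone security PRIVATE
zone security INTERNET
!
! Internet uplink (interface and addresses assumed). The inbound ACL and
! strict uRPF run before ZBF, so spoofed sources never reach the zone-pair.
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group ANTISPOOF-IN in
 ip verify unicast source reachable-via rx
 zone-member security INTERNET
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 zone-member security PRIVATE
!
! Drop packets from the Internet claiming an inside or non-routable source.
ip access-list extended ANTISPOOF-IN
 deny   ip 192.168.10.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! The parameter map from question 3: audit-trail logs session start/stop,
! alert logs inspection events. It only takes effect when an inspect
! action references it.
parameter-map type inspect MGMT-PMAP
 audit-trail on
 alert on
!
! Only SSH to the router's own address is allowed from the Internet.
ip access-list extended SSH-TO-ROUTER
 permit tcp any host 203.0.113.2 eq 22
!
class-map type inspect match-all CM-SSH-IN
 match access-group name SSH-TO-ROUTER
 match protocol tcp
!
policy-map type inspect PM-INTERNET-TO-SELF
 class type inspect CM-SSH-IN
  inspect MGMT-PMAP
 class class-default
  drop log
!
zone-pair security INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect PM-INTERNET-TO-SELF
```

With audit-trail on, each inspected SSH session is logged at open and close; "show policy-map type inspect zone-pair INTERNET-TO-SELF sessions" lists the sessions currently tracked by the zone-pair.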

