Zone Based Firewalls on ISRs.

From what I've gathered concerning the zone based firewalls, it seems I need to implicitly permit/inspect the applications/protocols to allow them to pass the firewall? Is this true?

My main concern is if I apply the ZBF config and I have missed an application, then all traffic I assume will be dropped. (right?) Granted I will know real quick what I missed, but I would rather not go that route. I've turned on NBAR to see what applications/protocols are flowing through the router, but I have had to add a decent amount of custom NBAR statements and even now I still have a sliver of unknown traffic going through my router. Will the ZBF inspect the custom protocols/applications I've set in NBAR?

Which in turn leads me to my second question, is it best practice to not have any "unknown" traffic classified in NBAR?

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
1 REPLY
Cisco Employee

Re: Zone Based Firewalls on ISRs.

From what I've gathered concerning the zone based firewalls, it seems I need to implicitly permit/inspect the applications/protocols to allow them to pass the firewall? Is this true?

That is true.

My main concern is if I apply the ZBF config and I have missed an application, then all traffic I assume will be dropped. (right?) Granted I will know real quick what I missed, but I would rather not go that route. I've turned on NBAR to see what applications/protocols are flowing through the router, but I have had to add a decent amount of custom NBAR statements and even now I still have a sliver of unknown traffic going through my router. Will the ZBF inspect the custom protocols/applications I've set in NBAR?

If you are inspecting tcp and udp, most protocols will work. Now if there is a protocol that embeds IPs in the packet payloads (like H323 or SIP) or will need to open pinholes (like FTP or H323), it will indeed break with just tcp and udp inspection. NBAR will help for inspections. But if you look at the protocols you can inspect, you can put as much as you want in order to cover all your bases.

Which in turn leads me to my second question, is it best practice to not have any "unknown" traffic classified in NBAR? 

I don't think that is the case, because practically you can't classify everything. Doing your best and inspecting your best will likely not cause any issues. Testing before going to production will also cover you against any unknown issues. NBAR definitely helps to identify what you need to inspect, of course.

I hope it helps.

PK
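The points in the reply above, as an added IOS configuration example that is not part of the original thread or of any Cisco document: generic tcp/udp/icmp inspection covers most traffic, but FTP, SIP and H.323 are matched by name in their own class (listed first, so they are not swallowed by the generic tcp match and lose their pinhole/embedded-address handling), a user-defined port map teaches the firewall about a custom application, and class-default is set to drop with logging so anything you missed shows up in the log instead of silently disappearing. Zone names, interface names, the policy/class names and the port 8443 custom application are assumptions for illustration.

```cisco
! Added example, not from the original thread. Names, interfaces and
! TCP/8443 are assumptions chosen for illustration.

! Teach the firewall's port-application map about a custom app so it can
! be matched by name (user-1 .. user-10 are the user-definable slots).
ip port-map user-1 port tcp 8443

! Protocols that embed addresses in the payload or need dynamic pinholes.
! These must be matched by name so the application-layer inspection runs;
! a plain "match protocol tcp" would not open the data/media channels.
class-map type inspect match-any CM-ALG-APPS
 match protocol ftp
 match protocol sip
 match protocol h323

! Everything else gets generic stateful inspection.
class-map type inspect match-any CM-GENERIC
 match protocol user-1
 match protocol icmp
 match protocol tcp
 match protocol udp

! Class order matters: the ALG class is evaluated before the generic one.
! class-default drops by default; "drop log" makes missed applications
! visible in syslog so the policy can be completed before go-live.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-ALG-APPS
  inspect
 class type inspect CM-GENERIC
  inspect
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE

! Traffic between zones with no zone-pair/policy is dropped, so only the
! INSIDE -> OUTSIDE direction is opened here; return traffic for inspected
! sessions is allowed by the state table.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT

interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE
```

To check the result, `show ip port-map` confirms the user-1 mapping, `show policy-map type inspect zone-pair sessions` lists the sessions each class has opened, and the `drop log` entries on class-default are the list of applications still missing from the policy, which is the same information NBAR protocol discovery gives you before the firewall is applied.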
