Cisco Support Community

Basic Zone based Firewall Concepts


Zone-Based Firewall (ZFW) is a newer approach to configuring access control in the IOS firewall. Before this technology, traffic filtering was accomplished with access lists and stateful inspection (CBAC). Both access lists and inspection rules are applied directly to physical interfaces, which is not a very effective way to express a security policy.

The core new concept of ZFW is the zone, which groups interfaces that share the same security attributes, that is, the same level of trust. For example, you may have security zones that reflect how your enterprise is partitioned into security levels.

Please refer to the following figure:


Zone-Based Firewall achieves the following:

  • Identifies "similar" interfaces and groups them into zones
  • Identifies targets: a target is a virtual context specifying traffic flowing from one zone to another
  • A target manifests itself as a zone-pair, consisting of a source zone and a destination zone; the sense of direction is contained in the target
  • A unidirectional policy is applied between zones
  • The default inter-zone policy is DENY ALL
  • Multiple traffic classes and actions can be applied per zone-pair
  • Zone-pair-specific TCP parameters can be configured

ZBF also helps us achieve the following:

  • Offers an easy-to-understand configuration model
  • Firewall policies are configured on traffic moving between zones
  • Simplifies firewall policy troubleshooting by applying explicit policy to inter-zone traffic
  • Firewall policy configuration is very flexible
  • Varying policies can be applied to different host groups, based on ACL configuration

Legacy inspection configuration


Zone-Based Policy Firewall Configuration


Configure a ZBP Firewall step by step:

1. Identify and define network zones

2. Assign interfaces to zones

3. Determine the traffic that flows in each direction between zones

4. Set up zone-pairs for any policy other than deny all

5. Define class-maps to describe the traffic between zones

6. Associate class-maps with policy-maps to define the actions applied to each traffic class

7. Assign policy-maps to zone-pairs

Simple firewall policy configuration

Configure a router with two zones.

Allow simple TCP connections (and their return traffic) from a workstation in zone 1 to a server in zone 2.


Identify and Configure Zones

Identify and define zones

  • Configure a zone for any group of hosts that you must isolate from other hosts. 
  • Zones need not follow subnet boundaries, particularly for a transparent firewall.


Assign interfaces to zones

  • Assign Interfaces to Zones


  • As soon as an interface is assigned to a zone, its traffic flows only to interfaces in the same zone until a zone-pair and policy permit otherwise.

Configure Zone-Pairs

  • Identify zone pairs where traffic will be allowed between zones.
  • Remember, the default inter-zone policy is deny all. If you don't want traffic in a particular direction on a zone-pair, that traffic is implicitly denied; you don't need to configure anything.


Define Class-Map

Class-maps define the traffic to which you will apply a policy other than the implicit deny.

Define Policy-Map

  • Policy-maps assign a policy (an action) to the traffic defined in a class-map.


  • You only need to define inspect from Zone A to Zone B. Inspection handles the reflexive (return-traffic) policy for you.

Apply Policy-Map to Zone-Pair


Final config
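The page's final configuration is an image; the following is an added worked example (not the original author's figure) that walks the two-zone scenario through steps 1 to 7. Zone names, interface names, and the workstation and server addresses are constructed assumptions.

```cisco
! Step 1: define the two security zones (names are assumed)
zone security ZONE1
 description Workstation LAN
zone security ZONE2
 description Server LAN
!
! Step 2: assign interfaces to zones (interface names and addresses are
! assumed). Once assigned, an interface exchanges traffic only with its
! own zone until a zone-pair carrying a policy is configured.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security ZONE1
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 zone-member security ZONE2
!
! Step 5: class-map for TCP from the workstation to the server.
! match-all means BOTH the ACL (who) and the protocol (what) must match,
! so the class is narrower than either statement alone.
ip access-list extended WS-TO-SERVER
 permit ip host 10.1.1.10 host 10.2.2.20
class-map type inspect match-all ZONE1-TO-ZONE2-CLASS
 match access-group name WS-TO-SERVER
 match protocol tcp
!
! Step 6: policy-map. "inspect" builds a stateful session, so the
! server's replies are allowed back without any ZONE2->ZONE1 policy.
! Anything else in this direction lands in class-default and is
! dropped and logged, making the explicit deny visible in syslog.
policy-map type inspect ZONE1-TO-ZONE2-POLICY
 class type inspect ZONE1-TO-ZONE2-CLASS
  inspect
 class class-default
  drop log
!
! Steps 4 and 7: one unidirectional zone-pair with the policy attached.
! No ZONE2->ZONE1 zone-pair exists, so connections initiated by the
! server toward the workstation LAN remain at the default deny.
zone-pair security ZONE1-ZONE2 source ZONE1 destination ZONE2
 service-policy type inspect ZONE1-TO-ZONE2-POLICY
```

Verify the result with "show zone-pair security" and "show policy-map type inspect zone-pair sessions", which lists the inspected TCP sessions the policy has created.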


That is it for this blog. I am thinking of coming up with some scenarios, or some more details on the different types of class-maps and policy-maps allowed within ZBF. Please let me know what you would like to hear more about.

Appreciate your time.


Please click on the images to enlarge them. Thanks


Hi Ankur,

How exactly can we audit these logs from one zone to another zone? I want to see all ALLOW and DROP traffic.

I use the configuration below with audit trail on, but it doesn't show the dropped traffic all the time.

policy-map type inspect A-to-B-policy
 class type inspect A-to-B
  inspect auditlog
 class class-default
  drop log

Is there any other way to audit the traffic between zones?

Very useful post...

Good work, keep it up!


Please refer to the following details, uday:

-------------------------------------------------------------
parameter-map type inspect mypmap
 audit-trail on
 log dropped-packets

class-map type inspect match-any cm
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect pm
 class type inspect cm
  inspect mypmap
 class class-default
---------------------------------------------------------------

Hope this helps!


Very helpful...

Thanks Ankur


Well, nice explanation...

By the way, could you put some spotlight on the same concept in the ASR 1000 series? I heard that we cannot configure ZBFP through the CLI, and that it should be done through CSM. Is that right? Please...