Zone Based Policy Firewall (ZBPFW)

Each organization can be separated into several security zones, such as internal, DMZ and external. The interfaces of every network device are then assigned to these security zones, and a different security policy is applied between zones for each connection direction. Unlike the previous Cisco IOS firewall feature, Context-Based Access Control (CBAC), ZBPFW defines traffic of interest (security classification) using the class-map command from the Modular QoS Command-Line structure. This security classification is then used in the definition of zone policies, which control the traffic in and out of each zone interface.

Zone Based Layer 3/4 Policy Firewall Configuration

  • Security Zone configuration
    Router(config)# zone security zone-name
    Router(config-if)# zone-member security zone-name
    Router# show zone security
  • Class Map configuration: a class map is defined in ZBPFW to match the traffic that will be subject to the firewall policy.
    Router(config)# class-map type inspect [match-any | match-all] class-map-name
    Router(config-cmap)# match access-group [access-list | name access-list-name]
    Router(config-cmap)# match protocol protocol-name
    Router(config-cmap)# match class-map class-map-name
    Router# show class-map type inspect
  • Policy Map Configuration: A policy map is used to configure the action that will be taken with the traffic that was matched within the class map configuration.
    Router(config)# policy-map type inspect policy-map-name
    Router(config-pmap)# class type inspect class-name
    Router(config-pmap-c)# inspect | pass | drop [log] | police rate bps burst size
    Router(config-pmap-c)# service-policy [urlfilter | http | im | imap | pop3 | smtp] dpi-policy-map-name
    Router# show policy-map type inspect
  • Configuring Zone Pairs and Assigning the Policy Map on those Zone Pairs
    Router(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [destination-zone-name | self]
    Router(config-sec-zone-pair)# service-policy type inspect policy-map-name
    Router# show zone-pair security

Normally, zone pairs are direction-aware: two different zone pairs, one for each direction, are needed between two zones. Zone pairs can also be set up to protect the control and management planes. This is done through the use of the system-defined self zone. The self zone includes all traffic that is directed at the device itself and all traffic that is generated by the device. As with other zones, the self zone can be used as either the source or the destination zone, and it is also configured unidirectionally.
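The four configuration steps and the self zone described above, put together as an added example (not part of the original page). All zone, class-map, policy-map, ACL and interface names are hypothetical, and 192.0.2.0/24 is a documentation address range standing in for a management network.

```cisco
! Added example; zone, map, ACL and interface names are hypothetical.
! 1. Security zones
zone security INSIDE
zone security OUTSIDE
!
! 2. Class maps: the traffic of interest
class-map type inspect match-any CM-USER-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! SSH to the router itself, only from the management range (constructed)
ip access-list extended ACL-MGMT-SSH
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
class-map type inspect match-all CM-MGMT-SSH
 match access-group name ACL-MGMT-SSH
!
! 3. Policy maps: action per class, everything else dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-USER-TRAFFIC
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-MGMT-SSH
  inspect
 class class-default
  drop log
!
! 4. Zone pairs: one per direction; the second protects the router itself
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! Interface-to-zone assignment
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Because the action is inspect, return traffic for sessions opened from INSIDE is allowed statefully, while new connections from OUTSIDE to INSIDE stay blocked since no zone pair exists in that direction. The show commands listed in each step above confirm the zones, maps and pairs after the configuration is applied.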

Note: When using both ACLs and zone policies, the ACLs will be considered before any zone policies are enforced.

Default zone policies:
Intrazone traffic is freely permitted by default; only IOS Release 15.0.1M and higher will support intrazone policies. Prior to IOS Release 15.0.1M, all traffic that was sourced and destined for devices inside the same zone was freely permitted. With this IOS release, the ability to configure a zone pair with the same zone as both source and destination is possible; this enables you to apply policies for traffic traveling within the same zone across the device.

Interzone traffic is not permitted by default; traffic is allowed only when configured within a zone policy.
Interfaces are not required to be a member of a zone; however, traffic will not be permitted between an interface in a zone and an interface not in a zone regardless of policy.