Deploying Zone-Based Firewalls

Cisco Press has just released my latest book (and my first digital one): Deploying Zone-Based Firewalls. The book covers a completely new way to configure IOS firewall feature set based on security zones you define on a router and inter-zone policies configured using the familiar class-maps and policy-maps.

You can preview this digital book (they call it Digital Short Cut) using the Safari technology at Cisco Press and buy it at Amazon.


  1. when you use the new zone base fw feature. when you drop and log all other traffic in a policy, is the log function done using CEF or process switching?
  2. Hello,

    is it mandatory to use "Class class-default --> Drop" statement in Policy map or Policy map automatically rejects everything what is not permitted/inspected? For example I would like to permit https traffic and reject everything else. Do I need to input "Class class-default --> Drop" ?

    Thank you and Kind regards,Marko
  3. As the answer might interest many readers, I wrote a new post about it.
  4. I've read your book, which I found clear and well put together.

    I was, however, left wondering why there was such little apparent use made of the feature in real life.

    IOS Zone-based firewalls are supposed to be easier to set up and understand (arguable), more precise, and possibly offering higher throughput, but there seem to be relatively few examples of their use, even with their support in SDM 2.4.

    Is it because

    (a) they are a relatively recent addition to IOS and so there is less documentation / experience / expertise available for their use.

    (b) they are not easier to configure/maintain in practice.

    For example you still need to use Access Control Lists to let particular types of icmp through, because the ZBF operates on a protocol basis.

    And, instead of an easy to read list of what is blocked/passed, you have zones, zone links, protocol inspection rules, etc. Even with SDM, there is a good deal of setting up of the building blocks before you can use them.

    Am I missing something?
  5. Thanks for your thoughts about the book :)

    I would assume that the (current)low acceptance of the zone-based configuration is based both on the release it's available in (I would never put an "experimental" IOS release like a T release in my production network unless forced to do so by a mandatory feature or new hardware platform) as well as relative unfamiliarity (people still think in terms of access lists).

    I also agree with you that the configuration interface is a bit baroque (with classes, policies, inter-zone service policies ...) and it's definitely easier to write an access list ... if you have only two zones. However, try writing an access list for a complex firewall with 4 or 5 zones (where you have to merge all your inter-zone policies into a single access list) and you'll start appreciating the zone-based configuration. The configuration model is even more useful if you have multiple zones that have the same inter-zone policy toward a target zone (for example, all internal zones have the same policy toward the Internet).

    Having said all that, a year ago, I would probably still stick to the access-lists (even if the zone-based configuration would be available in a GD release) if I'd have to do a quick configuration job. Having climbed the learning curve, I will definitely use the new approach in my future projects ... once it becomes available in a stable major release.
  6. I have just provisioned a router with from scratch using SDM2.4.

    It now installs a zone-based firewall by default.

    I am struggling to

    (1) get BGP going, to pick up bogon lists from cymru (repeated no route to peer messages)

    (2) L2TP/IPSec connections.

    This is a straightforward DSL+LAN setup (no DMZ).

    My main issue (apart from the sheer number of settings that SDM generates) is a confusion between when to use self and when to use in/outside.
  7. The trick seems to be to allow isakmp & esp from out to self, and to add a static route to the cymru bgp peer.
  8. You're right regarding the IPSec issues, I also wrote a post detailing the rules of the self zone usage.

    As for the BGP session, it looks like the router is not willing to use the default route to get to its BGP peer. Interesting, will check it in my lab :)
  9. The other thing that I am noticing is that cymru BGP appears to be trying to send a message from port 179 into a random high-numbered port in my router. This gets blocked, even though I am inspecting outgoing bgp.

    Perhaps it is something to do with the time it takes to build IPS signatures as the ATM goes up
  10. A further example that would be helpful is the setup for SIP.

    I notice that just opening SIP and RTP (in my case 5004 or 5006) does not help. I also seem to have to open UDP to get the RTP connection to work; otherwise, it just seems to be blocked, even if it is open.

  11. An apparent limitation of the ZBF approach is that out-of-order packets in TCP streams are not cached and reassembled before they are inspected by IPS or the firewall

    What difference does this make in real life?
  12. I wrote a post about this problem a while ago, but as it was mis-labeled, even I had problems finding it :( ... fixed now.

    The only situation where you'd get out-of-order TCP packets in real life is if a box anywhere in the end-to-end path is doing per-packet load sharing ... or if you do weird QoS stuff classifying some TCP packets in a session in a different class than others (for example, mark long packets low-priority).
  13. I notice that configuring deep packet (L7) http inspection seems to kill my download speed. Is there a work-around?
  14. Apart from buying a faster router, disabling the deep packet inspection or upgrading IOS (and hoping that a newer release is more optimized), there's not much you can do, it's a CPU-intensive task. Just to be on the safe side, inspect the "show proc cpu" output to verify that the CPU load is really getting close to 100%.
  15. Hi guys, I'm slightly confused. Is the zone based feature available on Cisco ASA's or is it purely a router feature? If it is available what OS version?

    Many Thanks
  16. This book describes the IOS implementation (available in 12.4T and 15.0). Something very similar is available in ASA.
  17. Hello Ivan,

    Could you pls provide any insight about inspecting mpls encapsulated traffic with ZBF? I've been unable to find much information about such topic? I heard about an specific solution using an special hairpin to decapsulate and loop back the traffic using a tunnel interface.

    Thanks.... Victor.
  18. Never tried that. I would assume ZBF works only on pure IP traffic. What exactly are you looking for?
  19. Hi Ivan, thank you for your response, I'm working on a exercise where they ask to apply inspection (ZBF) to the VPN traffic between two PEs. Basically the solution provided is creating a new VRF on the device along with a Tunnel, one of the Tunnel interfaces belong to the newly created VRF and the other to the VRF already present, essentially linking both VRF's back-to-back on the same router. Finally the policies are applied on the tunnel interface, where the traffic is transiting unlabeled. Until now, this solution (VRFs workaround) has been difficult to understand.
    By the way, your book on this subject has been a good reading.
    Thanks in advance for your help. Regards.... Victor.
  20. Hi Ivan,

    I have just read your book on deploying ZBF and was a great read. Really helped to break down ZBF for me so thanks.

    One thing I noticed is your method for all out traffic to be inspected (listing 3-5) says
    policy-map type inspect InsideToOutside
    class class-default

    I am using that latest release of IOS 15.1(4)m and it seems that you can no longer use inspect on the class-default anymore.

    rtr(config-pmap)# class class-default
    rtr(config-pmap-c)# inspect
    %Action inspect cannot be added to class-default

    Just wondering what you recommend in place of this? Was thinking to use a class map inspect for tcp,udp,icmp.

  21. Weird. The workaround would be to create a class that matches TCP, UDP or ICMP.

    Not sure whether you'd have to put FTP/SIP in a separate class to ensure ZBF does deep(er) packet inspection.
Add comment