Continuing to check things off from the blueprint. Did some ZBFW labbing today. Here are some important stuff to be aware of.

ZBFW is basically a wrapper for CBAC. We create policys between zones and assign interfaces to zones instead of applying CBAC rules to interfaces.

By default all traffic to the self zone will be allowed (router from and to router itself). If we apply policys to self zone then everything is dropped except for the traffic that is explicitly permitted. We need to be aware of this to not mess with the routing if we get such a task at the lab.

The self zone can only inspect TCP, UDP and ICMP but not protocols like telnet and SSH. To work around this we can do a class-map matching an ACL AND the protocol TCP if we are matching telnet traffic.

It’s not very intuitive to see which traffic is dropped. We can turn on logging with ip inspect log drop-pkt. This helps a lot to see which traffic is being dropped.

ZBFW is massive in configuration, you will be typing a lot. It is easy to get confused and mix things. Name things intuitively, name class-maps CM_INSIDE_PROTOCOLS, name policy-maps PM_INSIDE_TO_OUTSIDE or names similar to that. If you don’t you will easily get lost after a while due to the massive config.

Packet counters for ZBFW can’t be trusted, this seems to be due to a bug. Verify by pinging or telneting to create traffic.

Use Notepad when creating the config, it is faster and less prone to errors.

All traffic flows are unidirectional so we need to create zone pairs for both directions depending if we want traffic to flow both ways.

We can have three different actions for traffic in the policy-maps.

Pass – Traffic gets through but not return traffic is permitted. Useful for “stateless” protocols like RIP
Inspect – Allow traffic through and also allow the return traffic back.
Drop – Drop the traffic

If we have a policy-map that allows some traffic through, the rest of the traffic not matching any class will be implicitly dropped, this is even if we don’t specify a class class-default.

That are the most important things you need to be aware of when configuring this feature.

Quick notes on Zone Based Policy Firewall (ZBFW)
Tagged on:             

3 thoughts on “Quick notes on Zone Based Policy Firewall (ZBFW)

  • February 15, 2012 at 12:33 am


    For the self zone, you can inspect h323 too!

    • February 15, 2012 at 8:16 am

      Yes, that’s true. I just mentioned the protocols I remembered, are you prepping for the lab?

  • February 15, 2012 at 6:20 pm

    Damn! was here to read the article and saw the advertisement displaying a hamburger, now feeling hungry 😛


Leave a Reply

Your email address will not be published. Required fields are marked *