Zone-based firewall
A zone-based firewall is an advanced form of stateful firewall. In a stateful firewall, an entry containing the source IP address, destination IP address, source port number and destination port number is maintained in the stateful database for traffic generated by the trusted (private) network. Using this stateful database, only traffic that belongs to sessions initiated by the private (trusted) network, including the replies, is allowed back in.
Zone-based firewall procedure:
- Create zones and assign an interface to each. In a zone-based firewall, logical zones are created and each interface is assigned to a zone. By default, traffic from one zone to another is not allowed.
- Create a class-map. After creating the zones, a class-map is made which identifies the type of traffic, such as ICMP, to which the policy will be applied.
- Create a policy-map and assign the class-map to it. After identifying the type of traffic in the class-map, we define what action must be taken on that traffic. The action can be:
  - Inspect: the same as CBAC inspection, i.e. the only traffic allowed in from the outside network is the return traffic of sessions that were inspected on their way out from the inside (trusted) network.
  - Drop: the default action for all traffic. A class-map configured in a policy-map can be set to drop unwanted traffic.
  - Pass: allows traffic from one zone to another. Unlike the inspect action, it does not create a session state for the traffic, so if traffic in the opposite direction must also be allowed, a corresponding policy has to be created for that direction.
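To make the three actions concrete, here is an added example (not code from the original page, and not Cisco's implementation) that models a zone-based firewall in Python: interfaces are assigned to zones, each zone pair holds a list of (class, action) entries, and only the inspect action records the 5-tuple in a session table, so replies to inspected traffic are admitted while unsolicited inbound traffic and replies to traffic that was merely passed are dropped. The zone names, interface names, addresses and ports are constructed for the illustration.

```python
# Added illustration (not the original page's code or Cisco's): a minimal model of
# how a zone-based firewall decides what to do with a packet travelling between
# two zones. Zone names, interface names and addresses are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a connection: the 5-tuple kept in the stateful table."""
    src_ip: str
    dst_ip: str
    proto: str        # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


class ZoneBasedFirewall:
    def __init__(self):
        self.zones = {}        # interface name -> zone name
        self.policies = {}     # (src_zone, dst_zone) -> [(matcher, action), ...]
        self.sessions = set()  # flows that the inspect action has admitted

    def assign_interface(self, interface, zone):
        self.zones[interface] = zone

    def add_policy(self, src_zone, dst_zone, matcher, action):
        """matcher plays the role of a class map; action is inspect, pass or drop."""
        assert action in ("inspect", "pass", "drop")
        self.policies.setdefault((src_zone, dst_zone), []).append((matcher, action))

    def evaluate(self, in_if, out_if, flow):
        src_zone, dst_zone = self.zones.get(in_if), self.zones.get(out_if)
        if src_zone is None or dst_zone is None:
            return "drop"          # a zone member never talks to an interface outside all zones
        if src_zone == dst_zone:
            return "pass"          # traffic within one zone is not policed
        if flow.reverse() in self.sessions:
            return "pass"          # reply to an inspected session: admitted by state, no policy needed
        for matcher, action in self.policies.get((src_zone, dst_zone), []):
            if matcher(flow):
                if action == "inspect":
                    self.sessions.add(flow)   # only inspect records state; pass does not
                return action
        return "drop"              # class-default: drop everything not matched


def demo():
    """Constructed scenario: INSIDE may start HTTP (inspected) and NTP (passed) to OUTSIDE."""
    fw = ZoneBasedFirewall()
    fw.assign_interface("Gi0/0", "INSIDE")
    fw.assign_interface("Gi0/1", "OUTSIDE")
    fw.add_policy("INSIDE", "OUTSIDE", lambda f: f.proto == "tcp" and f.dst_port == 80, "inspect")
    fw.add_policy("INSIDE", "OUTSIDE", lambda f: f.proto == "udp" and f.dst_port == 123, "pass")

    http = Flow("172.31.1.10", "203.0.113.5", "tcp", 40000, 80)
    ntp = Flow("172.31.1.10", "203.0.113.5", "udp", 40001, 123)
    probe = Flow("203.0.113.5", "172.31.1.10", "tcp", 5555, 22)   # unsolicited inbound
    return {
        "http_out": fw.evaluate("Gi0/0", "Gi0/1", http),             # inspect -> session recorded
        "http_reply": fw.evaluate("Gi0/1", "Gi0/0", http.reverse()),  # admitted by the session
        "ntp_out": fw.evaluate("Gi0/0", "Gi0/1", ntp),               # pass -> no session
        "ntp_reply": fw.evaluate("Gi0/1", "Gi0/0", ntp.reverse()),    # no state, no OUTSIDE->INSIDE policy
        "unsolicited_in": fw.evaluate("Gi0/1", "Gi0/0", probe),
        "unzoned_if": fw.evaluate("Gi0/2", "Gi0/1", http),           # Gi0/2 belongs to no zone
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `ntp_reply` result is the practical difference between pass and inspect: passed traffic leaves no state behind, so a second zone pair and policy for OUTSIDE to INSIDE would be needed for the NTP answer to get through.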
The configuration tasks you need to follow are:
- Configure zones.
- Assign router interfaces to zones.
- Create zone pairs.
- Configure the interzone access policy (class maps and policy maps).
- Apply policy maps to zone pairs.
Task 1 : Configure Zones
zone security INSIDE
zone security OUTSIDE
Task 2 : Assign Router Interfaces to Zones (the interface names below are placeholders; the original does not name them)
interface <INSIDE-INTERFACE>
 zone-member security INSIDE
interface <OUTSIDE-INTERFACE>
 zone-member security OUTSIDE
Task 3 : Create Zone Pairs
Zone pairs are created to connect the zones. If you want two zones to communicate, you have to create a zone pair between them. In our scenario the traffic flows in one direction:
- INSIDE to OUTSIDE
Task 4 : Configure Interzone Access Policy
Class maps sort the traffic based on the following criteria:
3.) A subordinate class map.
So first we need to create an ACL and associate it with the class map.
ip access-list extended OUTBOUND-INSIDE-MERAKI-MGMT
 remark Next 24 lines – Meraki-Mgmt
 permit udp 172.31.0.0 0.0.255.255 host 126.96.36.199 eq 7351
 permit udp 172.31.0.0 0.0.255.255 host 188.8.131.52 eq 9350
 permit tcp 172.31.0.0 0.0.255.255 host 184.108.40.206 eq 80
 permit tcp 172.31.0.0 0.0.255.255 host 220.127.116.11 eq 443
 permit tcp 172.31.0.0 0.0.255.255 host 18.104.22.168 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 host 22.214.171.124 eq 7752
 permit udp 172.31.0.0 0.0.255.255 any eq 123
 permit udp 172.31.0.0 0.0.255.255 host 126.96.36.199 eq 53
 permit icmp 172.31.0.0 0.0.255.255 host 188.8.131.52
! match-any would let any TCP, UDP or ICMP flow match regardless of the ACL;
! match-all with the protocols in a subordinate class map enforces both.
class-map type inspect match-any MERAKI-MGMT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUTBOUND-INSIDE-MERAKI-MGMT
 match access-group name OUTBOUND-INSIDE-MERAKI-MGMT
 match class-map MERAKI-MGMT-PROTOCOLS
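The following added example (not from the original page or from Cisco) evaluates a subset of the ACL above and the two class-map modes in Python, with wildcard-mask matching and the implicit deny at the end of every IOS ACL. It shows that a constructed flow the ACL does not list (TCP to port 22) still matches a match-any class map that contains `match protocol tcp`, whereas a match-all class map only matches when the ACL also permits the flow. The sample flows, the 198.51.100.7 address and the parser's restriction to destination ports are assumptions made for the example.

```python
# Added illustration (not the original page's code or Cisco's): evaluates the
# extended ACL and the class-map semantics of the configuration above in plain
# Python, to show why match-any and match-all give different results.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip proto src_port dst_port")

# Subset of the page's ACL, embedded here as sample input (remarks are skipped).
ACL_TEXT = """\
remark Next 24 lines - Meraki-Mgmt
permit udp 172.31.0.0 0.0.255.255 host 126.96.36.199 eq 7351
permit tcp 172.31.0.0 0.0.255.255 host 184.108.40.206 eq 80
permit udp 172.31.0.0 0.0.255.255 any eq 123
permit icmp 172.31.0.0 0.0.255.255 host 188.8.131.52
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' where SRC/DST is
    'any', 'host A.B.C.D' or 'NET WILDCARD'. Only a destination port is
    handled, which is all the page's ACL uses (assumption of this example)."""
    tok = line.split()
    pos = 2

    def addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return 0, 0xFFFFFFFF          # wildcard all ones: every bit is "don't care"
        if tok[pos] == "host":
            pos += 2
            return _ip(tok[pos - 1]), 0   # wildcard zero: exact match
        pos += 2
        return _ip(tok[pos - 2]), _ip(tok[pos - 1])

    src, dst = addr(), addr()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport}


def _addr_match(ip, net_wc):
    net, wc = net_wc                       # a 1 bit in the wildcard means "don't care"
    return (ip & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def acl_permits(aces, f):
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if a["proto"] not in ("ip", f.proto):
            continue
        if not (_addr_match(_ip(f.src_ip), a["src"]) and _addr_match(_ip(f.dst_ip), a["dst"])):
            continue
        if a["dport"] is not None and a["dport"] != f.dst_port:
            continue
        return a["action"] == "permit"
    return False


def class_matches(mode, criteria, f):
    """match-any: at least one criterion hits; match-all: every criterion hits."""
    hits = [c(f) for c in criteria]
    return any(hits) if mode == "match-any" else all(hits)


def demo():
    aces = [parse_ace(l) for l in ACL_TEXT.splitlines() if l and not l.startswith("remark")]

    def by_acl(f):
        return acl_permits(aces, f)

    def by_protocol(f):                      # stands in for the three 'match protocol' lines
        return f.proto in ("tcp", "udp", "icmp")

    meraki = Flow("172.31.5.20", "126.96.36.199", "udp", 40000, 7351)   # listed in the ACL
    ssh = Flow("172.31.5.20", "198.51.100.7", "tcp", 40001, 22)         # not listed (constructed)
    return {
        "meraki_acl": by_acl(meraki),
        "ssh_acl": by_acl(ssh),
        "ssh_match_any": class_matches("match-any", [by_acl, by_protocol], ssh),
        "ssh_match_all": class_matches("match-all", [by_acl, by_protocol], ssh),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`ssh_match_any` being true while `ssh_acl` is false is the whole point: in a match-any class map the `match protocol` lines alone are enough to classify a flow, so the ACL adds nothing to the decision.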
Task 5: Policy-Map Configuration
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect OUTBOUND-INSIDE-MERAKI-MGMT
  inspect
Task 6 : Apply policy maps to zone pairs
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
That completes the basic configuration of a zone-based firewall.
You can use the commands below for basic troubleshooting and verification.
a.) Show commands
show class-map type inspect
show policy-map type inspect
show zone-pair security
show policy-map type inspect zone-pair sessions
b.) Debug Commands
debug policy-firewall detail
debug policy-firewall events
debug policy-firewall protocol tcp
debug policy-firewall protocol udp