Zone-based firewall

A zone-based firewall is an advanced form of stateful firewall. A stateful firewall records, for every connection initiated from the trusted (private) network, an entry containing the source IP address, destination IP address, source port number and destination port number in its stateful database. Only traffic that matches an entry in that database, i.e. the replies to connections the private (trusted) network opened, is allowed back in.

Zone-based Firewall procedure:

  1. Create zones and assign interfaces to them – In a zone-based firewall, logical zones are created and each interface is assigned to a zone. By default, traffic from one zone to another is not allowed.
  2. Create a class-map – After creating the zones, a class-map is made which identifies the type of traffic, such as ICMP, on which the policy will be applied.
  3. Create a policy-map and assign the class-map to it – After identifying the type of traffic in the class-map, we have to define what action must be taken on that traffic. The action can be:
    • Inspect: This is the same as CBAC inspection, i.e. the only traffic allowed in from the outside network is traffic that belongs to an inspected session (the return traffic of the inside (trusted) network).
    • Drop: This is the default action for all traffic. A class-map configured in a policy-map can be set to drop unwanted traffic.
    • Pass: This allows traffic from one zone to another. Unlike the inspect action, it does not create a session state for the traffic, so if traffic from the opposite direction must also be allowed, a corresponding policy has to be created for it.

The configuration tasks to follow are:

  1. Configure Zones.
  2. Assign Router Interfaces to zones.
  3. Create Zone Pairs.
  4. Configure Interzone Access Policy (Class Maps & Policy Maps)
  5. Apply Policy Maps to Zone Pairs.

Task 1 : Configure Zones

zone security INSIDE
zone security OUTSIDE

Task 2 : Assign Router Interfaces to Zones

interface GigabitEthernet0/0/1
 zone-member security INSIDE

The WAN-facing interface is assigned to the OUTSIDE zone in the same way.

Task 3 : Create Zone Pairs

Zone pairs connect the zones. If you want two zones to communicate, you have to create a zone pair for that direction of traffic. In our scenario the traffic flows between:

  • INSIDE to OUTSIDE

Task 4 : Configure Interzone Access Policy

A class map sorts the traffic based on the following criteria:

1.) Access-group
2.) Protocol
3.) A subordinate class map

So first we need to create an ACL and associate it with the class map.

ip access-list extended OUTBOUND-INSIDE-MERAKI-MGMT
 remark Next 24 lines – Meraki-Mgmt
 permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 7351
 permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 9350
 permit udp 172.31.0.0 0.0.255.255 208.161.147.0 0.0.0.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 208.161.147.0 0.0.0.255 eq 9350
 permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 199.231.78.0 0.0.0.255 eq 9350
 permit udp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7351
 permit udp 172.31.0.0 0.0.255.255 208.206.48.0 0.0.15.255 eq 9350
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 80
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 443
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 host 64.62.142.2 eq 7752
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 80
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 443
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 108.161.147.0 0.0.0.255 eq 7752
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 80
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 443
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7734
 permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 7752
 permit udp 172.31.0.0 0.0.255.255 any eq 123
 permit udp 172.31.0.0 0.0.255.255 host 8.8.8.8 eq 53
 permit icmp 172.31.0.0 0.0.255.255 host 8.8.8.8
 permit icmp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255

Note that a match-any class map matches a packet as soon as any one criterion holds, so listing the access-group together with match protocol tcp, udp and icmp in a single match-any class would admit every TCP, UDP and ICMP flow and make the ACL irrelevant. Putting the protocol criteria in a subordinate class map (named MERAKI-MGMT-PROTOCOLS here) and requiring both the access-group and that class with match-all keeps the inspection scoped to the Meraki management traffic:

class-map type inspect match-any MERAKI-MGMT-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUTBOUND-INSIDE-MERAKI-MGMT
 match access-group name OUTBOUND-INSIDE-MERAKI-MGMT
 match class-map MERAKI-MGMT-PROTOCOLS
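As an added example (Python written for this page, not the post's or Cisco's code), the following evaluates a constructed excerpt of the ACL above with IOS wildcard-mask semantics and then models how a class map combines the access-group criterion with the protocol criteria, showing why match-any accepts any TCP flow while match-all confines the class to ACL-permitted traffic:

```python
# Added example (not the post's code): IOS ACL wildcard-mask matching and class-map match-any/match-all logic.
import ipaddress

# Constructed excerpt of the post's OUTBOUND-INSIDE-MERAKI-MGMT list.
SAMPLE_ACL = """
permit udp 172.31.0.0 0.0.255.255 host 64.62.142.12 eq 7351
permit tcp 172.31.0.0 0.0.255.255 209.206.48.0 0.0.15.255 eq 443
permit udp 172.31.0.0 0.0.255.255 any eq 123
permit icmp 172.31.0.0 0.0.255.255 host 8.8.8.8
"""
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines into ACE tuples (remarks skipped)."""
    aces = []
    for t in (line.split() for line in text.strip().splitlines()):
        if not t or t[0] == "remark":
            continue
        src, swc, rest = _addr(t[2:])
        dst, dwc, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((t[0] == "permit", t[1], src, swc, dst, dwc, port))
    return aces

def acl_permits(aces, proto, src, dst, dport=None):
    """First matching ACE decides; an IOS ACL ends with an implicit 'deny any'."""
    s, d = _ip(src), _ip(dst)
    for permit, p, a_src, swc, a_dst, dwc, port in aces:
        # Wildcard bit 1 = "don't care": compare only the bits where the mask is 0.
        if (p == proto and ((s ^ a_src) & ~swc) == 0 and ((d ^ a_dst) & ~dwc) == 0
                and (port is None or port == dport)):
            return permit
    return False

def class_matches(mode, aces, protocols, flow):
    """'match-any' is a logical OR over the criteria, 'match-all' a logical AND."""
    criteria = [acl_permits(aces, *flow), flow[0] in protocols]
    return any(criteria) if mode == "match-any" else all(criteria)

ACES = parse_acl(SAMPLE_ACL)
SMTP = ("tcp", "172.31.1.1", "203.0.113.5", 25)  # constructed flow the ACL never permits
```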

Task 5 : Policy-Map Configuration

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect OUTBOUND-INSIDE-MERAKI-MGMT
  inspect

Traffic that does not match the class falls into class-default, which drops it (the default action described above).

Task 6 : Apply Policy Maps to Zone Pairs

zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Because the policy uses the inspect action, the return traffic of these sessions is allowed back from OUTSIDE to INSIDE without a second zone pair.

That completes the basic configuration of a zone-based firewall.

Troubleshooting

You can use the commands below to perform some basic troubleshooting and verification.

a.) Show commands

show class-map type inspect
show policy-map type inspect
show zone-pair security

b.) Debug commands

debug policy-firewall detail
debug policy-firewall events
debug policy-firewall protocol tcp
debug policy-firewall protocol udp

Debug output is verbose; on a production router enable it only for the time needed and turn it off with undebug all when finished.