topic Re: ZBF zone based firewall on ASR 1000 in Network Security

ZBF zone based firewall on ASR 1000

a.ascione — Fri, 21 Feb 2020 16:15:31 GMT

Group any idea how this could happen in zone based firewall:

sh policy-map type inspect zone-pair sessions

Zone-pair: Guest->Internet
Service-policy inspect : Guest_to_Internet

Class-map: Guest_Protocols (match-any)
Match: protocol http
Match: protocol https
Match: protocol dns
Match: protocol bootpc
Match: protocol bootps
Match: access-group name permitany
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Pass
2242890 packets, 1858326904 bytes

As you can see I get no matches on the first part of my policy map (Class-map: Guest_Protocols) although the users in the "Guest" zone are able to surf...

Any ideas how I could troubleshoot this ?

Thanks in advance for your suggestions.

Re: ZBF zone based firewall on ASR 1000

Mohammed al Baqari — Wed, 19 Sep 2018 11:01:45 GMT

Can you get the output of the following

show policy-firewall session platform tcp destination-port 80 detail

show policy-firewall config platform

Re: ZBF zone based firewall on ASR 1000

a.ascione — Thu, 20 Sep 2018 07:22:56 GMT

Hi Mohammed,

thank you for your quick reply.

It seems that the show policy-firewall sessions platform remains empty.

So the command that you are asking is obiously also empty.

But that is probably because the packets are not matching on inspect rules.

The second command gives a very long output; I'm adding it in attachment.

thx

Re: ZBF zone based firewall on ASR 1000

Mohammed al Baqari — Wed, 19 Sep 2018 16:46:04 GMT

I don't see any attachment

Re: ZBF zone based firewall on ASR 1000

a.ascione — Thu, 20 Sep 2018 07:23:39 GMT

sorry, it is ok now I have added it to the original message.

regards

Re: ZBF zone based firewall on ASR 1000

a.ascione — Tue, 02 Oct 2018 09:50:56 GMT

The problem was solved with a reboot of the router