topic Re: "policy-map type inspect XX" vs "policy-map XX" in Network Security

"policy-map type inspect XX" vs "policy-map XX", etc

DazOG — Mon, 27 Nov 2023 09:58:38 GMT

I've got a working ZBFW config, but I must admit I'm struggling to understand the differences between these commands:

policy-map type inspect NAME
policy-map NAME
class-map type inspect NAME
class-map NAME

Cisco's documentation says:

When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default default policy action is drop but can be changed to pass. The log option can be added with the drop action. Inspect cannot be applied on class class-default.

..which seems to indicate that policy-map type inspect should be used wherever you've created class-map(s) that have "type inspect" on (or not?)

What isn't clear to me is what combo of policy-map/class-map with or without "type inspect" I should use if I want to just "pass" traffic through?

What happens if I create a policy-map NAME that uses a class-map type inspect NAME ?
What happens if I create a policy-map type inspect NAME that uses a class-map NAME ?
What happens if the class-map action is "inspect" when using class-map NAME ?
What happens if the class-map action is "inspect" when using policy-map NAME ?
What happens if the class-map action is "pass" when policy-map and/or class-map is type inspect? Is "type inspect" redundant here?

Thanks in advance!

Re: "policy-map type inspect XX" vs "policy-map XX"

MHM Cisco World — Mon, 27 Nov 2023 10:02:41 GMT

Key points

Class use to match traffic only' match acl or protocol

Policy use to set action for specific traffic that match class use under it

Class and policy can use for Qos and for security that why we need type inspect in both to specify that this class map use for security not for other.

Re: "policy-map type inspect XX" vs "policy-map XX"

DazOG — Mon, 27 Nov 2023 10:07:05 GMT

Thanks. It's still not very clear to me when I should use "type inspect" on either a policy-map or class-map, or both, and what happens if I don't....

For example, if I have an ACL that allows inbound connections to specific internal hosts on specified TCP/UDP ports, logically that should be "pass" because those target hosts/applications are talking to a specific explicitly defined port? In that instance if I'm not inspecting the incoming traffic - should the class-map and/or policy-map be "type inspect"? What happens if "type inspect" is specified and the action is "pass" ?

Hope that makes sense!

Re: "policy-map type inspect XX" vs "policy-map XX"

MHM Cisco World — Mon, 27 Nov 2023 10:11:43 GMT

Type inspect DONT have any rule with action' it only add as I mention above to different between class/policy use for security and that use for qos/copp.

For action there are three

Pass

Inspect

Drop

Re: "policy-map type inspect XX" vs "policy-map XX"

DazOG — Mon, 27 Nov 2023 10:29:09 GMT

Sorry I still don't understand. I appreciate you trying to help but it's not clear what you're saying...

What is the difference between:

class-map TESTMAP
   match protocol https
policy-map type inspect TESTPOLICY
   class type inspect TESTMAP
      inspect

(This gives a warning of "%No specific protocol configured in class TESTMAP for inspection. All protocols will be inspected")

..and..

class-map type inspect match-all TESTMAP
   match protocol https
policy-map type inspect TESTPOLICY
   class type inspect TESTMAP
      inspect

(This gives no warning)

Thanks.

Re: "policy-map type inspect XX" vs "policy-map XX"

MHM Cisco World — Mon, 27 Nov 2023 10:37:53 GMT

The first example is wrong' you dont specify that class map use for security'

the first one need type inspect' for class map and that why error message appear.

Re: "policy-map type inspect XX" vs "policy-map XX"

DazOG — Mon, 27 Nov 2023 10:40:54 GMT

I assume that is the same if it uses a match access-group (ACL) instead of “match protocol https”?

Re: "policy-map type inspect XX" vs "policy-map XX"

MHM Cisco World — Mon, 27 Nov 2023 10:43:47 GMT

Same if you match acl under class map.

MHM

Re: "policy-map type inspect XX" vs "policy-map XX"

MHM Cisco World — Mon, 27 Nov 2023 11:04:19 GMT

Cisco doc.

Firewalls

Quality of service (QoS) class maps have numerous match criteria; firewalls have fewer match criteria. Firewall class maps are of type inspect and this information controls what shows up under firewall class maps.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html

MHM