topic Zone Based Firewall allowing unwanted traffic in Network Security

Zone Based Firewall allowing unwanted traffic

ty.masse — Tue, 12 Mar 2019 03:00:41 GMT

I'm testing zone based firewall zbf in preperation to deploy. However I'm running into an issue that I need assistance with. I've attached a copy of my test topology for reference. But to explain I have this environment:

PCs - Servers - Registers - Vendors

I have eigrp configured on to take traffic to HQ (R4) with a vti interface as backup in case the primary goes down.

I also have a public interface on R1 for internet traffic.

I have created sub-interfaces and placed these respective systems in their own vlan. I'm doing routing on a stick for the routing.

Here is what I need to accomplish:

The vendors cannot talk to anything except inbound and outbound internet traffic (public zone)

Servers and PC's can talk to each other

registers and server can talk to each other. So pc and registeres cannot talk to each other.

I don't want to restrict based on ACL. So I'm allowing pretty much anything in my policy.

When I ping between an unauthorized zone, for example vendor to store, It acts like it's not allowing it. Which is what I want. I get 4 request time outs. However if I up arrow and try again I get replies. Allowing traffic between two unauthorized zones.

Requesting assistance in getting this issue resolved.

thanks.

Re: Zone Based Firewall allowing unwanted traffic

ty.masse — Mon, 11 Nov 2013 22:15:19 GMT

To the benefit of others. Here is what I found out on the zone based firewall issue I was having.

Everything was setup correctly. However I found out during multiple tests that if you have common zones, all of them will be able to talk to each other.

In my test, I had: pos zone - server zone pc zone - server zone I do not want pos zone - pc zone

However since the server zone is common between pos and pc, all 3 could talk to each other even if you don't have a zone pair for the two zones that you're trying to exclude, even if your policy doesn't explicly allow the zone you're trying to exclude.

That's a big gotcha in zbuf (that's wat I call ZBF) configuration. That issue is not docummented anywhere that I could find.

If there are no common zones zbuf works as intended with no issues.

Fix: Fortunetly the fix to this issue is very simple. This is what I did to fix it.

1. Create an ACL and deny source and destination of the 2 zones you don't want to talk to each other. In my case I explicitely denied traffic from pos to pc and pc to pos. I allowed everything else.

2. Create class map and match that acl.

3. Done.

Now everyting works as intended, and pos and pc traffic vice versa are dropped.

Hope this Helps.

Re: Zone Based Firewall allowing unwanted traffic

Julio Carvajal — Mon, 11 Nov 2013 22:56:06 GMT

Hello Ty,

Just trying to help here

That is the whole purpose of ZBFW. By default traffic within the same zones will be allowed

But what you will love is how on 15.0(1)M intra-support filtering is available for you to go.

So if you want to restrict traffic from host A to host B on zone AB create the right policy and assigned to

zone-pair AB-to-AB source AB destination AB

That's it!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Re: Zone Based Firewall allowing unwanted traffic

ty.masse — Tue, 12 Nov 2013 01:23:36 GMT

Thanks for your reply. I understand that traffic withing the same zone can see each other. However my issue was different. I had three distinct zones. ABC with zone pairs AB and AC. I didn't want BC traffic. The new feature in 15.0 that you described is pretty cool.

Thanks.

Re: Zone Based Firewall allowing unwanted traffic

Julio Carvajal — Tue, 12 Nov 2013 01:36:36 GMT

Not sure I follow this:

I had three distinct zones. ABC with zone pairs AB and AC. I didn't want BC traffic

Be more specific please

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Re: Zone Based Firewall allowing unwanted traffic

ty.masse — Tue, 12 Nov 2013 02:10:55 GMT

Three zones:

zone sec a

zone sec b

zone sec c

int e1

zone-mem sec a

int e2

zone-mem sec b

int e3

zone-mem sec c

zone-pair policy source a destination b

zone-pair policy source a destination c

If my policy is icmp, I can ping between all three. However as I mentioned. I have found a work around. In fact that's the only way it will work.

Hope that make sense.

Thanks.

Re: Zone Based Firewall allowing unwanted traffic

Julio Carvajal — Tue, 12 Nov 2013 02:14:19 GMT

Hello,

So are u saying that fraffic from C to B is allowed with this configuration?? What the heck????

Can U post it? So I can confirm it?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Re: Zone Based Firewall allowing unwanted traffic

ty.masse — Tue, 12 Nov 2013 02:37:18 GMT

Yes. I've attached the configs in my original post. Now keep in mind those interfaces are subinterfaces to route between the three vlans.

Re: Zone Based Firewall allowing unwanted traffic

Julio Carvajal — Tue, 12 Nov 2013 02:53:28 GMT

Hello,

Looks like https://tools.cisco.com/bugsearch/bug/CSCsz36217

Did you try with other traffic than TCP/UDP

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com