topic Re: ZBFW Default Inspection Specification in Network Security

ZBFW Default Inspection Specification

williampa1980 — Mon, 11 Mar 2019 20:30:31 GMT

This may be a newbie question but I've been going at it for a few days now. I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.

I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.

Any assistance will be greatly appreciated.

Regards,

Will

Re: ZBFW Default Inspection Specification

Jitendra Siyag — Mon, 09 May 2011 07:10:37 GMT

Hi Will,

plz find below the link for ZBF implementation for HTTP and various protocols. it has some config examples also.

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1122809

hope this helps.

Re: ZBFW Default Inspection Specification

williampa1980 — Mon, 09 May 2011 10:16:48 GMT

Thanks, but it appears that either I don't have permission to view the link or the link is invalid. I've read throught most of the implementation guides out there and all is well so far. I just need to know what's going on under the hood by default.

Re: ZBFW Default Inspection Specification

Jitendra Siyag — Mon, 09 May 2011 10:47:02 GMT

i hv downloaded and attached the chapter.

and speaking of default config, when you create zones and assign interfaces. then only hte traffic that you matched in the class map will be permitted/dropped (based on action selected). rest all traffic will be dropped by default. as it automatically creates a class named class-default which matches all the other traffic.

you can configure advanced inspection for the protocols using the protocol specific class maps. like http header length check, contect type, request method, url, port misuse etc.

Re: ZBFW Default Inspection Specification

williampa1980 — Mon, 09 May 2011 12:36:07 GMT

I'm not sure why I couldn't get to this on my own but thank you very much. This provides a bit more detailed information which will certainly help me out.