https://community.cisco.com/t5/network-security/zone-firewall-policy-configuration/m-p/1581542#M559228 <P>Hi</P><P></P><P>I'm currently using classic CBAC/inspect FW configuration on my 1801 router. I would like to implement a ZFW config. ZWF is new to me, I've read "Zone-Based Policy Firewall Design and Application Guide" &amp; am a bit confused.</P><P></P><P>The following questions arise:</P><P></P><P>1. In the above guide on pg 19 (bottom) it states "HTTP Application Inspection (similar to other types of Application Inspection) can only be applied to HTTP traffic.Thus, you must define Layer 7 class-maps and policy-maps for specific HTTP traffic, then define a Layer-4 class-map specifically for HTTP, and apply the Layer-7 policy to HTTP inspection in a Layer-4 policy-map".</P><P></P><P>What isconfusing is that several L7 configuration examples are very different. One shows only L7 cmap &amp; pmap (example pg.13).Another example shows a config with an L7 cmap/pmap, with a L4 cmap/pmap defined (exmaple pg 19). Please help clarify.&nbsp;&nbsp; </P><P></P><P><BR />2. Are all the ZFW parameters such as DoS protection, TCP connection/UDP session timers, and audit-trail logging settings that I want to use put into one (1) large policy parameter map? If so would someone be able to help reoganzie a parameter map based on my "ZFW config" doc.</P><P></P><P>3. Where can I find the syntax for the following:tcp/udp fin &amp; synwait times, inspect reassembly queue length, idle time tcp/udp</P><P></P><P>4. Prior to loading new ZFW config, does CBAC have be unloaded? what is command?</P><P></P><P>My goal is to implement my current CBAC/inspect swttings (see attached config) in the ZFW &amp; lock down the router further if possible.</P><P></P><P><BR />My requirements are:</P><P></P><P>1. implement L7 inspection on the following protocols: HTTP/HTTPS/ESMPT/SMTP/POP3/DNS<BR />2. implement current CBAC/inspect settings if possible and tighten secutiy further if possible.</P><P></P><P>I've put together a draft ZFW config that is probably full of configuration &amp; syntax errors. I would appreciate if some of the FW experts might be able to help me develop a working ZFW config.<BR />Many thanks in advance.</P><P></P><P>Regards</P><P></P><P>Mike</P> Mon, 11 Mar 2019 20:11:51 GMT ms4561 2019-03-11T20:11:51Z https://community.cisco.com/t5/network-security/zone-firewall-policy-configuration/m-p/1581542#M559228 <P>Hi</P><P></P><P>I'm currently using classic CBAC/inspect FW configuration on my 1801 router. I would like to implement a ZFW config. ZWF is new to me, I've read "Zone-Based Policy Firewall Design and Application Guide" &amp; am a bit confused.</P><P></P><P>The following questions arise:</P><P></P><P>1. In the above guide on pg 19 (bottom) it states "HTTP Application Inspection (similar to other types of Application Inspection) can only be applied to HTTP traffic.Thus, you must define Layer 7 class-maps and policy-maps for specific HTTP traffic, then define a Layer-4 class-map specifically for HTTP, and apply the Layer-7 policy to HTTP inspection in a Layer-4 policy-map".</P><P></P><P>What isconfusing is that several L7 configuration examples are very different. One shows only L7 cmap &amp; pmap (example pg.13).Another example shows a config with an L7 cmap/pmap, with a L4 cmap/pmap defined (exmaple pg 19). Please help clarify.&nbsp;&nbsp; </P><P></P><P><BR />2. Are all the ZFW parameters such as DoS protection, TCP connection/UDP session timers, and audit-trail logging settings that I want to use put into one (1) large policy parameter map? If so would someone be able to help reoganzie a parameter map based on my "ZFW config" doc.</P><P></P><P>3. Where can I find the syntax for the following:tcp/udp fin &amp; synwait times, inspect reassembly queue length, idle time tcp/udp</P><P></P><P>4. Prior to loading new ZFW config, does CBAC have be unloaded? what is command?</P><P></P><P>My goal is to implement my current CBAC/inspect swttings (see attached config) in the ZFW &amp; lock down the router further if possible.</P><P></P><P><BR />My requirements are:</P><P></P><P>1. implement L7 inspection on the following protocols: HTTP/HTTPS/ESMPT/SMTP/POP3/DNS<BR />2. implement current CBAC/inspect settings if possible and tighten secutiy further if possible.</P><P></P><P>I've put together a draft ZFW config that is probably full of configuration &amp; syntax errors. I would appreciate if some of the FW experts might be able to help me develop a working ZFW config.<BR />Many thanks in advance.</P><P></P><P>Regards</P><P></P><P>Mike</P> Mon, 11 Mar 2019 20:11:51 GMT https://community.cisco.com/t5/network-security/zone-firewall-policy-configuration/m-p/1581542#M559228 ms4561 2019-03-11T20:11:51Z https://community.cisco.com/t5/network-security/zone-firewall-policy-configuration/m-p/1581543#M559230 <HTML><HEAD></HEAD><BODY><P>Pls. follow this link.</P><P><A href="https://community.cisco.com/docs/DOC-8028">https://supportforums.cisco.com/docs/DOC-8028</A></P><P></P><P>You may not be doing Trend content filtering but, it certainly goes over how to configure L7 inspection.</P><P>It also has parameter map configuration sample.</P><P></P><P>Removing old cbac command</P><P>sh run | i inspect</P><P></P><P>sh run int e0/0</P><P></P><P>if you have any ip inspect commands configured you can remove them from the global configuration as well as interface configuration.</P><P></P><P>-KS</P></BODY></HTML> Sat, 09 Apr 2011 23:12:25 GMT https://community.cisco.com/t5/network-security/zone-firewall-policy-configuration/m-p/1581543#M559230 Kureli Sankar 2011-04-09T23:12:25Z