Beginner

Inserting class-map to ZBFW service policy

When configuring ZBFW, I have configs like this:

policy-map type inspect MYPMAP
 class type inspect everything
  inspect

If I configure a bypass rule, it will be appended at the end, after everything but before class-default. Is there a way to add a classification before an existing class without removing the existing classification rule?

VIP Advisor

Re: Inserting class-map to ZBFW service policy

No, you need to remove the old class and add both in the order you prefer.
If you prepare the config in a text file then it should take seconds to append.
Beginner

Re: Inserting class-map to ZBFW service policy

There is a problem though. Removing inspect rules could have the effect of locking myself out. I will need to put the commands in a file and use the copy to running-config method. It will also mean that the system is not protected the way it was meant to be. I am surprised that there is no way to insert, considering even ACLs have line numbers now.
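The remove-and-re-add procedure from the replies above, as an added example that is not part of the original thread: a small Python generator that reads the current policy-map text and writes the command file to apply in one pass with the copy to running-config method. The class-map name `BYPASS`, the `drop` action on class-default in the sample, and the function names are assumptions made for illustration.

```python
# Added example: builds the command file for the remove-and-re-add reorder.
# Constructed sample of the policy-map from the question (class-default action assumed).
SAMPLE = """\
policy-map type inspect MYPMAP
 class type inspect everything
  inspect
 class class-default
  drop
"""

def parse_policy_map(config, name):
    """Return [(class_line, [action_lines])] for one inspect policy-map."""
    classes, inside = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):  # top-level line starts or ends a block
            inside = raw.split() == ["policy-map", "type", "inspect", name]
            continue
        if not inside:
            continue
        line = raw.strip()
        if line.startswith("class "):
            classes.append((line, []))
        elif classes:
            classes[-1][1].append(line)
    return classes

def build_reorder(config, pmap, before, new_class, new_action):
    """Emit commands that place new_class ahead of the class named `before`."""
    classes = [c for c in parse_policy_map(config, pmap)
               if c[0] != "class class-default"]  # class-default always stays last
    names = [cls for cls, _ in classes]
    target = f"class type inspect {before}"
    if target not in names:
        raise ValueError(f"{target!r} not found in policy-map {pmap}")
    tail = classes[names.index(target):]  # everything that must move down
    out = [f"policy-map type inspect {pmap}"]
    out += [f" no {cls}" for cls, _ in tail]
    for cls, actions in [(f"class type inspect {new_class}", [new_action])] + tail:
        out.append(f" {cls}")
        out += [f"  {action}" for action in actions]
    out.append("end")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # BYPASS is a hypothetical class-map name; "pass" is the ZBFW bypass action.
    print(build_reorder(SAMPLE, "MYPMAP", "everything", "BYPASS", "pass"))
```

Every class from the insertion point down is removed and re-added with its original actions, so the file should be reviewed against the running policy before it is applied.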

VIP Advisor

Re: Inserting class-map to ZBFW service policy

You can create a bypass rule for mgmt access. This can be at the bottom.
Usually mgmt access isn't inspected.
Beginner

Re: Inserting class-map to ZBFW service policy


@Mohammed al Baqari wrote:
You can create a bypass rule for mgmt access. This can be at the bottom.
Usually mgmt access isn't inspected.

How does that work? I thought ZBFW enforcement orders are always top to bottom.