When configuring ZBFW, I have configs like this:
policy-map type inspect MYPMAP
 class type inspect everything
  inspect
If I configure a bypass rule, it will be appended at the end, after everything but before class-default. Is there a way to add a classification before an existing class without removing the existing classification rule?
There is a problem, though. Removing inspect rules could have the effect of locking myself out. I will need to put the commands in a file and use the copy to running-config method. It will also mean that the system is not protected the way it was meant to be. I am surprised that there is no way to insert, considering even ACLs have line numbers now.
@Mohammed al Baqari wrote:
You can create a bypass rule for mgmt access. This can be at the bottom.
Usually mgmt access isn't inspected.
How does that work? I thought ZBFW enforcement orders are always top to bottom.