
Inserting class-map to ZBFW service policy

pingduck
Level 1

When configuring ZBFW, I have configs like this:

policy-map type inspect MYPMAP
 class type inspect everything
  inspect

If I configure a bypass rule, it will be appended at the end, after everything but before class-default. Is there a way to add a classification before an existing class without removing the existing classification rule?

4 Replies

No, you need to remove the old class and add both in the order you prefer.
If you prepare the config in a text file then it should take seconds to append.
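
One way to prepare that text file, as an added example that is not part of the original thread: a Python helper that reads a policy-map block and emits the remove and re-add commands that place a new class ahead of an existing one. It goes beyond the two-class case in the thread by handling any number of classes; the class-map name BYPASS, its `pass` action and the class-default lines in the sample are assumptions.

```python
import re

CLASS_RE = re.compile(r"^\s*class (?:type inspect )?(\S+)\s*$")

# Constructed sample: the policy-map from the question plus an explicit class-default.
SAMPLE = """\
policy-map type inspect MYPMAP
 class type inspect everything
  inspect
 class class-default
  drop
"""

def parse_policy_map(text):
    """Split one policy-map block into its header and [name, class line, actions] entries."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    classes = []
    for line in lines[1:]:
        m = CLASS_RE.match(line)
        if m:
            classes.append([m.group(1), line, []])
        elif classes:
            classes[-1][2].append(line)   # action belonging to the latest class
    return lines[0], classes

def insert_before(text, target, new_class, new_actions):
    """Return the commands that put new_class ahead of the class named target."""
    header, classes = parse_policy_map(text)
    names = [c[0] for c in classes]
    if target not in names:
        raise ValueError(f"class {target!r} is not in the policy-map")
    # A new class lands just above class-default, so the target and every class
    # after it must be removed and re-entered behind the new one.
    tail = [c for c in classes[names.index(target):] if c[0] != "class-default"]
    out = [header]
    out += [f" no {line}" for _, line, _ in tail]
    out.append(f" class type inspect {new_class}")
    out += [f"  {a}" for a in new_actions]
    for _, line, actions in tail:
        out.append(f" {line}")
        out += [f"  {a}" for a in actions]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # BYPASS is a hypothetical class-map name; it must already exist on the router.
    print(insert_before(SAMPLE, "everything", "BYPASS", ["pass"]), end="")
```

The generated lines can be saved to a file and reviewed before they are applied to the device.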

There is a problem though. Removing inspect rules could have the effect of locking myself out. I will need to apply the commands in a file and use the copy to running-config method. Also, it will mean that the system is not protected the way it was meant to be. I am surprised that there is no way to insert, considering even ACLs have line numbers now.

You can create a bypass rule for mgmt access. This can be at the bottom.
Usually mgmt access isn't inspected.


@Mohammed al Baqari wrote:
You can create a bypass rule for mgmt access. This can be at the bottom.
Usually mgmt access isn't inspected.

How does that work? I thought ZBFW enforcement orders are always top to bottom. 
