Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1292
Views
5
Helpful
2
Replies

Best/safest way to deconfigure zone-based firewall

Go to solution
ken.vance
Level 1
Level 1

‎10-12-2019 07:56 AM

Hi All,

 

We have a Cisco 1941 running IOS 15.5M and the Zone Based Firewall with inspect rules.

I need to de-configure zone-based firewall completely off the router.

 

Unfortunately I have only remote connectivity.

 

What is the best way to do this?

 

Does anyone have any suggestions?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎10-12-2019 02:36 PM

I have not been able to find any documentation that says the platform inspect disable-all command is supported on the IOS15.5M.

 

However, by default all traffic to the router itself is allowed.  So, if you do not have any policies that go to the "self" zone, you should not lose connectivity.

 

If you do have policies that go to the self zone, then I would suggest leaving those for last, before you remove them set a reload in 6 so that if you do lose connectivity the router will reload and your changes will be set back and you wont have to go onsite or have someone go onsite for console access.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

2 Replies 2

Go to solution
ken.vance
Level 1
Level 1

‎10-12-2019 08:02 AM

Hi All,

 

Just to clarify, I notice in IOS-XE there is the command 'platform inspect disable-all 'command

 

Is there the equivalent in IOS 15.5M?

 

After removing ACLs from interfaces, is there a better way if it doesn't exist?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎10-12-2019 02:36 PM

I have not been able to find any documentation that says the platform inspect disable-all command is supported on the IOS15.5M.

 

However, by default all traffic to the router itself is allowed.  So, if you do not have any policies that go to the "self" zone, you should not lose connectivity.

 

If you do have policies that go to the self zone, then I would suggest leaving those for last, before you remove them set a reload in 6 so that if you do lose connectivity the router will reload and your changes will be set back and you wont have to go onsite or have someone go onsite for console access.

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card