Beginner

How to update Zone Based Firewall policy?

I have a ZBFW policy:

policy-map type inspect mypolicy
 class type inspect whitelist
  pass
 class type inspect everything
  inspect

But what if I need to add a new class-map:

policy-map type inspect mypolicy
 class type inspect whitelist
  pass
 class type inspect blacklist
  drop
 class type inspect everything
  inspect

How can I do it without removing mypolicy and recreating it again? If I remove mypolicy, it will also remove its reference within zone pairs. It is a PITA.

VIP Advisor

Re: How to update Zone Based Firewall policy?

Hi,

You don't need to remove the policy-map in order to add a class-map. You just need to edit the policy-map, add the class-map and potentially temporarily remove/re-add a class-map until you get the order you desire. Editing the policy-map therefore won't remove the zone-pairs.

HTH

Beginner

Re: How to update Zone Based Firewall policy?

You correctly pointed out that I don't need to remove the policy-map.

However, in order to do what I want, I still need to remove "class type inspect everything", leaving myself unprotected and also dropping traffic, add "class type inspect blacklist" and add back "class type inspect everything". This will get significantly complicated if I have more than a few classes within policy-map. Is there no way to edit the policy-map by specifying the order?

VIP Advisor

Re: How to update Zone Based Firewall policy?

No, not for ZBFW policy-maps that I am aware of. If you need further clarification you should log a TAC call.
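
The remove/re-add procedure discussed in this thread, as an added example that is not part of any poster's reply: a small Python planner that emits the config lines needed to place a new class ahead of an existing one, generalized to any number of trailing classes. The function name `plan_insert` and its parameters are hypothetical, and it assumes, as the thread describes, that a newly added class lands after the classes already in the policy-map.

```python
# Added example (not from the thread). Assumption taken from the thread:
# a class added to an existing ZBFW policy-map is placed after the classes
# already there, so every class that must follow the new one has to be
# removed and then re-added in order.

def plan_insert(policy, classes, new_class, new_action, before):
    """Return the config-mode lines that insert new_class ahead of `before`.

    policy  -- policy-map name, e.g. "mypolicy"
    classes -- current ordered list of (class_name, action) tuples
    before  -- name of the existing class the new one must precede
    """
    names = [name for name, _ in classes]
    if new_class in names:
        raise ValueError(f"class {new_class!r} is already in {policy!r}")
    if before not in names:
        raise ValueError(f"class {before!r} is not in {policy!r}")

    # Only the classes from `before` onward need to be touched; everything
    # ahead of it keeps its position and is never removed.
    tail = classes[names.index(before):]

    cmds = [f"policy-map type inspect {policy}"]
    for name, _ in tail:
        cmds.append(f" no class type inspect {name}")
    for name, action in [(new_class, new_action)] + tail:
        cmds.append(f" class type inspect {name}")
        cmds.append(f"  {action}")
    return cmds


if __name__ == "__main__":
    # The policy from the original post, with "blacklist" to be inserted
    # ahead of "everything".
    current = [("whitelist", "pass"), ("everything", "inspect")]
    for line in plan_insert("mypolicy", current, "blacklist", "drop",
                            before="everything"):
        print(line)
```

Reviewing the generated lines before pasting them shows exactly which classes are absent from the policy-map while the change is applied, so the edit can be scheduled and applied in one paste rather than typed step by step.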