Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1201
Views
0
Helpful
5
Replies

Zone Based Firewall - changing rule order in policy-maps

Go to solution
mat_rouch
Level 1
Level 1

‎04-12-2013 08:11 AM - edited ‎03-11-2019 06:27 PM

I have a questions about configuring ZBF at the command line. I need to insert a new class-map into one of my policy-maps.  The new class-map needs to go at the beginning of the list.  How do I move class-maps up and down at the command line?  I've found a couple of documents that show how to do it in one or another GUI environment, but I'm not using any of those.

For reference, my config looks like this:

--------------------------------------------------------------------------------                  

policy-map type inspect inside-to-Transit-policy

class type inspect Standard-Email

  inspect

class type inspect Management-Traffic

  inspect

class type inspect interoffice-traffic-outbound

  inspect

class type inspect WB-to-ANB-traffic-outbound

  inspect

class type inspect Standard-Browsing

  inspect

--------------------------------------------------------------------------------                  

class-map type inspect match-all spiceworks-outbound

match access-group name mgmt-ip-to-spiceworks

--------------------------------------------------------------------------------                  

I need to insert "spiceworks-outbound" in the policy map "Inside-to-Transit-policyy", but it needs to appear above "Management-Traffic" in the list in order to work properly.

Thanks,

-Mat

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎04-12-2013 10:39 AM

Hello Mat_rouch,

if doing it via CLI then you will need to delete the policy-map and then re-configure it with the right order,

There should be a way to do it without this( like with a sequence number but there is none)

regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎04-12-2013 10:39 AM

Hello Mat_rouch,

if doing it via CLI then you will need to delete the policy-map and then re-configure it with the right order,

There should be a way to do it without this( like with a sequence number but there is none)

regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
mat_rouch
Level 1
Level 1
In response to Julio Carvajal

‎04-15-2013 06:43 AM

OK, good to know.  One other question: I have tried using CCP to manage my ZBF, but CCP appears to only allow one dmz to be defined.  I need more than one.  Is there another free (or inexpensive) tool that would allow me to do this?  Or am I wrong about CCP only allowing one dmz?

-Mat

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mat_rouch

‎04-15-2013 09:30 AM

Hello Mat,

I think CCP only allows up to 3, I have not played that much with the guy, I just work with CLI,

Regards

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
mat_rouch
Level 1
Level 1
In response to Julio Carvajal

‎04-15-2013 11:25 AM

OK, thanks for the info.

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to mat_rouch

‎04-15-2013 11:27 AM

Hey my pleasure,

remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card