Zone Based Firewall Management using PRIME Infrastructure

usomeshwar

Hello Folks,

We are using Prime Infrastructure 3.5 to create Zone Based Firewall policies to be managed on ISR 4451s. Attached are screenshots (screenshot 1 and 2) of the defined object groups and the policy from PI using these object groups:

When I look at deploying this to the ISR, in the CLI config I see ACLs created for service policy using the IPs instead of the object-groups as defined in the policy template:

ip access-list standard EMS_INSIDE_to_OUTSIDE_1_src
 permit 25.248.98.128 0.0.0.63
class-map type inspect match-any EMS_INSIDE_to_OUTSIDE_1_srvc
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all INSIDE_to_OUTSIDE_1
 match access-group name EMS_INSIDE_to_OUTSIDE_1_src
 match class-map EMS_INSIDE_to_OUTSIDE_1_srvc
ip access-list standard EMS_INSIDE_to_OUTSIDE_2_src
 permit 25.248.96.0 0.0.0.63
class-map type inspect match-any EMS_INSIDE_to_OUTSIDE_2_srvc
 match protocol https
 match protocol http
class-map type inspect match-all INSIDE_to_OUTSIDE_2
 match access-group name EMS_INSIDE_to_OUTSIDE_2_src
 match class-map EMS_INSIDE_to_OUTSIDE_2_srvc
ip access-list standard EMS_INSIDE_to_OUTSIDE_3_src
 permit 25.248.96.64 0.0.0.63
class-map type inspect match-all INSIDE_to_OUTSIDE_3
 match access-group name EMS_INSIDE_to_OUTSIDE_3_src
 match protocol smtp
ip access-list extended EMS_INSIDE_to_OUTSIDE_4_src_dest
 permit ip 192.168.0.0 0.0.0.255 host 199.27.117.35
class-map type inspect match-all INSIDE_to_OUTSIDE_4
 match access-group name EMS_INSIDE_to_OUTSIDE_4_src_dest
 match protocol https
ip access-list standard EMS_INSIDE_to_OUTSIDE_5_src
 permit 192.168.0.0 0.0.0.255
class-map type inspect match-all INSIDE_to_OUTSIDE_5
 match access-group name EMS_INSIDE_to_OUTSIDE_5_src
 match protocol ntp
ip access-list standard EMS_INSIDE_to_OUTSIDE_6_src
 permit 25.248.96.0 0.0.0.63
ip access-list extended EMS_INSIDE_to_OUTSIDE_6_l4
 permit icmp any any
class-map type inspect match-all INSIDE_to_OUTSIDE_6
 match access-group name EMS_INSIDE_to_OUTSIDE_6_src
 match access-group name EMS_INSIDE_to_OUTSIDE_6_l4
ip access-list standard EMS_INSIDE_to_OUTSIDE_7_src
 permit 25.248.97.16 0.0.0.15
ip access-list extended EMS_INSIDE_to_OUTSIDE_7_l4
 permit tcp any any
 permit udp any any
 permit icmp any any
class-map type inspect match-all INSIDE_to_OUTSIDE_7
 match access-group name EMS_INSIDE_to_OUTSIDE_7_src
 match access-group name EMS_INSIDE_to_OUTSIDE_7_l4

policy-map type inspect EMS_INSIDE__OUTSIDE
 class type inspect INSIDE_to_OUTSIDE_1
  inspect
 class type inspect INSIDE_to_OUTSIDE_2
  inspect
 class type inspect INSIDE_to_OUTSIDE_3
  inspect
 class type inspect INSIDE_to_OUTSIDE_4
  inspect
 class type inspect INSIDE_to_OUTSIDE_5
  inspect
 class type inspect INSIDE_to_OUTSIDE_6
  inspect
 class type inspect INSIDE_to_OUTSIDE_7
  inspect
 class class-default
  drop log

I was looking at some tutorials online (http://www.labminutes.com/rs00100_prime_31_device_configuration_zbfw_2) and I see that the CLI in those is created with object groups (screenshot 3).

I would like to understand how to enable the ZBF to be deployed using object-groups, as that will make the CLI easy to troubleshoot and manage.

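For comparison, this is what classes 1 and 4 of the policy above look like when the addresses are carried in network object-groups rather than literal ACL entries. It is an added example written for this thread, not output from Prime Infrastructure or the LabMinutes template; the object-group names (EMS_NET_*) are invented, the addresses are the ones in the post, and the class-maps keep their "match protocol" lines so application-layer inspection is unchanged.

```ios
! Added example: object-group form of INSIDE_to_OUTSIDE_1 and _4 (names invented)
object-group network EMS_NET_INSIDE_1
 description Source subnet for INSIDE_to_OUTSIDE_1 (was 25.248.98.128 0.0.0.63)
 25.248.98.128 255.255.255.192
!
object-group network EMS_NET_INSIDE_4_SRC
 192.168.0.0 255.255.255.0
object-group network EMS_NET_OUTSIDE_4_DST
 host 199.27.117.35
!
! Extended ACLs reference the groups; changing a group membership updates
! every ACL (and therefore every class-map) that uses it.
ip access-list extended EMS_INSIDE_to_OUTSIDE_1_src
 permit ip object-group EMS_NET_INSIDE_1 any
ip access-list extended EMS_INSIDE_to_OUTSIDE_4_src_dest
 permit ip object-group EMS_NET_INSIDE_4_SRC object-group EMS_NET_OUTSIDE_4_DST
!
! Class-maps are unchanged: addresses come from the ACL, "match protocol"
! still selects the inspected application, not just an L4 port.
class-map type inspect match-any EMS_INSIDE_to_OUTSIDE_1_srvc
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all INSIDE_to_OUTSIDE_1
 match access-group name EMS_INSIDE_to_OUTSIDE_1_src
 match class-map EMS_INSIDE_to_OUTSIDE_1_srvc
class-map type inspect match-all INSIDE_to_OUTSIDE_4
 match access-group name EMS_INSIDE_to_OUTSIDE_4_src_dest
 match protocol https
!
! Check the expansion before the policy is applied to a zone-pair:
! show object-group EMS_NET_INSIDE_1
! show ip access-lists EMS_INSIDE_to_OUTSIDE_1_src
```

Note that the standard ACLs in the generated config only match on source, so "permit ip object-group <src> any" is the equivalent extended-ACL entry.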