03-23-2011 04:20 PM - edited 03-11-2019 01:11 PM
Hi
I'm currently using classic CBAC/inspect FW configuration on my 1801 router. I would like to implement a ZFW config. ZFW is new to me, I've read "Zone-Based Policy Firewall Design and Application Guide" & am a bit confused.
The following questions arise:
1. In the above guide on pg 19 (bottom) it states "HTTP Application Inspection (similar to other types of Application Inspection) can only be applied to HTTP traffic. Thus, you must define Layer 7 class-maps and policy-maps for specific HTTP traffic, then define a Layer-4 class-map specifically for HTTP, and apply the Layer-7 policy to HTTP inspection in a Layer-4 policy-map".
What is confusing is that several L7 configuration examples are very different. One shows only L7 cmap & pmap (example pg. 13). Another example shows a config with an L7 cmap/pmap, with a L4 cmap/pmap defined (example pg. 19). Please help clarify.
2. Are all the ZFW parameters such as DoS protection, TCP connection/UDP session timers, and audit-trail logging settings that I want to use put into one (1) large policy parameter map? If so would someone be able to help reorganize a parameter map based on my "ZFW config" doc.
3. Where can I find the syntax for the following: tcp/udp fin & synwait times, inspect reassembly queue length, idle time tcp/udp
4. Prior to loading new ZFW config, does CBAC have to be unloaded? What is the command?
My goal is to implement my current CBAC/inspect settings (see attached config) in the ZFW & lock down the router further if possible.
My requirements are:
1. implement L7 inspection on the following protocols: HTTP/HTTPS/ESMTP/SMTP/POP3/DNS
2. implement current CBAC/inspect settings if possible and tighten security further if possible.
I've put together a draft ZFW config that is probably full of configuration & syntax errors. I would appreciate if some of the FW experts might be able to help me develop a working ZFW config.
Many thanks in advance.
Regards
Mike
04-09-2011 04:12 PM
Pls. follow this link.
https://supportforums.cisco.com/docs/DOC-8028
You may not be doing Trend content filtering but, it certainly goes over how to configure L7 inspection.
It also has parameter map configuration sample.
Removing old CBAC commands:
sh run | i inspect
sh run int e0/0
If you have any ip inspect commands configured, you can remove them from the global configuration as well as the interface configuration.
-KS
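To show the nesting the guide's page 19 quote describes (question 1), a parameter map carrying the timers and audit-trail settings from questions 2 and 3, and the CBAC clean-up KS points at, here is an added skeleton in IOS ZFW syntax. It is not from the guide, the linked document or either poster; all names (INSIDE, OUTSIDE, the class-map, policy-map and parameter-map names, the CBAC rule name MYFW, and the interface choices) are placeholders, the timer values are illustrative, and Mike's real settings come from his attached config. Mike's reassembly queue length is not shown because its ZFW-era syntax is not on this page.

```ios
! --- Step 0: remove CBAC so the same interfaces can join zones -----------
! (rule name MYFW and interface names are placeholders for what
!  "sh run | i inspect" / "sh run int e0/0" show on the real router)
interface FastEthernet0
 no ip inspect MYFW in
 no ip inspect MYFW out
no ip inspect name MYFW

! --- Step 1: one parameter map holds timers, DoS limits, audit trail -----
! (values are illustrative, replace with the CBAC settings being migrated)
parameter-map type inspect ZFW-PARAMS
 audit-trail on
 alert on
 tcp idle-time 3600
 tcp finwait-time 5
 tcp synwait-time 30
 udp idle-time 30
 dns-timeout 5
 max-incomplete low 400
 max-incomplete high 500
 one-minute low 400
 one-minute high 500
 tcp max-incomplete host 50 block-time 0
 sessions maximum 2000

! --- Step 2: Layer 7 class-map and policy-map, HTTP only ------------------
class-map type inspect http match-any L7-HTTP-BAD
 match request port-misuse any
 match req-resp protocol-violation
policy-map type inspect http L7-HTTP-POLICY
 class type inspect http L7-HTTP-BAD
  reset
  log

! --- Step 3: Layer 4 class-maps; the L7 policy only attaches to HTTP -----
class-map type inspect match-all L4-HTTP
 match protocol http
class-map type inspect match-any L4-OTHER
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol dns

! --- Step 4: Layer 4 policy-map; L7 policy nested under the HTTP class ---
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect L4-HTTP
  inspect ZFW-PARAMS
  service-policy http L7-HTTP-POLICY
 class type inspect L4-OTHER
  inspect ZFW-PARAMS
 class class-default
  drop log

! --- Step 5: zones, zone-pair, interface membership -----------------------
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
interface Vlan1
 zone-member security INSIDE
interface FastEthernet0
 zone-member security OUTSIDE
```

The page-13 style example (L7 class-map and policy-map alone) and the page-19 style (L7 nested inside L4) are the same mechanism seen at two depths: the L7 policy-map never does anything until a Layer 4 policy-map references it with `service-policy http` under a class that matches `protocol http`, which is why the guide says the L4 class must be HTTP-specific. The parameter map is attached per class with `inspect ZFW-PARAMS`, so one map can serve every class, or different classes can use different maps if some timers should differ. Step 0 matters in practice: an interface that still carries `ip inspect` cannot also be made a zone member, so the CBAC lines have to go before the `zone-member security` lines are accepted.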