Zone Firewall policy configuration

ms4561
Level 1

Hi

I'm currently using classic CBAC/inspect FW configuration on my 1801 router. I would like to implement a ZFW config. ZFW is new to me, I've read "Zone-Based Policy Firewall Design and Application Guide" & am a bit confused.

The following questions arise:

1. In the above guide on pg 19 (bottom) it states "HTTP Application Inspection (similar to other types of Application Inspection) can only be applied to HTTP traffic. Thus, you must define Layer 7 class-maps and policy-maps for specific HTTP traffic, then define a Layer-4 class-map specifically for HTTP, and apply the Layer-7 policy to HTTP inspection in a Layer-4 policy-map".

What is confusing is that several L7 configuration examples are very different. One shows only L7 cmap & pmap (example pg. 13). Another example shows a config with an L7 cmap/pmap, with a L4 cmap/pmap defined (example pg 19). Please help clarify.


2. Are all the ZFW parameters such as DoS protection, TCP connection/UDP session timers, and audit-trail logging settings that I want to use put into one (1) large policy parameter map? If so, would someone be able to help reorganize a parameter map based on my "ZFW config" doc.

3. Where can I find the syntax for the following: tcp/udp fin & synwait times, inspect reassembly queue length, idle time tcp/udp

4. Prior to loading the new ZFW config, does CBAC have to be unloaded? What is the command?

My goal is to implement my current CBAC/inspect settings (see attached config) in the ZFW & lock down the router further if possible.


My requirements are:

1. implement L7 inspection on the following protocols: HTTP/HTTPS/ESMTP/SMTP/POP3/DNS
2. implement current CBAC/inspect settings if possible and tighten security further if possible.

I've put together a draft ZFW config that is probably full of configuration & syntax errors. I would appreciate if some of the FW experts might be able to help me develop a working ZFW config.
Many thanks in advance.

Regards

Mike

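The following is an added example, not a config from this thread or from the guide, that shows the L7-in-L4 nesting asked about in question 1 and a single parameter map covering the timer, DoS and audit-trail settings from questions 2 and 3. Map names, timer values and the interface names (Vlan1, Dialer0) are assumed placeholders to be replaced with your own.

```cisco
! Global inspection parameters: timers, DoS thresholds and logging in one map
parameter-map type inspect PMAP-GLOBAL
 tcp synwait-time 30
 tcp finwait-time 5
 tcp idle-time 3600
 udp idle-time 30
 max-incomplete low 400
 max-incomplete high 500
 one-minute low 400
 one-minute high 500
 audit-trail on
!
! Layer-7 HTTP class-map and policy-map (what the page 13 style example shows)
class-map type inspect http match-any CMAP-L7-HTTP
 match request port-misuse any
 match req-resp protocol-violation
policy-map type inspect http PMAP-L7-HTTP
 class type inspect http CMAP-L7-HTTP
  reset
  log
!
! Layer-4 class-maps: one for HTTP alone, so the L7 policy can hang off it
class-map type inspect match-all CMAP-L4-HTTP
 match protocol http
class-map type inspect match-any CMAP-L4-OTHER
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol dns
!
! Layer-4 policy-map: "inspect" applies the parameter map and "service-policy
! http" nests the L7 policy. On their own the L7 maps are never evaluated.
policy-map type inspect PMAP-IN-OUT
 class type inspect CMAP-L4-HTTP
  inspect PMAP-GLOBAL
  service-policy http PMAP-L7-HTTP
 class type inspect CMAP-L4-OTHER
  inspect PMAP-GLOBAL
 class class-default
  drop log
!
! Zones and zone-pair (interface names are placeholders, not from the thread)
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-IN-OUT
interface Vlan1
 zone-member security INSIDE
interface Dialer0
 zone-member security OUTSIDE
```

Traffic from a zone-member interface to an interface in another zone is dropped until a zone-pair with a policy covers it, so add the return-direction or OUTSIDE-to-self pairs before cutting over from CBAC.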

Kureli Sankar
Cisco Employee

Please follow this link.

https://supportforums.cisco.com/docs/DOC-8028

You may not be doing Trend content filtering but, it certainly goes over how to configure L7 inspection.

It also has parameter map configuration sample.

Removing old CBAC commands:

sh run | i inspect

sh run int e0/0

If you have any ip inspect commands configured, you can remove them from the global configuration as well as the interface configuration.

-KS
