This document describes the useful commands for troubleshooting ZBF related issues.
What is Zone Based Firewall?
Security zone: It is a group of interfaces to which a policy can be applied. By default, traffic can flow freely within that zone but all traffic to and from that zone is dropped by default. To allow traffic pass between zones, administrators must explicitly declare by creating a zone-pair and a policy for that zone. Another notice is that traffic originated from the router itself is allowed to pass freely.
Zone-pair : allows you to specify a uni-directional firewall policy between two zones. In other words, a zone-pair specifies the direction of the interesting traffic. This direction is defined by specifying a source and destination zone. Notice that we can’t defined a zone as both source and destination zone.
Zone Policy : defines what we want to allow or deny to go between zones. For example we just want to allow HTTP while dropping SMTP, ICMP… We have 3 actions “pass”, “drop” and “inspect”. The “pass” and “drop” actions are self-explanatory. The action “inspect” tell the router to use a pre-defined class-map to filter the traffic.
1.Router running IOS Firewall feature set image
ip inspect log drop-pkt <<<< Enabling router to log dropped packets the above command is replaced by the following global parameter map that configures logging settings across the entire device
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
Using class specific parameter map that configures logging settings to a specific class-map
parameter-map type inspect TCP_PARAM audit-trail on alert on class-map type inspect match-all TCP_CMAP match protocol tcp policy-map type inspect IN_TO_OUT_PMAP class type inspect TCP_CMAP inspect TCP_PARAM class class-default drop
show policy-map type inspect zone-pair zone-pair-name sessions <<<< To check current connections
show zone security zone-name <<<< Show which interfaces are assigned to a zone
show zone-pair security <<<< Shows the interfaces and service-policy for each zone-pair
Basic debug: can be run without a strong threat of the router crashing
debug policy-firewall protocol tcp
debug policy-firewall detail
debug policy-firewall obj-cre
debug policy-firewall obj-del
debug policy-firewall events
debug policy-firewall list <ACL_num> <<<< use this command to filter the above debug output on the specific flow defined by ACL.
Advanced debug: much more verbose and run a higher threat of crashing the router
debug cce dp target detailed
debug cce dp target detailed internal
debug cce dp named-db detailed
debug cce dp named-db detailed internal
debug cce dp named-db inspect
debug cce dp named-db inspect detail
debug cce dp named-db inspect pak
debug cce dp feature inspect detail <<<< 15.1 and later version
Hi, Thanks in advanced for your time. I am trying to configure a CSR1000v in AWS to have 2 customer side VRFs (VRF 70 and 71) and route based VPNs tied to each VRF. There is a remote gateway terminating the tunnels (it can handle the...
Hello, I would like to know if it's possible to obtain the serial numbers of ASAs through Cisco CSM, I ask this because our office has 200 firewalls managed by CSM and this labor is complicated when accessing one by one.CSM version: 4.20.0 Thank...
Hi guys,I am replacing my ASR 1001 with ASR 1001-x, however the crypto isakmp command doesn't seem to work. When i type crypto ? i do not get isakmp in the options, therefore can't go ahead with the getvpn configurations, can anyone help me here? Tha...
Guys, this should be a simple problem, if I could just find the right documentation!I have a Meraki MX67, with a site-to-site VPN linking to a hub Meraki MX84 HA pair. I have client PCs successfully doing IEEE802.1x authentication on the MX67, using an IS...
I have a ISE environment witch is integrated with AD. I inherited this from 2 past engineers. This being said there are many sites that are attached and use different AD groups to add and remove permisions to different types of network appliances. Is ther...