Introduction:

This document describes the useful commands for troubleshooting ZBF related issues.

What is Zone Based Firewall?

Security zone: It is a group of interfaces to which a policy can be applied. By default, traffic can flow freely within that zone but all traffic to and from that zone is dropped by default. To allow traffic pass between zones, administrators must explicitly declare by creating a zone-pair and a policy for that zone. Another notice is that traffic originated from the router itself is allowed to pass freely.

Zone-pair : allows you to specify a uni-directional firewall policy between two zones. In other words, a zone-pair specifies the direction of the interesting traffic. This direction is defined by specifying a source and destination zone. Notice that we can’t defined a zone as both source and destination zone.

Zone Policy : defines what we want to allow or deny to go between zones. For example we just want to allow HTTP while dropping SMTP, ICMP… We have 3 actions “pass”, “drop” and “inspect”. The “pass” and “drop” actions are self-explanatory. The action “inspect” tell the router to use a pre-defined class-map to filter the traffic.

Prerequisites: 

1.       Router running IOS Firewall feature set image

2.       ZBF Configuration

Procedure: 

1.       Logging Commands

               ip inspect log drop-pkt     <<<< Enabling router to log dropped packets the above command is replaced by the following global parameter map that configures logging settings across the entire device

            parameter-map type inspect global

            log dropped-packets enable

               log summary flows 256 time-interval 30

    Using class specific parameter map that configures logging settings to a specific class-map

               parameter-map type inspect TCP_PARAM
               audit-trail on
               alert on
               class-map type inspect match-all TCP_CMAP
               match protocol tcp
               policy-map type inspect IN_TO_OUT_PMAP
               class type inspect TCP_CMAP
               inspect TCP_PARAM
               class class-default
               drop

2.       Show Commands

               show policy-map type inspect zone-pair zone-pair-name sessions     <<<< To check current connections

               show zone security zone-name     <<<< Show which interfaces are assigned to a zone

               show zone-pair security     <<<< Shows the interfaces and service-policy for each zone-pair

3.             Debug Commands

   Basic debug: can be run without a strong threat of the router crashing

                debug policy-firewall protocol tcp

                debug policy-firewall detail

                debug policy-firewall obj-cre

                debug policy-firewall obj-del

                debug policy-firewall events

             debug policy-firewall list <ACL_num>      <<<< use this command to filter the above debug output on the specific flow defined by ACL.

    Advanced debug: much more verbose and run a higher threat of crashing the router

             debug cce dp target detailed

                debug cce dp target detailed internal

                debug cce dp named-db detailed

                debug cce dp named-db detailed internal

                debug cce dp named-db inspect

                debug cce dp named-db inspect detail

                debug cce dp named-db inspect pak

                debug cce dp feature inspect detail <<<< 15.1 and later version

Hope this is informative. Thanks for viewing.