Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Zone-Based Policy Firewall
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/12-4t/sec-data-zbf-12-4t-book.html
To configure the Zone Based FW, the approach is somewhat similar to the MQC method in the QoS configuration.
STEP 1> Start by creating a class map of INSPECT TYPE, and match HTTP, and DROP everything else:
(config)#class-map type inspect match-any OUTSIDE
(config-cmap)#match protocol http
(config-pmap)#class type inspect OUTSIDE
(config-pmap-c)#drop
STEP 2> Create a inspect type POLICY-MAP that matches the defined CLASS-MAP, and INSPECTS:
(config)#policy-map type inspect OUTSIDE_POLICY
(config-pmap)#class OUTSIDE
(config-pmap-c)#inspect ?
WORD Parameter-map (inspect) name <PARAMETER MAP CAN BE DEFINED to tune the inspection
<cr>
(config-pmap-c)#inspect
STEP 3> Define the SECURITY ZONES for the interfaces you need, and assign them to the interfaces:
(config)#zone security DMZ
(config-if)#zone-member security DMZ
(config)#zone security OUTSIDE
(config-if)#zone-member security OUTSIDE
STEP 4> Set the POLICIES between each ZONE PAIR:
(config)#zone-pair security OUT-to-DMZ source OUTSIDE destination DMZ
(config-sec-zone-pair)#service-policy type inspect OUTSIDE_POLICY
#show policy-map type inspect zone-pair session
policy exists on zp OUT-to-DMZ
Zone-pair: OUT-to-DMZ
Service-policy inspect : OUTSIDE_POLICY
Class-map: INSIDE (match-any)
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
PARAMETER MAP can be created to tune to drop logs, handle alarms, max&min session numbers and much more, for example:
(config)# parameter-map type inspect eng-network-profile
(config-profile)# tcp synwait-time 3 <-HOW LONG TO WAIT FOR SYN FOR THE TCP SESSION
Most Popular Posts
-
Before we start, lets once again make sure we fully understand what Bridge Domain is. The bridge domain can be compared to a giant distribut... -
Ever since Cisco bought Insieme and created Cisco ACI, and VMware bought Nicira and created NSX, I've been intensively deep-diving and b...
-
[In collaboration with the guest blogger, Marc Espinosa ] Let's start with the messaging protocols, MQTT and CoAP, and consider which ... -
By know you should know the following facts about ACI: Cisco Nexus 9k Switches make the ACI Fabric, which is the Control and the Data pla... -
Get ready to have your mind blown. One of the easiest procedures I've encountered. You just need to follow these 3 steps, to migrate the...
-
The VM-Series firewall for VMware NSX is jointly developed by Palo Alto Networks and VMware. NetX APIs are used to integrate the Palo Alto N...
-
First time we “unpack” ACI, we will find a certain number of potential Spine and potential Leaf switches, and hopefully 3 (or 5) APIC Contro...
-
Google has made their Cloud Platform (GCP) so that you can host your application any way your business requires. When we talk about the ... -
Narbik Topology for web-iou Disclaimer: I DON’T OWN NOR HAVE AN ACCESS TO THE TOPOLOGY, INITIAL CONFIGS, IOU/IOL BINARIES OR ANY OTHER ... -
Before I get into the Python for NX-OS, let me explain a few concepts that I've seen Network Engineers have been struggling with. Dev...
No comments:
Post a Comment