Date posted: 05-Jul-2018
8/16/2019 Cisco IOS Zone-Based Policy Firewall Overview
1/68
BRKCRT-2006
CCNA-Security/CCSP: Cisco IOS Zone-Based Policy Firewall Overview
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialBRKCRT-2006_c1 2
Zone-Based Policy Firewall
ZFW (aka Zone-Policy Firewall, ZBP, and ZFP)
Covered in IINS (CCNA Security)
Covered in SNRS (CCSP), more depth
Covered in CCIE R&S Lab Exam
Agenda
Overview of ZFW Operations
ZFW CLI Configurations
Cisco Configuration Professional (CCP) Demo on ZFW
Sample ZFW Exam Items
Demo on How to Use Packet Tracer (PT) ZFW Lab
In the Beginning… ACLs
Early firewalls were ACLs configured on routers to restrict traffic, providing the initial access policy.
[Figure: router between the Trusted network and the Untrusted Internet]
# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Then… Cisco IOS Classic Firewall
The next generation of firewalls, such as Cisco IOS Classic Firewall (formerly CBAC), offered interface-based firewall services.
Traffic entering or leaving an interface is inspected for service conformance; if the traffic matches the requirements, the return traffic is allowed back through the firewall.
[Figure: router between the Trusted network and the Untrusted Internet]
# ip inspect name inspection-name protocol
# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
# ip inspect inspection-name {in | out}
Cisco IOS ZFW
ZFW Introduces a New Firewall Configuration Model:
Allows grouping of physical and virtual interfaces into zones
Applies unidirectional policies between zones, not interfaces
Simple to add or remove interfaces, integrating them into a firewall policy
Default policy for inter-zone traffic is DENY ALL
Requires Cisco IOS version 12.4(6)T or later
[Figure: Private, Public and DMZ zones around a router connected to the Internet, with Private-Public, Public-DMZ and Private-DMZ policies between them]
Benefits of Cisco IOS ZFW
A ZFW is not dependent on ACLs
The security posture is block unless explicitly allowed
Cisco Policy Language (CPL; aka Cisco Common Classification Policy Language, C3PL) makes policies easy to read and troubleshoot
One policy may be applied to any given traffic rather than requiring multiple ACLs and inspection actions
Security Zones
Interfaces in two different zones: traffic will not flow between the interfaces until a policy is defined to allow the traffic
  E1 will not flow to S3
Interfaces not in zones: traffic will flow between them
  E2 will flow to S4
Interfaces in a zone communicating with interfaces not in a zone: traffic will not flow between them
  E1 will not flow to S4
[Figure: interfaces E0, E1, E2, S3 and S4 on one router; E1 is in zone Private, S3 is in zone Public, E2 and S4 are not in any security zone]
Zoning Rules

Source interface   Dest. interface    Zone-pair   CPL policy   Result
(zone member?)     (zone member?)     (exists?)   (exists?)
NO                 NO                 N/A         N/A          PASS
YES                NO                 N/A         N/A          DROP
NO                 YES                N/A         N/A          DROP
YES (Private)      YES (Private)      N/A         N/A          No CPL actions
YES (Private)      YES (Public)       NO          N/A          DROP
YES (Private)      YES (Public)       YES         NO           DROP
YES (Private)      YES (Public)       YES         YES          CPL actions
A zone-pair requires different zones as source and destination.
Zoning Rules (Cont.)

Source interface   Dest. interface    Zone-pair   CPL policy   Result
(zone member?)     (zone member?)     (exists?)   (exists?)
YES (self-zone)    YES                NO          -            PASS
YES (self-zone)    YES                YES         NO           PASS
YES (self-zone)    YES                YES         YES          CPL actions
YES                YES (self-zone)    NO          -            PASS
YES                YES (self-zone)    YES         NO           PASS
YES                YES (self-zone)    YES         YES          CPL actions
Router IP addresses default to the self-zone.
The self-zone is the exception to the deny-all default: traffic to and from the router itself is allowed until a policy on a zone-pair that includes the self-zone denies it.
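The two zoning-rule tables above, together with the drop/pass/inspect actions described later in the deck, can be turned into a small decision function. The following is an added example written for this page, not code from the session: interface names, zone names, the policy and the flow identifiers are invented, and the one case the tables do not cover (router traffic on an interface that is in no zone) is marked as an assumption in the code. It also shows why pass and inspect differ for return traffic.

```python
"""Evaluator for the ZFW zoning rules and the pass/inspect/drop actions.

Added example; it is not code from the Cisco session. It reproduces the
two "Zoning Rules" tables and the policy-map actions as a small decision
function so the pass-vs-inspect difference for return traffic is visible.
Interface names, zone names, policy and flow identifiers are invented.
"""
from dataclasses import dataclass, field

SELF = "self"                      # router-owned addresses: the self-zone
DROP, PASS, INSPECT = "drop", "pass", "inspect"
NO_CPL = "no-cpl-actions"          # same zone on both sides: not policed


@dataclass
class Zfw:
    members: dict                  # interface -> zone (absent = no zone)
    zone_pairs: dict               # (src_zone, dst_zone) -> [(proto, action)]
    sessions: set = field(default_factory=set)   # filled by inspect

    def _zone(self, intf):
        return SELF if intf == SELF else self.members.get(intf)

    def _policy_action(self, pair, proto):
        """First matching class wins; the implicit class-default drops."""
        policy = self.zone_pairs.get(pair)
        if policy is None:         # zone-pair missing or no service-policy
            return None
        for match_proto, action in policy:
            if match_proto in (proto, "any"):
                return action
        return DROP

    def decide(self, src_intf, dst_intf, proto, flow):
        """Fate of a packet entering src_intf and leaving dst_intf.

        `flow` is an opaque connection id; the reverse direction of an
        inspected flow is matched against the session table first.
        """
        if (dst_intf, src_intf, proto, flow) in self.sessions:
            return PASS            # return traffic of an inspected session
        src, dst = self._zone(src_intf), self._zone(dst_intf)
        if src is None and dst is None:
            return PASS            # neither interface is in a zone
        if SELF in (src, dst) and None in (src, dst):
            # Assumption, not in the deck's tables: router traffic on an
            # interface outside any zone is not policed.
            return PASS
        if src is None or dst is None:
            return DROP            # zone member <-> interface in no zone
        if src == dst:
            return NO_CPL          # intra-zone traffic needs no policy
        action = self._policy_action((src, dst), proto)
        if action is None:
            # self-zone is the deny-all exception: allowed until denied
            return PASS if SELF in (src, dst) else DROP
        if action == INSPECT:
            self.sessions.add((src_intf, dst_intf, proto, flow))
        return action


def build_demo():
    """Private-to-public policy: inspect telnet, pass http, drop the rest."""
    return Zfw(
        members={"Fa0/0": "private", "Serial0/0/0": "public"},
        zone_pairs={("private", "public"): [("telnet", INSPECT),
                                             ("http", PASS)]},
    )


def demo():
    fw = build_demo()
    r = {}
    r["telnet out"] = fw.decide("Fa0/0", "Serial0/0/0", "telnet", "c1")
    r["telnet back"] = fw.decide("Serial0/0/0", "Fa0/0", "telnet", "c1")
    r["http out"] = fw.decide("Fa0/0", "Serial0/0/0", "http", "c2")
    r["http back"] = fw.decide("Serial0/0/0", "Fa0/0", "http", "c2")
    r["ftp out"] = fw.decide("Fa0/0", "Serial0/0/0", "ftp", "c3")
    r["inbound new"] = fw.decide("Serial0/0/0", "Fa0/0", "telnet", "c4")
    r["ssh to router"] = fw.decide("Fa0/0", SELF, "ssh", "c5")
    r["unzoned Fa0/1"] = fw.decide("Fa0/0", "Fa0/1", "http", "c6")
    # Once a private-to-self zone-pair exists, self is policed like any zone
    fw.zone_pairs[("private", SELF)] = [("ssh", PASS)]
    r["ssh to router, self pair"] = fw.decide("Fa0/0", SELF, "ssh", "c7")
    r["telnet to router, self pair"] = fw.decide("Fa0/0", SELF, "telnet", "c8")
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {verdict}")
```

The http case is the one to notice: pass forwards the outbound packet but creates no session, so the reply arriving on the public interface is evaluated as a new public-to-private flow, finds no zone-pair, and is dropped. Inspect records the session and the telnet reply is allowed through.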
Steps to Configure a ZFW Firewall
1. Define zones
2. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair
3. Define policy-maps to apply actions to your class-map traffic
4. Define zone-pairs
5. Apply policy-maps to zone-pairs
6. Assign interfaces to zones
[Figure: Private, Public and DMZ zones with Private-Public, Public-DMZ and Private-DMZ policies]
Configuring ZFW Security Zones
Define Security Zones and Zone-Pairs:
Identify interfaces that share security parameters and group them into security zones
Determine traffic flow requirements between zones
[Figure: router with interfaces Fa0/0, Fa0/1 and Serial0/0/0 assigned to the Private, DMZ and Public zones]
Security Zone Configuration Example

zone security private
zone security public

[Figure: Private zone and Public zone (Internet) on either side of the router]
Steps to Configure a ZFW Firewall (step 2 of 6: define class-maps that describe traffic that must have policy applied as it crosses a zone-pair)
Configuring ZFW Class-Maps (Cont.)
Combining Match Criteria: Match-Any versus Match-All
Class-maps can apply the match-any or match-all operator to determine how the match criteria are combined:
match-any: traffic must meet only one of the match criteria in the class-map
match-all: traffic must match all of the class-map's criteria in order to belong to that particular class
State the operator explicitly when you create the class-map so the intended semantics are visible in the configuration.
Match criteria must be listed in order from more specific to less specific: if traffic meets multiple criteria, the first match wins.
Class-Maps Configuration Example

class-map type inspect match-any telnet-protocol
 match protocol telnet

[Figure: Telnet from the Private zone to the Public zone (Internet); Telnet return traffic; any other traffic]
Steps to Configure a ZFW Firewall (step 3 of 6: define policy-maps to apply actions to your class-map traffic)
Configuring ZFW Policy-Maps
Policy-maps apply actions to class-maps and define the service-policy that will be applied to a security zone-pair.
ZFW provides three actions for inter-zone traffic:
Drop: discards unwanted traffic. It is also the default action, applied by the class-default class that terminates every inspect-type policy-map.
Pass: a stateless action that allows the router to forward traffic from one zone to another. No session is created, so return traffic must be permitted separately on the reverse zone-pair.
Inspect: an action that offers state-based traffic control. The router maintains session information for TCP and UDP and permits the return traffic.
Policy-Maps Configuration Example

policy-map type inspect private-to-public-policy
 class type inspect telnet-protocol
  inspect

[Figure: Telnet from the Private zone to the Public zone (Internet) is inspected; Telnet return traffic is allowed; any other traffic]
Steps to Configure a ZFW Firewall (steps 4 and 5 of 6: define zone-pairs and apply policy-maps to zone-pairs)
Configuring ZFW Security Zones
Define Security Zone-Pairs:
Establish zone-pairs for inter-zone traffic
[Figure: router with interfaces Fa0/0, Fa0/1 and Serial0/0/0 in the Private, DMZ and Public zones]
Apply ZFW Policy-Maps to Zone-Pairs
Use the service-policy type inspect command to attach a policy-map and its associated actions to a zone-pair
Enter the command after entering the zone-pair security command
Zone-Pair with Policy-Map Configuration Example

zone-pair security private-public source private destination public
 service-policy type inspect private-to-public-policy

[Figure: Zone-Pair Private-Public between the Private zone and the Public zone (Internet)]
Steps to Configure a ZFW Firewall (step 6 of 6: assign interfaces to zones)
Apply Interfaces to Zones
Once an interface is placed in a security zone, traffic between it and interfaces in other zones (or in no zone) is dropped by default; traffic between interfaces in the same zone still flows, and the self-zone is the other exception
To permit traffic, the zone that an interface belongs to must be part of a zone-pair with an applied policy
If the policy permits the traffic (via the inspect or pass action), the traffic can flow through the interface
Zone-Member Configuration Example

interface FastEthernet 0/0
 zone-member security private
!
interface Serial 0/0/0
 zone-member security public

[Figure: Zone-Pair Private-Public; Fa0/0 in the Private zone, Serial0/0/0 in the Public zone towards the Internet]
Basic ZFW Configuration
[Figure: Fa0/0 in the Private zone, Serial0/0/0 in the Public zone towards the Internet; Telnet is inspected, Telnet return traffic is allowed, any other traffic is dropped]
Basic ZFW Configuration (Cont.)

class-map type inspect match-any telnet-protocol
 match protocol telnet
!
policy-map type inspect private-to-public-policy
 class type inspect telnet-protocol
  inspect
!
zone security private
zone security public
!
interface FastEthernet 0/0
 zone-member security private
!
interface Serial 0/0/0
 zone-member security public
!
zone-pair security private-to-public source private destination public
 service-policy type inspect private-to-public-policy
ZFW Verification

R1# show policy-map type inspect zone-pair sessions
policy exists on zp private-to-public
Zone-pair: private-to-public
 Service-policy inspect : private-to-public-policy
  Class-map: telnet-protocol (match-any)
   Match: protocol telnet
    1 packets, 28 bytes
    30 second rate 0 bps
   Inspect
    Number of Established Sessions = 1
    Established Sessions
     Session 656986C0 (192.168.10.2:1051)=>(10.1.1.2:23) telnet:tcp SIS_OPEN
      Created 00:03:18, Last heard 00:00:10
      Bytes sent (initiator:responder) [92:2727]
  Class-map: class-default (match-any)
   Match: any
   Drop
    6 packets, 1275 bytes
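Reading this output by eye is fine in a lab; in operations you usually want to pull the session table and the class-default drop counter into a script (for example a post-change check that the expected session exists and that nothing unexpected is being dropped). The parser below is an added example written for this page, not a Cisco tool. The sample text is the slide's own output; the only thing it assumes beyond that is the indentation-free line formats shown there.

```python
"""Parser for `show policy-map type inspect zone-pair sessions` output.

Added example, not code from the Cisco session. It turns the verification
output shown on the slide into a structure a script can assert on. The
sample text is the slide's own output; any format beyond it is assumed.
"""
import re

SAMPLE = """\
policy exists on zp private-to-public
Zone-pair: private-to-public
 Service-policy inspect : private-to-public-policy
  Class-map: telnet-protocol (match-any)
   Match: protocol telnet
    1 packets, 28 bytes
    30 second rate 0 bps
   Inspect
    Number of Established Sessions = 1
    Established Sessions
     Session 656986C0 (192.168.10.2:1051)=>(10.1.1.2:23) telnet:tcp SIS_OPEN
      Created 00:03:18, Last heard 00:00:10
      Bytes sent (initiator:responder) [92:2727]
  Class-map: class-default (match-any)
   Match: any
   Drop
    6 packets, 1275 bytes
"""

RE_PAIR = re.compile(r"^Zone-pair:\s+(\S+)")
RE_POLICY = re.compile(r"^Service-policy inspect\s*:\s*(\S+)")
RE_CLASS = re.compile(r"^Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
RE_MATCH = re.compile(r"^Match:\s+(.+)$")
RE_COUNT = re.compile(r"^(\d+) packets, (\d+) bytes")
RE_SESSION = re.compile(
    r"^Session (\S+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\w+):(\w+) (\S+)")
RE_TIMES = re.compile(r"^Created (\S+), Last heard (\S+)")
RE_BYTES = re.compile(r"^Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
ACTIONS = {"Inspect", "Drop", "Pass"}   # action lines stand alone


def parse(text):
    """Return {zone_pair, service_policy, classes:[...]} for one zone-pair."""
    report = {"zone_pair": None, "service_policy": None, "classes": []}
    cls = None
    for raw in text.splitlines():
        line = raw.strip()            # leading indentation carries no meaning here
        if m := RE_PAIR.match(line):
            report["zone_pair"] = m.group(1)
        elif m := RE_POLICY.match(line):
            report["service_policy"] = m.group(1)
        elif m := RE_CLASS.match(line):
            cls = {"name": m.group(1), "operator": m.group(2), "matches": [],
                   "action": None, "packets": 0, "bytes": 0, "sessions": []}
            report["classes"].append(cls)
        elif cls is None:
            continue                  # header lines before the first class
        elif m := RE_MATCH.match(line):
            cls["matches"].append(m.group(1))
        elif line in ACTIONS:
            cls["action"] = line.lower()
        elif m := RE_COUNT.match(line):
            cls["packets"] += int(m.group(1))
            cls["bytes"] += int(m.group(2))
        elif m := RE_SESSION.match(line):
            cls["sessions"].append({
                "id": m.group(1),
                "initiator": (m.group(2), int(m.group(3))),
                "responder": (m.group(4), int(m.group(5))),
                "app": m.group(6), "transport": m.group(7), "state": m.group(8)})
        elif (m := RE_TIMES.match(line)) and cls["sessions"]:
            cls["sessions"][-1].update(created=m.group(1), last_heard=m.group(2))
        elif (m := RE_BYTES.match(line)) and cls["sessions"]:
            cls["sessions"][-1]["bytes_sent"] = (int(m.group(1)), int(m.group(2)))
    return report


def dropped_packets(report):
    """Packets that fell through to class-default's drop: a quick health check."""
    return sum(c["packets"] for c in report["classes"]
               if c["name"] == "class-default" and c["action"] == "drop")


def open_sessions(report):
    return [s for c in report["classes"] for s in c["sessions"]
            if s["state"] == "SIS_OPEN"]


if __name__ == "__main__":
    rep = parse(SAMPLE)
    print(rep["zone_pair"], rep["service_policy"])
    for s in open_sessions(rep):
        print(s["app"], s["initiator"], "=>", s["responder"], s["state"])
    print("dropped by class-default:", dropped_packets(rep))
```

A rising class-default counter on a zone-pair that should only carry telnet is the first thing to look at when users report "it worked before the firewall": it means traffic is reaching the zone-pair that no class-map claims.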
Other Verification Commands
show class-map type inspect [protocol-name] [class-map-name]
show zone security [zone-name]
show zone-pair security [source source-zone-name] [destination destination-zone-name]
show policy-map type inspect [policy-map-name]
Review ZFW Class-Maps
class-map type inspect match-any insp-traffic
match protocol ftp
match protocol http
match protocol icmp
match protocol tcp
policy-map type inspect mypolicy
class type inspect insp-traffic
inspect
zone-pair security in-out source in-zone destination out-zone
service-policy type inspect mypolicy
Order of match statements important
Classification exits on first match
Overview of ZFW Parameter-Maps
Parameter-maps specify inspection behavior for ZFW
Parameters include connection thresholds, timeouts, and other elements pertaining to the inspect action
Examples of use include DoS protection, TCP connection/UDP session timers, and audit-trail logging settings
Overview of ZFW Parameter-Maps (Cont.)

Verification:
show parameter-map type inspect [default]

Example:
class-map type inspect match-all inspect-traffic
 match protocol tcp
!
parameter-map type inspect insp-params
 audit-trail on
 tcp synwait-time 10
!
policy-map type inspect mypolicy
 class type inspect inspect-traffic
  inspect insp-params
!
zone-pair security in-out source in-zone dest out-zone
 service-policy type inspect mypolicy

Callouts: the parameter-map insp-params holds the parameters for inspection; "inspect insp-params" is the inspect action with the specified parameters.
ZFW Application Inspection
Application inspection policies are applied at layer 7 of the OSI model
Applications may offer undesired capabilities or vulnerabilities. Messages associated with these capabilities can be filtered.
Application inspection and control (AIC) varies in capability per service
Configuring ZFW AIC
AIC is configured as an additional set of application-specific class-maps and policy-maps (aka L7)
AIC is then applied to existing inspection class-maps and policy-maps by defining the application service-policy in the inspection policy-map (aka L3/4)
ZFW HTTP AIC Example

class-map type inspect http match-any http-aic-cmap
 match request port-misuse any
 match req-resp protocol-violation
!
policy-map type inspect http http-aic-pmap
 class type inspect http http-aic-cmap
  reset
  log
!
class-map type inspect match-any http-cmap
 match protocol http
!
class-map type inspect match-any other-traffic-cmap
 match protocol smtp
 match protocol dns
 match protocol ftp
!
policy-map type inspect priv-pub-pmap
 class type inspect http-cmap
  inspect
  service-policy http http-aic-pmap
 class type inspect other-traffic-cmap
  inspect

Callouts:
http-aic-cmap: configure the HTTP actions that are not permitted (L7 class-map).
http-aic-pmap: define the actions to be applied to unwanted traffic (reset and log).
http-cmap: class-map for stateful HTTP inspection (L3/L4).
other-traffic-cmap: class-map for stateful inspection of the other traffic.
priv-pub-pmap: policy-map that associates the class-maps with their actions; the L7 policy is attached under the HTTP class with service-policy http.
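The layering in that configuration is the point worth internalising: the L3/L4 policy decides that a flow is HTTP and inspects it, and only then is the L7 policy consulted for that flow. The following toy model is an added example written for this page, not Cisco's implementation of protocol-violation detection: it treats "protocol-violation" as "the request head is not syntactically HTTP" (a simplified reading of the RFC 7230 request-line and header grammar), applies reset+log only to flows the L3/L4 class called HTTP, and runs over constructed payloads; class names mirror the slide, the payloads and rules are assumptions.

```python
"""Toy model of the L7 HTTP check behind `match req-resp protocol-violation`.

Added example, not Cisco's implementation. It shows the two-layer structure
of the AIC configuration: the L3/L4 policy decides *that* a flow is HTTP and
inspects it; only then is the L7 policy consulted, which here resets and logs
any request whose head is not syntactically HTTP. Payloads are constructed
samples; the violation rules are a simplified reading of RFC 7230.
"""
import re

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
VERSION = re.compile(rb"^HTTP/1\.[01]$")
CTL = re.compile(rb"[\x00-\x1f\x7f]")          # control bytes never belong here


def http_violation(payload: bytes):
    """Return None if the request head is well-formed HTTP, else the reason."""
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return "request-line is not 'METHOD SP target SP version'"
    method, target, version = parts
    if method.decode("ascii", "replace") not in METHODS:
        return "unknown method %r" % method[:8]
    if not target or CTL.search(target):
        return "bad request-target"
    if not VERSION.match(version):
        return "bad version %r" % version[:8]
    for h in lines[1:]:
        if not h:
            continue                            # partial head, still fine
        name, sep, _value = h.partition(b":")
        if not sep or not name or CTL.search(name):
            return "malformed header line %r" % h[:16]
    return None


def zfw_decide(l34_class, payload):
    """Mimic priv-pub-pmap: every matched class is inspected; only the HTTP
    class carries the L7 service-policy. Returns (action, log_message)."""
    if l34_class != "http-cmap":
        return "inspect", None                  # other-traffic-cmap: no L7 policy
    reason = http_violation(payload)
    if reason is None:
        return "inspect", None
    return "reset", "http-aic-pmap: protocol-violation (%s)" % reason


# Constructed sample payloads on flows the L3/L4 policy classified as HTTP
SAMPLES = {
    "browser GET": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "tls hello on port 80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32,
    "ssh banner on port 80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "HTTP/0.9 style": b"GET /index.html\r\n\r\n",
    "header without colon": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def demo():
    """Run every constructed payload through the HTTP class of priv-pub-pmap."""
    return {name: zfw_decide("http-cmap", payload)[0]
            for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        action, log = zfw_decide("http-cmap", payload)
        print(f"{name:24} -> {action}" + (f"  [{log}]" if log else ""))
```

Note that the same TLS ClientHello bytes on a flow that the L3/L4 policy classified as other-traffic-cmap are simply inspected: the L7 HTTP policy never sees them, which is exactly why the L3/L4 class-map order and the choice of which class carries the service-policy http line matter.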
CCP ZFW Demo
CCP ZFW Instructor Demo

class-map type inspect match-all telnet-class
 match protocol telnet
!
policy-map type inspect private-to-internet
 class type inspect telnet-class
  inspect
!
zone security private
zone security internet
!
interface Vlan1
 description inside interface
 ip address 10.10.10.1 255.255.255.0
 zone-member security private
 ip nat inside
 no shut
!
interface FastEthernet4
 description outside interface
 ip address dhcp
 zone-member security internet
 ip nat outside
 no shut
!
zone-pair security private-to-internet source private destination internet
 service-policy type inspect private-to-internet
CCP ZFW Instructor Demo—Zones
CCP ZFW Instructor Demo—Zone Pairs
CCP ZFW Instructor Demo—Class Map
CCP ZFW Instructor Demo—Policy Map
CCP ZFW Instructor Demo—Edit Firewall Policy
CCP ZFW Instructor Demo—Edit Firewall Policy
Permit Firewall = Inspect
Permit ACL = Pass
CCP ZFW Instructor Demo—Add Zone Policy
CCP ZFW Instructor Demo—Add Zone Policy (Cont.)
CCP ZFW Instructor Demo—Add Zone Policy: Resulting CLI Commands Preview
CCP ZFW Instructor Demo—Wizards
Wizard options: no DMZ / DMZ
ZFW Exam Item Samples
ZFW Exam Items: Sample 1
Which three actions can be configured within an L3/L4 type inspect policy-map? (choose three)
A. Pass
B. Log
C. Inspect
D. Reset
E. Drop
F. Permit
ZFW Exam Items: Sample 2
What's wrong with the following ZFW configuration?

class-map type inspect match-all testclass
 match protocol telnet
 match protocol http
 match access-group 101
!
policy-map type inspect private-to-internet-policy
 class type inspect testclass
  pass
!
zone security private
zone security internet
!
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security internet
!
zone-pair security private-to-internet source private destination internet
 service-policy type inspect private-to-internet-policy
!
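The class-map rules stated earlier in the deck ("Review ZFW Class-Maps": order matters, classification exits on first match; and the match-any/match-all slide) and the class-map in this sample can be checked with one small model. The following is an added example written for this page, not code from the session. The protocol model is a deliberate simplification: a flow is represented as the set of "match protocol" keywords it would satisfy plus a tag for a hypothetical access-list 101; ZFW's real port-map/NBAR recognition is richer, but the operator and ordering semantics are the ones the slides describe.

```python
"""Model of how an inspect class-map classifies a flow.

Added example, not code from the Cisco session. It encodes the two rules the
deck gives for class-maps (match-any exits on the first matching criterion,
match-all needs every criterion at once) so the ordering advice on the
"Review ZFW Class-Maps" slide and the defect in exam sample 2 can be checked.
A flow is just the set of "match protocol" keywords (plus an ACL tag) it
would satisfy; this is a simplification of ZFW's real protocol recognition.
"""

# Constructed sample flows. An application flow also satisfies its transport
# keyword, which is why a generic "tcp" match can swallow it. "acl:101" marks
# flows a hypothetical access-list 101 would permit.
FLOWS = {
    "http flow":   {"http", "tcp", "acl:101"},
    "ftp flow":    {"ftp", "tcp", "acl:101"},
    "telnet flow": {"telnet", "tcp", "acl:101"},
    "ssh flow":    {"ssh", "tcp", "acl:101"},
    "ping":        {"icmp", "acl:101"},
    "dns query":   {"dns", "udp", "acl:101"},
}


def classify(class_map, flow):
    """Return the criterion that classified the flow, or None for no match.

    match-any: the first listed criterion the flow satisfies wins and the
    evaluation stops there. match-all: every criterion must hold for the
    same flow, so two different 'match protocol' lines can never both be true.
    """
    operator, criteria = class_map
    if operator == "match-any":
        return next((c for c in criteria if c in flow), None)
    if operator == "match-all":
        return "+".join(criteria) if all(c in flow for c in criteria) else None
    raise ValueError("operator must be match-any or match-all")


def demo():
    # insp-traffic from the review slide: specific protocols before generic tcp
    specific_first = ("match-any", ["ftp", "http", "icmp", "tcp"])
    # the same lines with tcp first: HTTP is now classified as plain tcp and
    # gets generic TCP inspection instead of HTTP application inspection
    generic_first = ("match-any", ["tcp", "ftp", "http", "icmp"])
    # testclass from exam sample 2: a flow cannot be telnet and http at once
    testclass = ("match-all", ["telnet", "http", "acl:101"])
    # a match-all that does work: one protocol AND an ACL
    telnet_and_acl = ("match-all", ["telnet", "acl:101"])

    return {
        "http, specific first": classify(specific_first, FLOWS["http flow"]),
        "http, generic first": classify(generic_first, FLOWS["http flow"]),
        "ssh, specific first": classify(specific_first, FLOWS["ssh flow"]),
        "dns, specific first": classify(specific_first, FLOWS["dns query"]),
        "telnet, testclass": classify(testclass, FLOWS["telnet flow"]),
        "flows testclass matches": [n for n, f in FLOWS.items()
                                    if classify(testclass, f)],
        "telnet, telnet+acl": classify(telnet_and_acl, FLOWS["telnet flow"]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:26} -> {hit}")
```

So testclass matches no flow at all: everything crossing private-to-internet falls through to class-default and is dropped. Fixing the operator to match-any is only half the repair, because the policy uses pass, which the policy-map slide describes as stateless; with no internet-to-private zone-pair the replies would still be dropped, so inspect is the action this policy needs.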
ZFW Exam Items: Sample 3
Where is the Application (L7) Inspect Policy applied?
A. Within the L3/L4 type inspect class-map
B. Within the L3/L4 type inspect policy-map
C. Within the security zone-pair
D. Within each security zone
ZFW Exam Items: Sample 4
Based on the SDM screen shown [screenshot not reproduced]:
1. What is the name of the policy-map applied for traffic moving from the in-zone to the out-zone?
2. What will happen to all the traffic moving from the in-zone to the out-zone that is not matched by any of the class-maps within the applied policy-map?
ZFW Packet Tracer Demo
ZFW Packet Tracer Lab Demo
[Figure: router running ZFW between IN-ZONE and OUT-ZONE]
Instructions for downloading Packet Tracer will be provided during the session.
PT Device Access—PC
PT Device Access—PC Desktop
PT Device Access—PC Desktop Web Browser
PT Device Access—Router
PT Device Access—Router Config
PT Device Access—Router CLI
Packet Tracer Download
https://pt.netacad.net/downloads/pt/PacketTracer53_BRKCRT-2006_setup.exe
username: ptuser
password: got_52yet?
Supporting Sessions
BRKSEC-2007: Deploying Cisco IOS Security
LTRSEC-2007: Cisco IOS Security Features
BRKSEC-3007: Advanced Cisco IOS SecurityFeatures
BRKCRT-2062: CCSP: Securing Networks with
ASA Fundamentals for CCNA Security and CCSPprep...
BRKSEC-2020: Firewall Design and Deployment
(Focuses on ASA/FWSM implementations)
BRKSEC-3020: Advanced Firewalls
(Focuses on ASA/FWSM implementations)
Q&A
Complete Your Online Session Evaluation
Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.