Zone-Based Firewall (ZBF) is the newer way of configuring firewall traffic control on routers.
Overview
Instead of using Role-Based CLI Access on interfaces, we will create different zones. Interfaces will be assigned to the different zones, and security policies will be assigned to traffic between zones.

Above, you see a small network that has a LAN, a DMZ, and a WAN with two ISPs. Let’s say our security policy looks like this:
- Traffic from the LAN is allowed to the WAN but only to HTTP and HTTPS servers.
- Traffic from the LAN is allowed to the DMZ unrestricted.
- Traffic from the DMZ is not allowed to the LAN.
- Traffic from the DMZ is allowed to the WAN but only for the DNS and HTTP servers.
- Traffic from the WAN is allowed to the LAN but only to an FTP server.
Yes, it is possible by creating multiple access lists and attaching them to the interfaces.
With the zone-based firewall approach, we won’t apply security policies to the interfaces but to security zones. Interfaces will become members of zones.

To apply a security policy to traffic between two zones we have to create a zone pair, which has a source zone and a destination zone. The security policy applied to the zone pair determines what traffic is permitted from the source zone to the destination zone.
Configuration

There are three routers and two zones, called LAN and WAN. We will configure ZBF on R2. For connectivity, we first need a default static route on R1 and R3 that points to R2:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Configure the Zones:
R2(config)#zone security LAN
R2(config)#zone security WAN
Assign the interfaces to their corresponding zones:
R2(config)#interface fastEthernet 0/0
R2(config-if)#zone-member security LAN
R2(config)#interface fastEthernet 0/1
R2(config-if)#zone-member security WAN
Verify the zone configuration:
R2#show zone security
zone self
Description: System defined zone
zone LAN
Member Interfaces:
FastEthernet0/0
zone WAN
Member Interfaces:
FastEthernet0/1
If everything looks fine, we can create the zone pairs:
R2(config)#zone-pair security LAN-TO-WAN source LAN destination WAN
R2(config-sec-zone-pair)#description LAN-TO-WAN TRAFFIC
R2(config)#zone-pair security WAN-TO-LAN source WAN destination LAN
R2(config-sec-zone-pair)#description WAN-TO-LAN TRAFFIC
We now have two zone pairs: one for traffic from our LAN to the WAN, and another for traffic from the WAN to our LAN. A description is optional but recommended when you have many zones. Let’s verify our configuration:
R2#show zone-pair security
Zone-pair name LAN-TO-WAN
Description: LAN-TO-WAN TRAFFIC
Source-Zone LAN Destination-Zone WAN
service-policy not configured
Zone-pair name WAN-TO-LAN
Description: WAN-TO-LAN TRAFFIC
Source-Zone WAN Destination-Zone LAN
service-policy not configured
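Both zone pairs still report "service-policy not configured", and a zone pair without a policy drops all traffic between its zones. The following is an added example, not part of the original tutorial, of the class-maps and policy-maps that would implement two rules from the policy list in the overview on these zone pairs: LAN to WAN only for HTTP and HTTPS, and WAN to LAN only for FTP to a single server. The class-map and policy-map names and the FTP server address 192.168.12.100 are assumptions.

```cisco
! LAN -> WAN: only HTTP and HTTPS. "inspect" tracks the session
! statefully, so the return traffic from WAN to LAN is allowed automatically.
class-map type inspect match-any LAN-TO-WAN-CLASS
 match protocol http
 match protocol https
!
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-CLASS
  inspect
 class class-default
  drop log
!
! WAN -> LAN: only FTP, and only to one server in the LAN.
! 192.168.12.100 is a constructed address for that FTP server.
ip access-list extended FTP-SERVER
 permit tcp any host 192.168.12.100 eq ftp
!
! match-all: a packet must match both the ACL and the FTP protocol.
class-map type inspect match-all WAN-TO-LAN-CLASS
 match access-group name FTP-SERVER
 match protocol ftp
!
policy-map type inspect WAN-TO-LAN-POLICY
 class type inspect WAN-TO-LAN-CLASS
  inspect
 class class-default
  drop log
!
! Attach each policy to the zone pair created earlier.
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-POLICY
!
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect WAN-TO-LAN-POLICY
```

After this, show zone-pair security lists the policy name for each pair instead of "service-policy not configured", and show policy-map type inspect zone-pair sessions shows the sessions that are being inspected.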