Advanced Zone-based Firewall Configuration
The advanced configuration of zone based firewalls, while not hard, can be confusing to understand without proper perspective of what is possible. While my previous article, “Basic Zone-Based Firewall Configuration” reviewed the steps required for configuring a basic zone based firewall, it did not review all of the capabilities of the feature. The zone based firewall feature is not just restricted to matching and applying policy to traffic based on layer 3/4 criteria. It also has application inspection and control (AIC) capability that enables deeper packet inspection; this provides the capability to apply policy based on layer 5 through 7 criteria.
It is important to understand the basic configuration of the zone-based firewall as the more advanced capabilities like URL filtering and HTTP inspection are configured by being nested inside an existing layer 3/4 policy. For example, all HTTP traffic could be matched and then be configured to be inspected by the stateful packet engine; it is only after this is already configured that these additional capabilities can be used. Because of this overlap, a primer section has been included.
This article adds to the concepts and configuration covered in the “Basic Zone-Based Firewall Fundamentals” and “Basic Zone Based Firewall Configuration” articles. Some of these are covered in this section.
As was covered in the other two articles, a zone based firewall configuration requires knowledge of a zone and a zone-pair. A zone (or security zone) is created for each part of the network that has an access/traffic control policy, the common ones being a private zone for inside the organizational network and a public zone for the Internet. A zone-pair is used to link different zones together and to apply policies between the two linked zones; these zone-pairs are unidirectional.
A zone-based firewall configuration is implemented on Cisco equipment through the Cisco Common Classification Policy Language (C3PL) that closely resembles the Modular QoS CLI (MQC) structure. This configuration requires that the traffic subject to a policy be matched using a class-map which is in turn used inside a policy-map statement to link that traffic with a specific policy; this policy-map is then applied to a specific zone-pair using the service-policy command. The more advanced policy options are configured using C3PL as well, after an existing basic configuration has been completed.