Zone-based Policy Firewalls (ZPF) - The new configuration mode in which interfaces are assigned to security zones, and firewall policy is applied to traffic moving between the zones.
Configure ZPF
Steps:
- Create the zones.
- Identify traffic with a class map.
- Define an action with a policy-map.
- Identify a zone pair and match it to a policy map.
- Assign zones to the appropriate interface.
1. Create Zones
zone security <zone-name>
2. Identify Traffic
class-map type inspect [match-any|match-all] <class-map-name>
 match access-group {acl#|acl-name}
 match protocol <protocol-name>
 match class-map <class-map-name>
Example:
class-map type inspect match-any HTTP-TRAFFIC
match protocol http
match protocol https
match protocol dns
exit
3. Define an Action
policy-map type inspect <policy-map-name>
 class type inspect <class-map-name>
  {inspect|drop|pass}
inspect
- This action offers state-based traffic control. For example, if traffic traveling from the PRIVATE zone to the PUBLIC zone is inspected, the router maintains connection or session information for TCP and UDP traffic. The router then permits return traffic sent from PUBLIC zone hosts in reply to PRIVATE zone connection requests.
drop
- This is the default action for all traffic. Similar to the implicit deny any at the end of every ACL, there is an explicit drop applied by the IOS to the end of every policy-map. It is listed as "class class-default" in the last section of any policy-map configuration. Other class-maps within a policy-map can also be configured to drop unwanted traffic. Unlike ACLs, traffic is silently dropped, and no ICMP unreachable messages are sent to the source of the traffic.
pass
- This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections. Pass only allows the traffic in one direction; a corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is ideal for secure protocols with predictable behavior, such as IPsec. However, most application traffic is better handled in the ZPF with the inspect action.
Example:
policy-map type inspect PRIV-TO-PUB-POLICY
 class type inspect HTTP-TRAFFIC
  inspect
4. Identify a Zone-Pair and Match to a Policy
zone-pair security <zone-pair-name> \
source {<source-zone-name>|self} \
destination {<destination-zone-name>|self}
service-policy type inspect <policy-map-name>
Example of a zone-pair configuration. A zone-pair named PRIV-PUB is created with PRIVATE assigned as the source zone and PUBLIC assigned as the destination zone. Then the policy-map created in the previous step is associated to the zone-pair.
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
service-policy type inspect PRIV-TO-PUB-POLICY
5. Assign Zones to Interfaces
Example:
interface g0/0
zone-member security PRIVATE
interface s0/0/0
zone-member security PUBLIC
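As an added example (not part of these notes and not a Cisco tool), a small Python checker that parses a saved running-config and reports the dependency mistakes the five steps above can leave behind: a zone-member pointing at a zone that was never created, a zone-pair with no service-policy (so only the default drop applies), a policy-map referencing a missing class-map, or a second zone on one interface. The sample config is constructed and contains two deliberate errors.

```python
import re
# Constructed sample running-config (not a real device): Serial0/0/0 joins an undefined zone; PUB-PRIV has no policy.
SAMPLE_CONFIG = """
zone security PRIVATE
zone security PUBLIC
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
policy-map type inspect PRIV-TO-PUB-POLICY
 class type inspect HTTP-TRAFFIC
  inspect
zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
 service-policy type inspect PRIV-TO-PUB-POLICY
zone-pair security PUB-PRIV source PUBLIC destination PRIVATE
interface GigabitEthernet0/0
 zone-member security PRIVATE
interface Serial0/0/0
 zone-member security DMZ
"""
def audit_zpf(config):
    # Collect every object defined in steps 1-5, then check that each reference resolves.
    zones, cmaps, pmaps, class_refs, pairs, iface_zone, out = set(), set(), set(), [], [], {}, []
    pair = iface = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.fullmatch(r"class-map type inspect (?:match-\w+ )?(\S+)", line):
            cmaps.add(m[1])
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
            pmaps.add(m[1])
        elif m := re.fullmatch(r"class type inspect (\S+)", line):
            class_refs.append(m[1])  # class-map referenced inside a policy-map
        elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair = {"name": m[1], "zones": (m[2], m[3]), "policy": None}
            pairs.append(pair)
        elif m := re.fullmatch(r"service-policy type inspect (\S+)", line):
            if pair: pair["policy"] = m[1]
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface, pair = m[1], None
        elif m := re.fullmatch(r"zone-member security (\S+)", line):
            if iface in iface_zone:  # only one zone is allowed per interface
                out.append(f"{iface}: already in zone {iface_zone[iface]}, cannot also join {m[1]}")
            iface_zone[iface] = m[1]
    out += [f"class-map {c} referenced but never defined" for c in class_refs if c not in cmaps]
    out += [f"{i}: zone {z} never defined" for i, z in iface_zone.items() if z not in zones]
    for p in pairs:
        out += [f"zone-pair {p['name']}: zone {z} never defined" for z in p["zones"] if z not in zones | {"self"}]
        if p["policy"] not in pmaps:  # no usable policy-map means only the class-default drop applies
            out.append(f"zone-pair {p['name']}: policy-map {p['policy'] or 'none'} not defined, traffic dropped")
    return out
```

Running audit_zpf(SAMPLE_CONFIG) reports the undefined DMZ zone on Serial0/0/0 and the policy-less PUB-PRIV zone-pair; a clean config returns an empty list.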
Verify ZPF Configurations
show policy-map type inspect zone-pair sessions
show class-map type inspect
show zone security
show zone-pair security
show policy-map type inspect
Important Features of Zone-Based Policy Firewalls
- No filtering is applied for intra-zone traffic.
- Only one zone is allowed per interface.
- Classic Firewall and Zone-Based Policy Firewall configuration cannot coexist on the same interface.
- If one interface is a zone member and the other is not, traffic between them is dropped.
- Only explicitly allowed traffic is forwarded between zones.
- Traffic to the self zone is not filtered.