As mentioned in the initial post about the Zone-based Policy Firewall, Cisco's ZFW approach provides a much easier way of implementing the default-deny behavior that characterizes dedicated firewall appliances.
The following figure illustrates three typical situations that may occur in a ZFW environment:
- Scenario 1: the source and destination interfaces have been assigned to security zones but there is no policy definition (connecting these two zones) yet.
- Scenario 2: the source interface has not been assigned to any zone and is trying to connect to a router interface that belongs to a security zone.
- Scenario 3: only the destination interface is assigned to a security zone.
It is important to observe that all of the cases represented in the previous figure relate to implicit drops enforced by the ZFW (and not to a drop action configured inside a user-defined class-map). This second category of drop will be dealt with in a specific post: Logging dropped packets with the Cisco Zone-based Policy Firewall.
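The following configuration is an added example, not part of the original post, showing how each of the three implicit-drop situations above arises and how it is resolved. The interface names (GigabitEthernet0/0, 0/1, 0/2), zone names (INSIDE, OUTSIDE, DMZ) and class/policy names are assumptions chosen for illustration. The `!` lines are IOS comments.

```cisco
! --- Security zones: interfaces in no zone are outside ZFW control
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! --- Scenario 1 setup: both interfaces are zone members, no zone-pair yet.
!     Traffic INSIDE -> OUTSIDE is implicitly dropped until a zone-pair
!     with an inspect policy exists between the two zones.
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet uplink
 zone-member security OUTSIDE
!
! --- Scenario 2 / 3 setup: GigabitEthernet0/2 has NOT been assigned to any zone.
!     Traffic from it toward INSIDE or OUTSIDE (zone members) is implicitly
!     dropped, as is traffic from a zone member toward it. Traffic between two
!     interfaces that are both outside any zone is not inspected at all.
interface GigabitEthernet0/2
 description Server segment (zone assignment still pending)
 no zone-member security DMZ
!
! --- Resolving Scenario 1: define what is allowed INSIDE -> OUTSIDE.
!     Only HTTP/HTTPS/DNS are inspected (return traffic permitted statefully);
!     everything else hits class-default and is dropped explicitly.
class-map type inspect match-any CM-IN-OUT
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Resolving Scenario 2 / 3: put the interface into a zone, then
!     create the zone-pairs it needs. Until the zone-pair exists, the
!     implicit drop from the figure still applies (the zone-pair above
!     is unidirectional; OUTSIDE -> INSIDE stays denied by default).
interface GigabitEthernet0/2
 zone-member security DMZ
!
zone-pair security ZP-IN-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-IN-OUT
```

To confirm which zone each interface sits in and which zone-pairs carry a policy, use `show zone security` and `show zone-pair security`; `show policy-map type inspect zone-pair sessions` lists the stateful sessions created by the `inspect` action. Note that the `drop log` in `class-default` produces the second category of drop mentioned above (a drop configured inside a user-defined policy), whereas the situations in the figure are never reported that way because no policy is applied to them.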
- Zone Firewall Series: http://alexandremspmoraes.wordpress.com/tag/zone-firewall/