Logging dropped packets with the Cisco Zone-based Policy Firewall

The previous post about the Cisco Zone-based Policy Firewall (ZFW) discussed how to log connection setup and termination. This one focuses on making dropped packets visible, by means of Syslog messages. The configuration element that gets the job done is the parameter-map type inspect with the reserved name global.

Figure 1 summarizes the topology and associated ZFW policy used in the posts so far.

Figure 1: Reference topology and associated ZFW policy

Figure 2 shows how to turn on the logging of packets dropped by the Cisco Zone-based Policy Firewall. Some points to be aware of:
  • Logging of dropped packets is disabled by default.
  • The settings inside the global parameter-map apply to all classes and are not available as options under the default or user-defined parameter-maps (which were analyzed in the previous ZFW post).
  • When a packet is dropped by the drop action under a class, the class name is recorded in the Syslog message.
  • Syslog messages that represent packets dropped as a result of the default-deny behavior (which was the subject of a previous post) do not contain a class name.

Figure 2: Logging dropped packets with the Cisco Zone-based Policy Firewall
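The configuration below is an added example, not the post's own Figure 2: it enables drop logging through the global parameter-map and pairs it with a policy that drops one class explicitly, so both kinds of Syslog message described above can be observed. Zone, class-map and policy-map names (INSIDE, OUTSIDE, CMAP-TELNET, CMAP-ALLOWED, PMAP-IN-OUT, ZP-IN-OUT) are placeholders chosen for the example.

```cisco
! Added example; zone, class-map and policy-map names are placeholders.
! Turn on Syslog messages for packets dropped by the ZFW (off by default).
! This setting lives only under the global parameter-map; it is not an
! option of the default or user-defined parameter-maps.
parameter-map type inspect global
 log dropped-packets enable
!
! Class that will be dropped explicitly by the policy below.
class-map type inspect match-all CMAP-TELNET
 match protocol telnet
!
! Class that is permitted and stateful-inspected.
class-map type inspect match-any CMAP-ALLOWED
 match protocol http
 match protocol dns
!
! "drop log" records the class name (CMAP-TELNET) in the Syslog message.
policy-map type inspect PMAP-IN-OUT
 class type inspect CMAP-TELNET
  drop log
 class type inspect CMAP-ALLOWED
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! Only the INSIDE -> OUTSIDE direction has a zone-pair and a policy.
! Packets initiated from OUTSIDE towards INSIDE hit the ZFW default-deny
! behavior instead; their Syslog messages carry no class name.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-IN-OUT
```

Interface-to-zone assignments (zone-member security under each interface) are omitted here because they depend on the topology in Figure 1.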

** Topics for Study:
  • Compare the parameter-maps examined up to now: default, global and user-defined.
  • Contrast the tasks of logging connections and dropped packets in a ZFW scenario.
  • Make sure you understand the difference between class-based drops and packets dropped by the default-deny behavior of the ZFW.
  • Remember that the default and global categories of parameter-maps were introduced in Cisco IOS 15.X. Pre-15 releases used a different syntax to log dropped packets.

Filed under English, Firewalls, Security