Zone Policy Firewall: Understanding the default deny behavior

As mentioned in the initial post about the Zone-based Policy Firewall, Cisco's ZFW approach provides a much easier way of materializing the default-deny behavior that characterizes dedicated firewall appliances.

The following figure illustrates three typical situations that may happen on a ZFW environment:

  • Scenario 1: the source and destination interfaces have been assigned to security zones but there is no policy definition (connecting these two zones) yet.
  • Scenario 2: the source interface has not been assigned to any zone and is trying to connect to a router interface that belongs to a security zone.
  • Scenario 3: only the destination interface is assigned to a security zone.

Figure: Sample scenarios with default-deny behavior on the ZFW

It is important to observe that all of the cases represented in the previous figure relate to implicit drops performed by the ZFW itself (and not to a drop action configured inside a user-defined class-map). This second category of drop will be dealt with in a specific post: Logging dropped packets with the Cisco Zone-based Policy Firewall.
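As an added example (not code from the original post or from Cisco), the following Python model encodes the implicit verdicts described above: the three figure scenarios, plus the intra-zone and fully unzoned cases that the rules generalize to. Interface names, zone names and the policy-map name are constructed for the illustration.

```python
# Added example, not Cisco code: a model of the implicit (pre-policy) verdicts
# the ZFW gives a flow between two interfaces. Verdict strings:
#   "not-zfw"        neither interface is a zone member, classic routing applies
#   "implicit-drop"  dropped by the ZFW itself, no class-map is consulted
#   "pass"           same zone on both sides, permitted by default
#   "policy:<name>"  a zone-pair exists; its policy-map decides (class-default drops)
from dataclasses import dataclass, field


@dataclass
class ZfwRouter:
    zone_of: dict = field(default_factory=dict)     # interface -> zone
    zone_pairs: dict = field(default_factory=dict)  # (src zone, dst zone) -> policy-map

    def zone_member(self, ifname: str, zone: str) -> None:
        # models "zone-member security <zone>" under the interface
        self.zone_of[ifname] = zone

    def zone_pair(self, src_zone: str, dst_zone: str, policy_map: str) -> None:
        # models a "zone-pair security" with a "service-policy type inspect" attached
        self.zone_pairs[(src_zone, dst_zone)] = policy_map

    def forward_verdict(self, in_if: str, out_if: str) -> str:
        src, dst = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src is None and dst is None:
            return "not-zfw"
        if src is None or dst is None:
            return "implicit-drop"  # scenarios 2 and 3: zone member vs. non-member
        if src == dst:
            return "pass"           # intra-zone traffic needs no zone-pair
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            return "implicit-drop"  # scenario 1: both zoned, no zone-pair between them
        return f"policy:{policy}"


# Constructed topology: INSIDE and OUTSIDE zones, Gi0/2 and Gi0/3 left unzoned.
FLOWS = {
    "scenario1": ("Gi0/0", "Gi0/1"),   # both zoned, no zone-pair yet
    "scenario2": ("Gi0/2", "Gi0/1"),   # source unzoned, destination zoned
    "scenario3": ("Gi0/2", "Gi0/0"),   # only the destination is zoned
    "intra_zone": ("Gi0/0", "Gi0/4"),  # both in INSIDE
    "unzoned": ("Gi0/2", "Gi0/3"),     # ZFW not involved at all
}


def figure_scenarios() -> dict:
    r = ZfwRouter()
    for ifname, zone in [("Gi0/0", "INSIDE"), ("Gi0/4", "INSIDE"), ("Gi0/1", "OUTSIDE")]:
        r.zone_member(ifname, zone)
    before = {k: r.forward_verdict(*v) for k, v in FLOWS.items()}
    r.zone_pair("INSIDE", "OUTSIDE", "IN-TO-OUT")  # only scenario 1 changes
    after = {k: r.forward_verdict(*v) for k, v in FLOWS.items()}
    return {"before": before, "after": after}
```

Note that adding the INSIDE-to-OUTSIDE zone-pair does nothing for the unzoned interface: the only remedy for scenarios 2 and 3 is to assign that interface to a zone and connect it with a zone-pair of its own.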
