In a previous post, we learned how to build a simple policy with the Cisco Zone-based Policy Firewall (ZFW). The current post goes one step further, by discussing some connection logging tasks in a ZFW environment.
The feature in charge of generating the Syslog messages related to connection setup and teardown for the ZFW is named audit-trail, which, as can be verified in Figure 1, is set to ‘off’ by default.
To modify this original behavior in the sample scenario of Figure 1, we defined a new parameter-map called TRACKING and bound it to the TOP-CLASS1 class-map, as part of the inspect action. (It is important to emphasize that all the other settings of the default parameter-map remained unchanged.)
This approach of creating a customized parameter-map brings more flexibility to the deployment because you could have, for instance, another class-map without the audit-trail mechanism enabled.
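The configuration below is an added example, not taken from the original post or its figure, showing how the two pieces described above fit together: a parameter-map named TRACKING that turns audit-trail on, bound to TOP-CLASS1 through the inspect action, alongside a second class-map that is inspected with the default (audit-trail off) settings. The policy-map name, zone names, the protocol matches, and the second class-map name are assumptions chosen for illustration.

```cisco
! Added example (assumed names: TOP-POLICY, OTHER-CLASS, INSIDE, OUTSIDE)
! Only audit-trail is changed; every other inspect setting stays at its default.
parameter-map type inspect TRACKING
 audit-trail on
!
! Traffic whose connection setup/teardown we want logged via Syslog
class-map type inspect match-any TOP-CLASS1
 match protocol http
 match protocol https
!
! Traffic we still want inspected, but without per-session audit messages
class-map type inspect match-any OTHER-CLASS
 match protocol dns
 match protocol icmp
!
policy-map type inspect TOP-POLICY
 class type inspect TOP-CLASS1
  inspect TRACKING
 class type inspect OTHER-CLASS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect TOP-POLICY
```

Because the custom parameter-map is referenced only on the `inspect TRACKING` line, sessions matched by OTHER-CLASS keep the default behavior, which is the flexibility the post refers to. To confirm what the default values are on a given platform, `show parameter-map type inspect default` lists them, and `show policy-map type inspect zone-pair` shows which parameter-map each class is actually using.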
As a closing exercise, you are encouraged to examine the settings available for the inspect action in the default parameter-map (shown in Figure 1).
More information about the parameter-map type inspect command and its arguments can be found in the Cisco IOS Command Reference: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p1.html#wp1070293
** Related Posts:
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/