FTP Inspection with the Cisco Zone-based Policy Firewall

Having analyzed the basic L4/L3 configuration  principles for the Cisco Zone-based Policy Firewall (ZFW), we will now illustrate some L7 options.

Before we start the practical examples, it is interesting to characterize the main usages of L7 inspection on a stateful firewall:

  • Fixing up misbehaved protocols, such as those that dynamically negotiate data connections inside the control channel. Classic examples are FTP and the telephony signaling protocols (SIP, H.323 framework, SCCP, MGCP).
  • Perform Network Address Translation (NAT) at the application level for those protocols that embed the IP address in the L7 messages. This is critical within NAT and Port Address Translation (PAT) environments.
  • Use the application knowledge to filter based on additional criteria pertaining to the specific L7 protocol, rather than just L4/L3.

The figure depicts a reference scenario for FTP inspection on the ZFW:

  • The INSIDE client starts an FTP session to the translated address of the server (
  • Instead of matching based on an L4 clause, there is a match protocol ftp statement under the class-map named L7-CLASS1.
  • The first audit-trail message shows the creation of the FTP control connection (over port TCP/21).
  • The second log message shows a sample FTP data session (and the corresponding NAT operation).

It is important to emphasize that in this sample network we are not performing any special filtering. We are just using L7 knowledge for fixup purposes.

Reference topology for FTP inspection with the Cisco Zone-based Policy Firewall
** Topics for Study:
  • Review basic FTP operations
  • What are typical commands (inside an FTP control channel) that trigger the setup of a data channel ?
  • It is important to compare these new audit-trail messages with those for single channel protocols that use TCP as transport (such as telnet in previous ZFW-related posts). What has changed ?

** Related Posts:

Leave a comment

Filed under English, Firewalls, Security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s