21-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Understanding the Zone-based Firewall Rules
• Interfaces that have not been assigned to a zone can still function as classical router ports and might still have other types of firewall rules configured on them.
• However, if an interface is not part of your zone-based firewall policy, it might still be necessary to add that interface to a zone and configure a “pass all” policy (sort of a “dummy policy”) between that zone and any other zone to which inter-zone traffic flow is desired.
• Access-control list (ACL) rules applied on interfaces that are also zone members are processed before the zone rules are applied. Therefore, to continue using both rule types, it may be necessary to relax the interface ACLs to ensure certain traffic flows are processed by the zone-based rules.
• All interfaces in a zone must belong to the same Virtual Routing and Forwarding (VRF) instance.
• Zone-based rules can be configured between zones whose member interfaces are in separate VRFs. However, if traffic cannot flow between these VRFs, these rules will never be executed. See Zones and VRF-aware Firewalls, page 21-6 for more information.
• Zones are defined using Interface Role objects. If you change the definition of an interface role that you are using for a zone, you are changing the zone, which can affect existing traffic flows. In addition, if you use wildcards in the interface role to specify an interface name pattern, be aware that interfaces may automatically be added to the zone when you create new interfaces on the router.
• If zone-based firewall rules contain conflicting zone information, the first rule defined in the table takes precedence. Rules that do not reference valid zones are not deployed and an activity validation warning is shown.
• Empty zones result in activity validation errors for certain devices; refer to the following restriction lists.
• Source and destination zones cannot be the same for certain devices; refer to the following restriction lists.
ASR Restrictions
The following are restrictions specific to ASR devices:
• Deep Packet Inspection (DPI) is not allowed.
• Source and destination zones can be the same. This is possible because intra-zone traffic inspection is allowed.
• Content (URL) Filtering is not allowed.
• Only certain protocols are supported, such as DNS, FTP, H.323, ICMP, RTSP, SIP, Skinny, TCP, TFTP, and UDP.
ISR Restrictions
The following are restrictions specific to ISR devices:
• Empty zones cannot exist.
• Source and destination zones cannot be the same.
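As an added illustration (not Cisco's code or any part of Security Manager), the following Python sketch applies the validation restrictions listed above to a constructed rule table and reports what would and would not be deployed for an ASR versus an ISR. The "ASR"/"ISR" labels, the Interface and Rule shapes, the conflict model (same zone pair and traffic class with a different action) and all sample names are assumptions for illustration.

```python
from collections import namedtuple

# An interface belongs to one VRF; a rule is one row of the zone-rule table.
Interface = namedtuple("Interface", "name vrf", defaults=["global"])
Rule = namedtuple("Rule", "src_zone dst_zone match action")  # match: "tcp", "dns", ...

def validate(device_type, zones, rules):
    """Apply the restrictions above; return (warnings, deployable rules).
    zones maps zone name -> list of member Interfaces; device_type is "ASR" or "ISR".
    """
    warnings, deployable, first_action = [], [], {}
    for zname, members in zones.items():
        if len({i.vrf for i in members}) > 1:
            warnings.append(f"zone {zname}: member interfaces must share one VRF")
        if not members and device_type == "ISR":
            warnings.append(f"zone {zname}: empty zones are not allowed on ISR")
    for r in rules:
        pair = (r.src_zone, r.dst_zone)
        if r.src_zone not in zones or r.dst_zone not in zones:
            warnings.append(f"rule {pair}: references an undefined zone, not deployed")
            continue
        if r.src_zone == r.dst_zone and device_type == "ISR":
            warnings.append(f"rule {pair}: intra-zone rules are not allowed on ISR")
            continue
        # Conflict model (assumption): same zone pair and traffic class but a
        # different action; the rule defined first in the table takes precedence.
        first = first_action.setdefault((pair, r.match), r.action)
        if first != r.action:
            warnings.append(f"rule {pair}/{r.match}: conflicts with earlier "
                            f"'{first}' rule; first rule takes precedence")
            continue
        if {i.vrf for i in zones[r.src_zone]} != {i.vrf for i in zones[r.dst_zone]}:
            warnings.append(f"rule {pair}: zones are in different VRFs; the rule "
                            "never executes unless traffic can cross them")
        deployable.append(r)
    return warnings, deployable

# Constructed sample data (not from the guide): "dmz" mixes VRFs, "unused" is empty.
SAMPLE_ZONES = {
    "inside": [Interface("GigabitEthernet0/0"), Interface("GigabitEthernet0/1")],
    "dmz": [Interface("GigabitEthernet0/2", "dmz-vrf"), Interface("GigabitEthernet0/3")],
    "unused": [],
}
SAMPLE_RULES = [
    Rule("inside", "dmz", "tcp", "inspect"),
    Rule("inside", "outside", "dns", "pass"),  # "outside" is not a defined zone
    Rule("inside", "inside", "icmp", "pass"),  # intra-zone: rejected on ISR only
    Rule("inside", "dmz", "tcp", "drop"),      # conflicts with the first rule
]
```

Running `validate("ISR", SAMPLE_ZONES, SAMPLE_RULES)` leaves only the first rule deployable, while the same table on an "ASR" also keeps the intra-zone rule and raises no empty-zone warning.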
Related Topics
• The Self Zone, page 21-5
• Using VPNs with Zone-based Firewall Policies, page 21-5
• Zones and VRF-aware Firewalls, page 21-6
• Configuring Settings for Zone-based Firewall Rules, page 21-48
• Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules, page 21-7