21-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Adding Zone-Based Firewall Rules
Moving Rules and the Importance of Rule Order, page 12-19
Step 1 Access the Zone-based Firewall Rules Page, page 21-57, as follows:
(Device view) Select an IOS router and then select Firewall > Zone Based Firewall Rules from the
Policy selector.
(Policy view) Select Firewall > Zone Based Firewall Rules from the Policy Type selector. Select
an existing policy or create a new one.
Step 2 Click the Add Row button below the rules table, or right-click anywhere inside the table, and choose
Add Row to open the Add Zone Based Firewall Rule dialog box.
Refer to Adding and Editing Zone-based Firewall Rules, page 21-59 for a complete description of this
dialog box.
Step 3 Define the base Traffic flow for this rule.
Note Together, the Permit/Deny, Sources, Destinations, and Services options can be thought of as
defining a simple access rule that can be enhanced by the application of in-depth Action-related
policies, and restricted to a specific direction between a specific pair of zones.
a. Choose whether to Permit or Deny further processing of traffic that matches this rule. See
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules,
page 21-7 for more information.
b. Optionally, provide Source and Destination hosts/networks.
By default, the traffic definition encompasses packets from “any” source, to “any” destination. You
can use these fields to refine this base traffic definition by providing one or more source and
destination hosts/networks. (Refer to Understanding Networks/Hosts Objects, page 6-74 for more
information.)
c. Specify one or more Services (protocols) that indicate the type of traffic; for example, IP, TCP, etc.
You can provide more than one Service; however, IP generally stands alone. (See Understanding and
Specifying Services and Service and Port List Objects, page 6-86.)
d. Provide the From Zone; that is, the only zone from which matched traffic can originate.
e. Provide the To Zone; that is, the only zone to which matched traffic can flow.
Refer to Understanding Interface Role Objects, page 6-67 for more information about zone/interface
objects.
Note Together, the From Zone and the To Zone constitute what is sometimes referred to as a
“zone-pair.”
f. Click the Advanced button to add a time range, or to apply a packet-fragment or an
established-connection restriction to this zone-based firewall rule.
See Zone-based Firewall Rule: Advanced Options Dialog Box, page 21-63 for more information
about these options.
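The rule assembled in Step 3 is deployed to the router as Cisco IOS Zone-Based Policy Firewall configuration. The fragment below is an added, hand-written IOS example, not output generated by Cisco Security Manager and not taken from this guide; it shows which IOS construct each rule element maps onto. Zone names (inside, outside), interface names, the source network 10.1.1.0/24, the TCP/80 service and the ACL, class-map, policy-map and zone-pair names are all assumptions, and the action used is the Inspect action described under Step 4.

```cisco
! Zones and interface membership (assumed names): the From Zone and To Zone of Step 3 d/e
zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
!
! Traffic definition: Sources, Destinations and Services of Step 3 b/c.
! 10.1.1.0/24 and TCP/80 are constructed sample values.
ip access-list extended ZBF-RULE-WEB
 permit tcp 10.1.1.0 0.0.0.255 any eq www
!
! Class-map that selects the traffic; match-all ANDs every match line in it
class-map type inspect match-all CM-WEB
 match access-group name ZBF-RULE-WEB
!
! Policy: the Action of Step 4 (Inspect = stateful inspection, return traffic allowed).
! class-default catches all other traffic on this zone-pair; "drop log" makes the
! implicit deny visible in syslog instead of dropping silently.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
!
! Zone-pair: the single direction (From Zone -> To Zone) the policy applies to
zone-pair security ZP-INSIDE-OUTSIDE source inside destination outside
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Two points worth checking after deployment. First, no zone-pair exists for the outside-to-inside direction, so unsolicited inbound connections are dropped while return traffic for inspected sessions is still allowed; that asymmetry is what the zone-pair in Step 3 d/e buys you. Second, `show policy-map type inspect zone-pair ZP-INSIDE-OUTSIDE sessions` lists the sessions the inspect action is tracking, which is the quickest way to confirm that the Sources, Destinations and Services you entered actually match the traffic you intended.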
Step 4 Specify the actions to be applied to traffic matching this definition by choosing a base Action, and
supplying additional parameters as necessary.
a. Choose a base Action: