Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

21-53

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 21 Managing Zone-based Firewall Rules

Troubleshooting Zone-based Rules and Configurations

Related Topics

• Zone Based Firewall Page, page 21-49

• Understanding the Zone-based Firewall Rules, page 21-3

• Configuring Settings for Zone-based Firewall Rules, page 21-48

Troubleshooting Zone-based Rules and Configurations

Zone-based firewall rules are powerful, but also complex. Using zone rules, you can replace access rules,

inspection rules, and Web filter rules with a single type of firewall rule. Because zone-based firewall

rules can perform so many possible actions, the configuration generated from them uses many different

types of configuration commands, including structures for access control lists (ACLs), class maps, and

policy maps. There is no one-to-one correspondence between a zone-based firewall rule and a line in the

configuration (unlike access rules, for example).

To illustrate this complexity, this topic describes the relationship between zone-based firewall rules and

the configuration generated from them. You do not need to know any of the information in this topic to

create and deploy zone-based firewall rules. However, if you are familiar with the CLI (command line

interface), or if you find that your rules are generating undesired results, this information can help you

understand and troubleshoot zone-based firewall rules.

Consider the set of rules shown in the following illustration. These rules form a policy for a single zone

pair, affecting traffic moving from the Inside zone to the Outside zone. This is traffic from your internal

network going to the Internet. The rules define the following actions:

• Drop all traffic from the 10.100.10.0/24 and 10.100.11.0/24 networks.

• Drop all FTP and FTPS traffic from the 10.100.12.0/24 network.

• Drop all peer-to-peer traffic from any network.

• Inspect (and allow) all FTP/FTPS traffic (except for that from 10.100.12.0/24, which is already

dropped).

• Inspect all HTTP traffic using an additional deep-inspection policy map.

• And finally, perform generic inspection of all remaining TCP/UDP traffic.

Figure 21-3 Example of Zone-based Rules for a Zone Pair

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems CL-28826-01 Security Camera User Manual