
🔥 Module 10: Zone-Based Policy Firewalls

🛡️ Advanced Network Security Implementation and Configuration

CCNA Level Firewall Security Zone Configuration

📋 Overview

Zone-Based Policy Firewalls (ZPF) represent a modern approach to Cisco IOS firewall configuration, replacing the traditional Classic Firewall model. ZPF organizes network interfaces into security zones and applies firewall policies to traffic moving between these zones, providing a structured and scalable security framework for enterprise networks.

This module covers ZPF fundamentals, operational principles, and comprehensive configuration procedures for implementing zone-based security policies using Cisco Common Classification Policy Language (C3PL).

🔑 Key Terms

Zone-Based Policy Firewall (ZPF)

A firewall configuration model where interfaces are assigned to security zones and policies are applied to traffic between zones rather than individual interfaces.

Security Zone

A logical grouping of interfaces that defines security boundaries for traffic policy enforcement within the network infrastructure.

Zone Pair

A directional relationship between source and destination zones that defines specific traffic flow policies and security actions.

Class Map

A configuration construct that identifies specific traffic types using match criteria (protocol, ACL, or other class maps) for policy application.

Policy Map

Defines actions (inspect, drop, pass) to be taken on traffic identified by class maps, implementing the actual security policy.

Self Zone

A system-defined zone representing the router itself, handling management traffic and routing protocol communications.

ZPF Fundamentals

ZPF vs Classic Firewall

| Aspect              | Classic Firewall               | Zone-Based Policy Firewall          |
|---------------------|--------------------------------|-------------------------------------|
| Policy Application  | Applied directly to interfaces | Applied between security zones      |
| Configuration Model | Interface-centric approach     | Zone-centric with C3PL integration  |
| Scalability         | Limited for complex networks   | Highly scalable zone-based approach |
| Documentation       | Interface-specific policies    | Structured zone relationships       |

Key Benefits

ZPF Advantages

  • ACL Independence: Not dependent on traditional access control lists
  • Default Deny: Security posture blocks traffic unless explicitly allowed
  • C3PL Integration: Uses Cisco Common Classification Policy Language for structured policies
  • Interface Flexibility: Virtual and physical interfaces can be grouped into zones
  • Unidirectional Policies: Policies applied to traffic between specific zone pairs

ZPF Actions

Inspect

Performs Cisco IOS stateful packet inspection, maintaining session information for TCP and UDP connections. Automatically allows return traffic for established sessions.

Drop

Discards traffic silently, without sending ICMP unreachable messages. Equivalent to an ACL deny statement, with optional logging.

Pass

Allows traffic to flow between zones without state tracking. Stateless action requiring separate policies for bidirectional communication.

Transit Traffic Rules

| Source Interface | Destination Interface | Zone-Pair Exists? | Policy Exists? | Result            |
|------------------|-----------------------|-------------------|----------------|-------------------|
| No Zone          | No Zone               | N/A               | N/A            | PASS              |
| Zone Member      | No Zone               | N/A               | N/A            | DROP              |
| Same Zone        | Same Zone             | N/A               | N/A            | PASS              |
| Zone A           | Zone B                | Yes               | Yes            | INSPECT/DROP/PASS |

Special Zone

Self Zone Traffic

The self zone represents the router itself, including all IP addresses assigned to router interfaces. Traffic to/from the self zone includes management traffic (SSH, SNMP) and routing protocol communications. Default behavior allows all self zone traffic unless specific zone-pair policies exist.

[Figure: ZPF Security Zone Topology Diagram. Basic three-zone network showing Private, DMZ, and Public zones with policy enforcement between zone boundaries.]

⚙️ Configuration Process

Configuration Steps

Five-Step ZPF Implementation

  1. Create security zones
  2. Identify traffic with class maps
  3. Define actions with policy maps
  4. Create zone pairs and associate policies
  5. Assign zones to interfaces

Step 1: Create Security Zones

Router(config)# zone security PRIVATE
Router(config-sec-zone)# exit
Router(config)# zone security PUBLIC
Router(config-sec-zone)# exit

Step 2: Identify Traffic with Class Maps

Router(config)# class-map type inspect match-any HTTP-TRAFFIC
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
Router(config-cmap)# match protocol dns

Match Criteria

Class Map Parameters

  • match-any: Traffic matches one of the specified criteria
  • match-all: Traffic must match all specified criteria
  • Match options: protocol, access-group, or another class-map

Step 3: Define Actions with Policy Maps

Router(config)# policy-map type inspect PRIV-TO-PUB-POLICY
Router(config-pmap)# class type inspect HTTP-TRAFFIC
Router(config-pmap-c)# inspect

Step 4: Create Zone Pairs

Router(config)# zone-pair security PRIV-PUB source PRIVATE destination PUBLIC
Router(config-sec-zone-pair)# service-policy type inspect PRIV-TO-PUB-POLICY

Step 5: Assign Zones to Interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# zone-member security PRIVATE
Router(config-if)# interface Serial0/0/0
Router(config-if)# zone-member security PUBLIC

Important

Configuration Order

Class maps must be configured before policy maps, and policy maps before zone pairs. Assigning an interface to a zone immediately activates the security policy; if no policy exists for the zone pair, all transit traffic between that zone and other zones is dropped.

Verification Commands

Configuration Verification

show run | begin class-map
show class-map type inspect
show policy-map type inspect
show zone security
show zone-pair security

Operational Verification

show policy-map type inspect zone-pair sessions

Displays active sessions, traffic statistics, and policy enforcement details for configured zone pairs.

📚 Case Study: Corporate Network ZPF Implementation

Real-World Application

Multi-Zone Corporate Network

A medium-sized corporation implements ZPF on their edge router to control traffic between internal networks (INSIDE zone), DMZ servers (DMZ zone), and internet access (OUTSIDE zone). The implementation allows internal users HTTP/HTTPS and DNS access to the internet while permitting external access to DMZ web servers.

Network Requirements

  • Internal users need HTTP/HTTPS and DNS access to internet
  • DMZ web servers must be accessible from internet
  • Internal network should access DMZ services
  • No direct internet access to internal network

Implementation Strategy

! Create zones
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! Define traffic classes (match-any: a packet matches if any listed protocol matches)
class-map type inspect match-any WEB-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any DMZ-SERVICES
 match protocol http
 match protocol https
!
! Create policies (traffic not matched by a listed class falls to class-default and is dropped)
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect WEB-TRAFFIC
  inspect
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect DMZ-SERVICES
  inspect
!
! Configure zone pairs (each is one direction; inspect allows the return traffic)
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ
!
! Step 5, assigning each interface to its zone with zone-member security, is not shown here

This configuration demonstrates a practical ZPF implementation with multiple zones: stateful inspection on each zone pair allows return traffic for permitted sessions while the default-deny behavior maintains the security boundaries between network segments.
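As an added example (not part of the module or of any Cisco tool), the following Python script models the transit traffic rules table from the ZPF Fundamentals section and evaluates the case-study configuration above against its four network requirements. The interface-to-zone mapping and the sample flows are assumptions, since the case study assigns no interfaces; running the check shows that the configuration as written has no zone pair from INSIDE to DMZ, so the third requirement is unmet and that traffic is dropped.

```python
# Constructed model of the ZPF transit-traffic rules applied to the case-study
# configuration; interface-to-zone assignments are assumed, not from the module.
CASE_STUDY = {
    "iface_zone": {"Gi0/0": "INSIDE", "Gi0/3": "INSIDE", "Gi0/1": "DMZ", "Gi0/2": "OUTSIDE"},
    "class_maps": {                    # match-any: any listed protocol matches
        "WEB-TRAFFIC": {"http", "https", "dns"},
        "DMZ-SERVICES": {"http", "https"},
    },
    "policies": {                      # policy map: ordered (class, action) entries
        "INSIDE-TO-OUTSIDE": [("WEB-TRAFFIC", "inspect")],
        "OUTSIDE-TO-DMZ": [("DMZ-SERVICES", "inspect")],
    },
    "zone_pairs": {                    # (source zone, destination zone) -> service-policy
        ("INSIDE", "OUTSIDE"): "INSIDE-TO-OUTSIDE",
        ("OUTSIDE", "DMZ"): "OUTSIDE-TO-DMZ",
    },
}

def transit_decision(cfg, in_iface, out_iface, protocol):
    """Apply the transit-traffic rules to one flow: PASS, DROP, or the policy action."""
    src = cfg["iface_zone"].get(in_iface)
    dst = cfg["iface_zone"].get(out_iface)
    if src is None and dst is None:
        return "PASS"                  # neither interface is a zone member
    if src is None or dst is None:
        return "DROP"                  # only one interface is a zone member
    if src == dst:
        return "PASS"                  # same zone: no policy is applied
    policy = cfg["zone_pairs"].get((src, dst))
    if policy is None:
        return "DROP"                  # no zone pair (or no service-policy) in this direction
    for class_name, action in cfg["policies"][policy]:
        if protocol in cfg["class_maps"][class_name]:
            return action.upper()      # first matching class wins: INSPECT/DROP/PASS
    return "DROP"                      # implicit class-default drops unmatched traffic

def unmet_requirements(cfg, requirements):
    """Labels of requirements whose flow does not receive the expected decision."""
    return [label for label, in_if, out_if, proto, want in requirements
            if transit_decision(cfg, in_if, out_if, proto) != want]

# The four case-study requirements as sample flows (constructed input).
REQUIREMENTS = [
    ("internal users reach internet web and dns", "Gi0/0", "Gi0/2", "https", "INSPECT"),
    ("internet reaches DMZ web servers", "Gi0/2", "Gi0/1", "http", "INSPECT"),
    ("internal network reaches DMZ services", "Gi0/0", "Gi0/1", "http", "INSPECT"),
    ("no direct internet access to internal network", "Gi0/2", "Gi0/0", "http", "DROP"),
]
```

Calling unmet_requirements(CASE_STUDY, REQUIREMENTS) returns the single label for the INSIDE-to-DMZ requirement; adding a third zone pair with its own inspect policy would clear it.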

⚠️ Common Pitfalls & Misconceptions

Pitfall

Configuration Order Dependencies

Attempting to reference non-existent class maps in policy maps or non-existent policy maps in zone pairs results in configuration errors. Always follow the proper sequence: zones → class maps → policy maps → zone pairs → interface assignment.

Pitfall

Interface Zone Assignment Impact

Assigning an interface to a zone immediately activates the security policy. If no policy exists for the zone pair, all transit traffic is dropped, causing immediate service interruption.

Misconception

Bidirectional Traffic Assumptions

ZPF policies are unidirectional by design. Return traffic requires either separate policies for the reverse direction or stateful inspection using the inspect action to automatically allow return traffic.

Best Practice

Implementation Guidelines

  • Plan zone design thoroughly before implementation
  • Use descriptive names for zones, class maps, and policies
  • Test policies in lab environment first
  • Document zone pairs and traffic flows
  • Monitor session statistics after implementation
  • Consider self zone traffic for management access
✅ Quick Checks

  1. What happens to traffic when both source and destination interfaces belong to the same security zone?
    Traffic passes without policy enforcement due to the same zone rule.
  2. Which ZPF action maintains session state information for return traffic?
    The inspect action performs stateful packet inspection and tracks connection state.
  3. What is the default behavior when one interface is a zone member and the other is not?
    Traffic is dropped regardless of whether a zone pair exists.
  4. What does the self zone represent in ZPF configuration?
    The router itself, including all IP addresses assigned to router interfaces for management and control traffic.
  5. Can an interface belong to multiple security zones simultaneously?
    No, each interface can only be a member of one security zone at a time.
  6. What command assigns an interface to a security zone?
    The zone-member security zone-name command in interface configuration mode.
  7. What is the primary advantage of ZPF over Classic Firewall configuration?
    Structured zone-based approach provides better organization, scalability, and easier policy management using C3PL.
📝 Summary

  • ZPF provides a modern, structured approach to firewall configuration using security zones and zone pairs
  • Five-step configuration process: create zones, identify traffic, define actions, create zone pairs, assign interfaces
  • Three traffic actions available: inspect (stateful), drop (deny), and pass (stateless)
  • Specific rules govern traffic flow based on interface zone membership and policy existence
  • Self zone handles router management and control traffic with special rules
  • Unidirectional policies require careful planning for bidirectional traffic requirements
  • C3PL integration provides structured policy language for scalable implementations
  • Proper planning, testing, and documentation essential for successful ZPF deployment