User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
In this illustration:
The interface providing common services is a member of the zone “common.”
All of VRF A is in a single zone, “vrf_A.”
VRF B, which has multiple interfaces, is partitioned into two zones “vrf_B_1” and “vrf_B_2.”
Zone Z1 does not have VRF interfaces.
Based on this configuration:
You can specify policies between each of these zones and the common zone. Additionally, you can specify policies between each of the zones vrf_A, vrf_B_n and Z1 if VRF route export is configured and the traffic patterns make sense.
You can configure a policy between zones vrf_A and vrf_B_1, but be sure that traffic can flow between them.
You do not need to specify the global thresholds and timers on a per-VRF basis. Instead, parameters are supplied to the Inspect action through a parameter map.
Related Topics
Understanding the Zone-based Firewall Rules, page 21-3
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules
When you create a zone-based firewall rule, you must specify two execution-related settings: Permit/Deny and an Action (Drop, Pass, Inspect, or Content Filter). To obtain the results you want, you must clearly understand the relationship between these two parameters:
Permit/Deny—The Permit/Deny setting appears to correspond to Permit/Deny in an access control list (ACL) entry. However, in zone-based firewall rules, unlike in standard access rules, these keywords do not permit or deny traffic. Instead, they specify whether you want to apply an Action to the traffic flow defined by the Source, Destination, and Services fields, and they affect processing of related class maps.
Permit – Applies the specified Action to traffic that matches the Source, Destination, and Services fields. (If protocols are listed in the Protocols table, the Action is further limited to those protocols.)
Tip: Essentially all of your zone-based rules should be Permit rules. This is the easiest configuration to understand—it means you are identifying the traffic to which you want the chosen Action applied.
Deny – Exempts the traffic defined by the Source, Destination, and Services fields. (If protocols are listed in the Protocols table, the exemption is further limited to those protocols.) In other words, treat the traffic as not matching the rule. Instead, evaluate subsequent class maps (which are not the same as zone rules) for the zone pair and look for a subsequent map that matches the traffic. If no subsequent map matches the traffic, apply the default rule to the traffic (see Changing the Default Drop Behavior, page 21-47).
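The following Python model, added here and not part of the Cisco Security Manager guide or product, shows why a Deny rule is an exemption rather than a block: a flow that hits a Deny entry falls through to later class maps and finally to the zone pair's default rule, while a Permit rule with the Drop action really drops. The grouping of adjacent same-Action rules into one ACL-like class map, the "*" any-service convention, and the rule table are assumptions for illustration; the guide notes the real rule-to-class-map conversion is not one-to-one and must be previewed.

```python
from dataclasses import dataclass
from typing import List

DEFAULT_ACTION = "Drop"  # the zone pair's default rule unless it has been changed

@dataclass(frozen=True)
class Rule:
    permit: bool   # True = Permit, False = Deny (an exemption, not a block)
    action: str    # Drop, Pass, Inspect or Content Filter
    src: str       # source zone
    dst: str       # destination zone
    service: str   # e.g. "tcp/80"; "*" means any service (model convention)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str

def entry_matches(rule: Rule, flow: Flow) -> bool:
    """Source, Destination and Services fields match the flow."""
    return (rule.src, rule.dst) == (flow.src, flow.dst) and rule.service in ("*", flow.service)

def to_class_maps(rules: List[Rule]) -> List[List[Rule]]:
    """Assumed conversion: adjacent rules with the same Action form one ACL-like class map."""
    maps: List[List[Rule]] = []
    for rule in rules:
        if maps and maps[-1][0].action == rule.action:
            maps[-1].append(rule)
        else:
            maps.append([rule])
    return maps

def evaluate(rules: List[Rule], flow: Flow, default: str = DEFAULT_ACTION):
    """Return (action, where). The first matching entry of a class map decides: Permit applies
    its Action; Deny makes the map not match, so later maps and then the default rule are tried."""
    for i, cmap in enumerate(to_class_maps(rules)):
        for rule in cmap:
            if entry_matches(rule, flow):
                if rule.permit:
                    return cmap[0].action, f"class map {i}"
                break  # Deny: exempt from this class map, move on to the next
    return default, "default rule"

# Constructed rule table: drop telnet, exempt tcp/8080 from inspection, inspect other vrf_A -> common traffic.
RULES = [
    Rule(True, "Drop", "vrf_A", "common", "tcp/23"),
    Rule(False, "Inspect", "vrf_A", "common", "tcp/8080"),
    Rule(True, "Inspect", "vrf_A", "common", "*"),
]
```

Change the default to "Pass" and the exempted tcp/8080 flow is passed instead of dropped, which is the clearest demonstration that Deny never blocks anything on its own.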
It is important to understand that there is not a one-to-one relationship between zone rules and class maps. Therefore, you cannot determine just by looking at the rules table how the rules will be converted to class maps. You must preview the configuration to see which subsequent rules