User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Use sections to organize the rules for each zone pair. Sections make it easy for you to see all of the
rules for a pair, which can be critical if your rules have sequential dependencies. For more
information on working with sections, see Using Sections to Organize Rules Tables, page 12-20.
Developing and Applying Zone-based Firewall Rules
The following is a general overview of how to develop and apply zone-based firewall rules to your
network.
1. Consider your network, and its sub-networks, in terms of security zones—think about the security requirements of the various zones. As a general guideline, group router interfaces that are similar when viewed from a security perspective.
2. Determine the types of traffic to be examined as it travels from one zone to another, and decide how each type is to be examined and handled.
3. Define zone-based firewall rules that implement these decisions. This process may include some or all of the following procedures, which you can perform prior to defining the rules themselves, or as necessary during rule definition:
   - Define the zones by creating named Interface Role objects, assigning the appropriate interfaces and interface patterns to them.
   - Define/edit Port Application Mapping (PAM) settings for specific Layer 4 protocols and ports, and optionally specific networks and hosts.
   - Configure Deep Packet Inspection (DPI) policies for Layer 7 protocols—HTTP, IMAP, instant messaging (IM), and peer-to-peer (P2P).
   - Configure Protocol Info parameter maps; these define the DNS servers that interact with the IM applications.
   - Configure Inspect parameter maps that define connection, timeout, and other settings for the Inspect action.
   - Define WebFilter parameter or policy maps for URL-based content filtering.
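For reference, the following is an added illustration (not text or output from this guide) of how the objects listed above map to the zone-based firewall configuration that ends up on a Cisco IOS router: Interface Roles become security zones, PAM settings become ip port-map entries, Inspect parameter maps become parameter-map type inspect, and DPI policies become Layer 7 class and policy maps attached to the zone pair. Zone names, interface names, the port number and the thresholds are constructed values for the example.

```text
! Zones (Interface Role objects in Security Manager) and their member interfaces
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

! Port Application Mapping: treat TCP/8080 as HTTP so it gets HTTP inspection
ip port-map http port tcp 8080

! Inspect parameter map: connection and timeout settings for the Inspect action
parameter-map type inspect PM-INSPECT
 tcp idle-time 3600
 tcp synwait-time 20
 max-incomplete high 1000
 max-incomplete low 800
 audit-trail on

! Deep Packet Inspection (Layer 7) for HTTP: reset sessions that tunnel IM or
! violate the protocol, and log them
class-map type inspect http match-any CM-HTTP-L7
 match request port-misuse im
 match req-resp protocol-violation
policy-map type inspect http PM-HTTP-L7
 class type inspect http CM-HTTP-L7
  reset
  log

! Layer 3/4 class: the traffic types chosen in step 2 for this zone pair
class-map type inspect match-any CM-IN-TO-OUT
 match protocol http
 match protocol dns
 match protocol icmp

! Zone-pair policy: inspect the selected traffic with the parameter map above,
! apply the HTTP DPI policy, and drop (and log) everything else
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect PM-INSPECT
  service-policy http PM-HTTP-L7
 class class-default
  drop log

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
```

Traffic for which no zone pair and policy exist is dropped, so every zone pair you intend to allow needs an explicit policy like the one above.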
The following topics provide additional information about these procedures:
Understanding Map Objects, page 6-72
Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35
Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15
Adding Zone-Based Firewall Rules
This procedure explains how to configure a zone-based firewall rule in Security Manager.
Related Topics
Understanding the Zone-based Firewall Rules, page 21-3
Configuring Settings for Zone-based Firewall Rules, page 21-48
Understanding Map Objects, page 6-72
Enabling and Disabling Rules, page 12-20
Adding and Removing Rules, page 12-9