User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Settings for Zone-based Firewall Rules
The Zones tab lists all unreferenced zones defined on the device; that is, zones without any associated
interfaces, rules or policies. Unreferenced zones are usually found and listed during device discovery,
but you also can create named, “empty” zones here.
Step 3 (Optional) On the VPN tab, supply the name of the zone specifically set up for VPN traffic.
This zone ensures that dynamic VPN traffic can be processed by the zone-based firewall rules on this
router. See Using VPNs with Zone-based Firewall Policies, page 21-5 for more information.
Step 4 (Optional) On the WAAS tab, select Enable WAAS to enable Wide Area Application Services
interoperability.
If this option is not enabled, packets being optimized by a WAAS device may be dropped because WAAS
increases the TCP packet sequence number during the TCP handshake. This behavior may be viewed as
a possible attack by the IOS device.
Step 5 (Optional) On the Content Filter Settings tab, provide server settings for Trend Micro-based content
filtering.
To use Trend Micro-based content filtering, you must configure contact information for the Trend Micro
server on this tab of the Zone Based Firewall page. This tab also provides links to Trend Micro
registration and certificate download. You must have an active subscription with Trend Micro to utilize
this form of content filtering, and you must download and install a valid subscription certificate on this
IOS device.
For more information, see Zone Based Firewall Page - Content Filter Tab, page 21-51.
Step 6 (Optional) On the Global Parameters (ASR) tab, you can configure global, logging-related settings
specific to ASR devices:
Log Dropped Packets – Select this option to log all packets dropped by the device; syslog logging
must be enabled to view the information.
Log Flow export timeout rate – NetFlow logs are created after a flow either expires or is timed out,
so it is important to put a time limit on how long a flow can remain active before it expires. This value
is the maximum number of minutes a flow can remain active before it is expired. The value can be any
integer from 1 to 3600; the default is 30.
Log Flow export destination IP – The IP address or host name of the NetFlow collector to which
flow data is to be sent.
Log Flow export destination port – The UDP port monitored by the NetFlow collector for flow data.
Zone Based Firewall Page
Use the Zone Based Firewall page to configure and identify unreferenced zones, specify a VPN zone,
enable or disable WAAS support, maintain Trend Micro server and certificate information, and specify
global Log settings on supported ASR devices.
The following tabs are described in the table on this page:
Zones
VPN
WAAS
Global Parameters (ASR)
The Content Filtering tab is detailed in Zone Based Firewall Page - Content Filter Tab, page 21-51.