21-53
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Troubleshooting Zone-based Rules and Configurations
Related Topics
Zone Based Firewall Page, page 21-49
Understanding the Zone-based Firewall Rules, page 21-3
Configuring Settings for Zone-based Firewall Rules, page 21-48
Troubleshooting Zone-based Rules and Configurations
Zone-based firewall rules are powerful, but also complex. Using zone rules, you can replace access rules,
inspection rules, and Web filter rules with a single type of firewall rule. Because zone-based firewall
rules can perform so many possible actions, the configuration generated from them uses many different
types of configuration commands, including structures for access control lists (ACLs), class maps, and
policy maps. There is no one-to-one correspondence between a zone-based firewall rule and a line in the
configuration (unlike access rules, for example).
To illustrate this complexity, this topic describes the relationship between zone-based firewall rules and
the configuration generated from them. You do not need to know any of the information in this topic to
create and deploy zone-based firewall rules. However, if you are familiar with the CLI (command line
interface), or if you find that your rules are generating undesired results, this information can help you
understand and troubleshoot zone-based firewall rules.
Consider the set of rules shown in the following illustration. These rules form a policy for a single zone
pair, affecting traffic moving from the Inside zone to the Outside zone. This is traffic from your internal
network going to the Internet. The rules define the following actions:
- Drop all traffic from the 10.100.10.0/24 and 10.100.11.0/24 networks.
- Drop all FTP and FTPS traffic from the 10.100.12.0/24 network.
- Drop all peer-to-peer traffic from any network.
- Inspect (and allow) all FTP/FTPS traffic (except for that from 10.100.12.0/24, which is already dropped).
- Inspect all HTTP traffic using an additional deep-inspection policy map.
- And finally, perform generic inspection of all remaining TCP/UDP traffic.
Figure 21-3 Example of Zone-based Rules for a Zone Pair
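The six rules above, written out as the kind of IOS zone-based firewall configuration they generate. This is an added, constructed example, not the guide's figure and not the object names Security Manager itself produces; all ACL, class-map, policy-map and zone-pair names are assumed. The drop classes sit before the FTP inspect class because the first matching class in a policy map wins, which is how the "already dropped" exception for 10.100.12.0/24 is realised.

```cisco
! Constructed example, not the guide's own output: IOS ZBF configuration
! equivalent to the six Inside->Outside rules; class order = rule order.
ip access-list extended DROP_SRC_NETS
 permit ip 10.100.10.0 0.0.0.255 any
 permit ip 10.100.11.0 0.0.0.255 any
ip access-list extended NET12_SRC
 permit ip 10.100.12.0 0.0.0.255 any
class-map type inspect match-any CM_FTP
 match protocol ftp
 match protocol ftps
class-map type inspect match-all CM_DROP_NETS
 match access-group name DROP_SRC_NETS
class-map type inspect match-all CM_DROP_FTP_NET12
 match access-group name NET12_SRC
 match class-map CM_FTP
class-map type inspect match-any CM_P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
class-map type inspect match-any CM_HTTP
 match protocol http
class-map type inspect match-any CM_TCP_UDP
 match protocol tcp
 match protocol udp
! Layer 7 (deep) HTTP inspection policy, attached to CM_HTTP below
class-map type inspect http match-any CM_HTTP_VIOLATION
 match req-resp protocol-violation
policy-map type inspect http PM_HTTP_DEEP
 class type inspect http CM_HTTP_VIOLATION
  reset
policy-map type inspect PM_INSIDE_OUTSIDE
 class type inspect CM_DROP_NETS
  drop log
 class type inspect CM_DROP_FTP_NET12
  drop log
 class type inspect CM_P2P
  drop
 class type inspect CM_FTP
  inspect
 class type inspect CM_HTTP
  inspect
  service-policy http PM_HTTP_DEEP
 class type inspect CM_TCP_UDP
  inspect
 class class-default
  drop
zone security Inside
zone security Outside
zone-pair security ZP_IN_OUT source Inside destination Outside
 service-policy type inspect PM_INSIDE_OUTSIDE
```

When troubleshooting, `show policy-map type inspect zone-pair ZP_IN_OUT` reports per-class hit counts, so a flow landing in the wrong class (for example FTP from 10.100.12.0/24 being inspected rather than dropped) shows up as counters on an unexpected class.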