Zone based Firewall:
Zone-based Firewall, or ZFW, is a new approach to configuring access control in the IOS firewall. Prior to this feature, traffic filtering was accomplished using access lists and stateful traffic inspection rules (CBAC). Both the access lists and the inspection rules apply directly to physical interfaces, which may poorly reflect the organization's security policy, since the policy deals with higher-level objects than interfaces. The new core concept of ZFW is the zone, which groups interfaces that share the same security attributes and the same level of trust. For example, you may have security zones that reflect your enterprise's partitioning into security levels. On the figure below, you can see three security zones assigned to three router interfaces:
By default, traffic is permitted between interfaces within the same security zone and blocked between different zones. Traffic between an interface configured in a security zone and an interface not in any zone is blocked. In addition, you cannot apply classic firewall rules (e.g. access lists or inspection rules) to an interface configured in a security zone. There is one default zone in every router, known as self, which encompasses the router's own IP addresses. Traffic between this zone and any other zone is permitted by default, to allow for control plane and management plane traffic. However, you may apply an explicit policy between the self zone and any other configured zone to control router-originated traffic. If you apply a policy from any configured zone to the self zone, traffic from the self zone to the other zone will still be permitted, but the returning traffic from the configured zone may be blocked. To resolve this, you may need to assign a policy from zone self to the configured zone and inspect the router-generated traffic.
Zone based firewall implements the same set of features as the classic IOS firewall. It allows defining advanced inspection options, such as deep inspection and parameter tuning. To accomplish all listed features, ZFW uses.
The syntax for the new configuration language was heavily borrowed from the well-known MQC (Modular QoS CLI) and resembles it in many ways: class-maps classify traffic, policy-maps associate actions with those classes, and the resulting policy is attached to a zone-pair.
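A minimal ZFW configuration in the MQC-style syntax described above, added here as an example rather than taken from the original text: three zones, an inspect policy from INSIDE to OUTSIDE, and the pair of self-zone policies needed so that router-originated traffic keeps working once a policy toward self exists. Zone names, interface assignments and the permitted protocols are assumptions for illustration.

```cisco
! Added example: zone names, interfaces and protocol lists are assumed
zone security INSIDE
zone security DMZ
zone security OUTSIDE
!
! Classify what INSIDE hosts may initiate toward OUTSIDE
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateful inspection for the matched class; everything else is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Policy toward self: once present, management access must be listed explicitly
class-map type inspect match-any CM-MGMT-TO-SELF
 match protocol ssh
 match protocol icmp
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! Companion self -> OUTSIDE policy: inspect router-originated traffic so replies are not blocked
class-map type inspect match-any CM-SELF-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-SELF-TO-OUTSIDE
  inspect
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security DMZ
interface GigabitEthernet0/2
 zone-member security OUTSIDE
```

With no zone-pair defined between INSIDE and DMZ, traffic between those two zones stays blocked by default; `show policy-map type inspect zone-pair sessions` lets you confirm that the inspected sessions are being tracked.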