Zone-Based Policy Firewall is a powerful firewall feature that applies policy to traffic moving between security zones.
The first step is to create zones, for example Outside, Inside and DMZ, and then place each interface in the zone you created for it.
By default, interfaces in different zones cannot talk to each other, while interfaces in the same zone can.
Next you create zone pairs, each with a source zone and a destination zone.
Then you configure an interzone access policy for each zone pair using the C3PL language (Cisco Common Classification Policy Language).
You will need to use three main configuration constructs:
- Class maps provide traffic classification.
Class maps describe and group traffic into classes, based on one or more match conditions.
A class map can match on an ACL, on a protocol, or on another class map.
Conditions can be combined with OR (the default, match-any), AND (match-all), or NOT.
Example:
Telnet traffic between 2001:db8:1::1 and 2001:db8:2::2
- Policy maps associate actions with traffic classes.
Policy maps determine the firewall action applied to each class:
pass, drop, inspect, log, reset.
Classes are evaluated in order.
A policy map is applied to each configured zone pair.
There is always an implicit class-default as the last class in each policy map, and its default action is drop.
Example:
Telnet traffic between 2001:db8:1::1 and 2001:db8:2::2 -> inspect
FTP traffic between 2001:db8:4::1 and 2001:db8:5::2 -> pass
Any Telnet, FTP or HTTP -> inspect
class-default -> log
- Parameter maps tune inspection parameters for a class.
parameter-map type inspect ipv6-header
ipv6 routing-header-enforcement loose
By default the Zone-Based Policy Firewall drops all IPv6 packets that carry a routing header; the parameter map above relaxes that check to loose enforcement.
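The class-map and policy-map examples above, written out as a complete zone-based firewall configuration for one Inside-to-Outside zone pair. This is an added example, not configuration from the original post; the interface names, ACL names and map names are assumed, the host addresses are the ones the post uses.

```cisco
! Zones: traffic may only cross zones where a zone pair with a policy allows it
zone security INSIDE
zone security OUTSIDE
!
! Interface names are assumed for this example
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! ACLs that pin the two host pairs from the post's example
ipv6 access-list TELNET-1-TO-2
 permit tcp host 2001:db8:1::1 host 2001:db8:2::2 eq telnet
ipv6 access-list FTP-4-TO-5
 permit tcp host 2001:db8:4::1 host 2001:db8:5::2 eq ftp
!
! match-all = AND: the ACL must match AND the protocol must be Telnet
class-map type inspect match-all CM-TELNET-1-TO-2
 match access-group name TELNET-1-TO-2
 match protocol telnet
class-map type inspect match-all CM-FTP-4-TO-5
 match access-group name FTP-4-TO-5
 match protocol ftp
! match-any = OR: any one of the three application protocols
class-map type inspect match-any CM-TELNET-FTP-HTTP
 match protocol telnet
 match protocol ftp
 match protocol http
!
! Classes are evaluated top to bottom; the first matching class wins
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-TELNET-1-TO-2
  inspect
 class type inspect CM-FTP-4-TO-5
  pass
 class type inspect CM-TELNET-FTP-HTTP
  inspect
 class class-default
  drop log
!
! Bind the policy to the zone pair; no pair exists for the reverse direction, so it stays blocked
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Note that pass is stateless: the FTP return traffic needs a matching pass on an OUTSIDE-to-INSIDE zone pair, whereas inspect creates the return-traffic state automatically. The post's "log" on class-default is realised here as drop with logging, which keeps the default drop behaviour while recording what was dropped.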