Steps to configure a zone-based policy firewall

1. Identify the interfaces that have the same security function and place them in the same security zone.

2. Decide what traffic needs to cross between zones, in each direction.

3. Configure the zones.

4. Configure the zone pairs; if no traffic needs to be permitted in a given direction, no zone pair is needed for that direction.

5. Define class maps that match the traffic between zones.

6. Configure policy maps that reference the traffic matched by the class maps and apply the appropriate actions.

7. Assign the policy maps to the zone pairs.

Zone-based policy actions

1. inspect

Stateful inspection of the matching traffic

2. drop

Drop the matching traffic

3. pass

Permit the matching traffic (without stateful inspection)

4. police

Rate-limit the matching traffic

5. service-policy

DPI (apply deep application-layer control)

1. Create the zones

zone security outside

zone security inside

2. Assign the zones to interfaces

interface f0/0

zone-member security inside

interface f1/0

zone-member security outside

1. Match outbound traffic

class-map type inspect match-any inside-to-outside.class

match protocol http

match protocol smtp

match protocol ftp

match protocol telnet

match protocol icmp

2. Match inbound traffic

ip access-list extended internet-to-inside.web.traffic

permit ip any host 10.1.1.100

class-map type inspect match-all outside-to-inside.class

match protocol http

match access-group name internet-to-inside.web.traffic

Pay close attention to this recommended way of configuring traffic matching.

1. Outbound traffic parameter-map

parameter-map type inspect inside-to-outside.pa

max-incomplete low 800

max-incomplete high 1000

tcp synwait-time 15

2. Inbound traffic parameter-map

parameter-map type inspect outside-to-inside.pa

max-incomplete low 80

max-incomplete high 100

1. Outbound traffic policy-map

policy-map type inspect inside-to-outside.policy

class type inspect inside-to-outside.class

inspect inside-to-outside.pa

2. Inbound traffic policy-map

policy-map type inspect outside-to-inside.policy

class type inspect outside-to-inside.class

inspect outside-to-inside.pa

1. Apply the policy-map to the outbound zone-pair

zone-pair security inside-to-outside.zonepairs source inside destination outside

service-policy type inspect inside-to-outside.policy

2. Apply the policy-map to the inbound zone-pair

zone-pair security outside-to-inside.zonepairs source outside destination inside

service-policy type inspect outside-to-inside.policy
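A ZBFW policy is a chain of named references (interface and zone-pair to zone, class-map to ACL, policy-map to class-map and parameter-map, zone-pair to policy-map), and a single misspelled name silently breaks the chain. As an added example that is not part of the original notes, the following Python script cross-checks a configuration for such dangling references; the sample configuration is constructed to mirror the one above, with two deliberately misspelled names so the script has something to report.

```python
import re

# Constructed sample mirroring the ZBFW config in the notes above, keeping two
# dangling references: a misspelled ACL name and a misspelled policy-map name.
SAMPLE_CONFIG = """\
zone security outside
zone security inside
interface f0/0
 zone-member security inside
interface f1/0
 zone-member security outside
ip access-list extended internet-to-inside.web.traffic
 permit ip any host 10.1.1.100
class-map type inspect match-any inside-to-outside.class
 match protocol http
class-map type inspect match-all outside-to-inside.class
 match access-group name intermeet-to-inside.web.traffic
parameter-map type inspect inside-to-outside.pa
policy-map type inspect inside-to-outside.policy
 class type inspect inside-to-outside.class
  inspect inside-to-outside.pa
zone-pair security inside-to-outside.zonepairs source inside destination outside
 service-policy type inspect inside-to-touside.policy
"""

# (object kind, regex capturing a definition, regex capturing a reference to it)
RULES = [
    ("zone", r"^zone security (\S+)", r"^\s*zone-member security (\S+)"),
    ("acl", r"^ip access-list extended (\S+)", r"^\s*match access-group name (\S+)"),
    ("class-map", r"^class-map type inspect (?:match-\w+ )?(\S+)", r"^\s*class type inspect (\S+)"),
    ("parameter-map", r"^parameter-map type inspect (\S+)", r"^\s+inspect (\S+)"),
    ("policy-map", r"^policy-map type inspect (\S+)", r"^\s*service-policy type inspect (\S+)"),
]
# zone-pairs reference two zones at once, so they get their own pattern
ZONE_PAIR = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")

def find_dangling_refs(config):
    """Return [(kind, name, line_no)] for each reference to an object never defined."""
    lines = list(enumerate(config.splitlines(), 1))
    problems = []
    for kind, def_re, ref_re in RULES:
        defined = {m.group(1) for _, ln in lines if (m := re.match(def_re, ln))}
        refs = [(m.group(1), i) for i, ln in lines if (m := re.match(ref_re, ln))]
        if kind == "zone":
            for i, ln in lines:
                if m := ZONE_PAIR.match(ln):
                    refs += [(m.group(1), i), (m.group(2), i)]
        problems += [(kind, name, i) for name, i in refs if name not in defined]
    return sorted(problems, key=lambda p: p[2])
```

Running `find_dangling_refs(SAMPLE_CONFIG)` flags the ACL referenced on line 12 and the policy-map referenced on line 18 of the sample; feed it the output of `show running-config` to check a live box.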

Zone-based firewall show commands

1. show zone security

2. show zone-pair security

3. show class-map type inspect

4. show parameter-map type inspect

5. show policy-map type inspect

6. show policy-map type inspect zone-pair sessions