Zone-Based Firewall
The zone-based firewall model evaluates traffic between security zones using class maps and policy maps. It is designed for policy reasoning and labs, not for deep inspection of application payloads.
Support level
| Area | Level | Notes |
|---|---|---|
| Security zones | Supported | Interfaces can be assigned to zones. |
| Zone pairs | Supported | Source/destination zone policy attachment. |
| Class maps | Supported | Match ACLs and protocol categories where implemented. |
| Policy maps | Supported | inspect, pass, and drop style actions. |
| Stateful inspection | Behaviour model | Return traffic can be allowed through connection state. |
| Application inspection | Partial | Protocol names are matched; payload parsing is limited. |
Standards coverage
| Standard | Coverage | Notes |
|---|---|---|
| Cisco IOS ZBFW | Behaviour model | Zone, zone-pair, class-map, policy-map semantics. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| zone security | Supported | Creates a zone. |
| zone-member security | Supported | Assigns an interface to a zone. |
| zone-pair security | Supported | Binds source/destination zones. |
| class-map type inspect | Supported | Classifies traffic. |
| policy-map type inspect | Supported | Applies actions. |
| inspect | Supported | Allows matching traffic and its return flow. |
| pass / drop | Supported | Stateless allow/drop decisions. |
| Self zone | Partial | Supported where parser/runtime paths cover it. |
Vendor command matrix
| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
| zone security INSIDE | Supported | n/a | n/a | Zone definition. |
| zone-member security INSIDE | Supported | n/a | n/a | Interface membership. |
| class-map type inspect match-any WEB | Supported | n/a | n/a | Classification. |
| policy-map type inspect INSIDE-OUT | Supported | n/a | n/a | Policy actions. |
| service-policy type inspect INSIDE-OUT | Supported | n/a | n/a | Zone-pair attachment. |
| show policy-map type inspect zone-pair | Supported | n/a | n/a | Runtime view. |
Behaviour notes
Zone policy is evaluated after routing identifies the egress side. When no zone-pair policy permits the flow, the conservative result is deny.
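As an added illustration (not the project's own code), the following Python model walks a flow through the evaluation order described above using the zones, class map and policy map of the canonical example on this page; the interface names, the same-zone pass and the session tuple are assumptions made for the model.

```python
# Added example, not the project's implementation: a small model of zone-pair
# evaluation. Zones, class maps and policy maps are assumed sample values that
# mirror the canonical IOS-style configuration on this page.
from collections import namedtuple

Flow = namedtuple("Flow", "src_if dst_if proto")

ZONES = {"GigabitEthernet0/1": "INSIDE", "GigabitEthernet0/0": "OUTSIDE"}
CLASS_MAPS = {"WEB": {"http", "https"}}            # class-map type inspect match-any WEB
POLICY_MAPS = {"INSIDE-OUT": [("WEB", "inspect")]}  # class-default is an implicit drop
ZONE_PAIRS = {("INSIDE", "OUTSIDE"): "INSIDE-OUT"}  # zone-pair IN-OUT, service-policy INSIDE-OUT


class Zbfw:
    def __init__(self):
        self.sessions = set()   # connection state created only by the inspect action

    def evaluate(self, flow):
        src, dst = ZONES.get(flow.src_if), ZONES.get(flow.dst_if)
        # Return traffic of an inspected session is allowed by state, not by policy.
        if (flow.dst_if, flow.src_if, flow.proto) in self.sessions:
            return "allow-by-state"
        if src is not None and src == dst:
            return "pass"               # assumption: same-zone traffic is not policed
        if src is None or dst is None:
            return "drop"               # interface outside any zone: deny
        policy = ZONE_PAIRS.get((src, dst))
        if policy is None:
            return "drop"               # no zone-pair for this direction: conservative deny
        for cls, action in POLICY_MAPS[policy]:
            if flow.proto in CLASS_MAPS[cls]:
                if action == "inspect":
                    self.sessions.add((flow.src_if, flow.dst_if, flow.proto))
                return action           # inspect, pass or drop as configured
        return "drop"                   # class-default


def demo():
    fw = Zbfw()
    outbound = fw.evaluate(Flow("GigabitEthernet0/1", "GigabitEthernet0/0", "http"))
    reply = fw.evaluate(Flow("GigabitEthernet0/0", "GigabitEthernet0/1", "http"))
    unsolicited = fw.evaluate(Flow("GigabitEthernet0/0", "GigabitEthernet0/1", "ssh"))
    return outbound, reply, unsolicited   # ("inspect", "allow-by-state", "drop")
```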
Examples
Canonical example

```
configure terminal
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any WEB
 match protocol http
 match protocol https
policy-map type inspect INSIDE-OUT
 class type inspect WEB
  inspect
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT
interface GigabitEthernet0/1
 zone-member security INSIDE
end
```

Vendor styles

IOS-style

```
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any WEB
 match protocol http
policy-map type inspect INSIDE-OUT
 class type inspect WEB
  inspect
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUT
```

Junos-style

```
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies from-zone trust to-zone untrust policy WEB match source-address any
set security policies from-zone trust to-zone untrust policy WEB match destination-address any
set security policies from-zone trust to-zone untrust policy WEB match application junos-http
set security policies from-zone trust to-zone untrust policy WEB then permit
```

VyOS-style

```
set firewall zone INSIDE interface eth1
set firewall zone OUTSIDE interface eth0
set firewall ipv4 name INSIDE-OUT default-action drop
set firewall ipv4 name INSIDE-OUT rule 10 action accept
set firewall zone OUTSIDE from INSIDE firewall ipv4-name INSIDE-OUT
```

Known limits
Deep packet inspection, ALG helpers, full self-zone behaviour, NAT/firewall vendor ordering quirks, and detailed session timeout tuning are simplified.