ZBPFW stands for Zone-Based Policy Firewall
Zone-Based Policy Firewall is a feature of Cisco IOS that lets you configure firewall policies based on zones, which are groups of interfaces with similar security requirements. It provides more flexibility and granularity than the older interface-based firewall, CBAC (Context-Based Access Control), which applies inspection rules per interface and per direction of traffic.
With Zone-Based Policy Firewall, you create zones and assign interfaces to them. For example, you can create a zone for the internal network, a zone for the external network, and a zone for the demilitarized zone (DMZ). There is also a predefined zone called the self zone, which represents traffic sourced by or destined to the router itself (management sessions, routing protocols, and so on). Three defaults matter here: traffic between interfaces in the same zone is permitted, traffic between two different zones is dropped until a zone-pair with a policy permits it, and traffic to or from the self zone is permitted until a zone-pair involving self is configured. An interface that belongs to no zone cannot exchange traffic with any interface that belongs to a zone.
After creating the zones, you can define the security policies that apply to the traffic between the zones. A security policy consists of a class-map, which specifies the traffic to be matched, and a policy-map, which specifies the action to be taken on the matched traffic. The action can be one of the following:
• Inspect: This action allows the traffic through and creates a stateful session entry for it. The firewall tracks the connection and permits the return traffic automatically, so no policy is needed on the reverse zone-pair. Inspect is also the action under which application (Layer 7) inspection is available, via nested Layer 7 class-maps and policy-maps, for protocols such as HTTP, FTP, SMTP, instant messaging and P2P applications.
• Pass: This action allows the traffic through without creating a session entry. The firewall does not track the connection, so return traffic must be explicitly permitted by a policy on the reverse zone-pair. No application inspection is performed on passed traffic. Pass is appropriate for protocols that are hard to track statefully (for example IPsec ESP between two gateways), not as a general substitute for inspect.
• Drop: This action discards the traffic. Dropping is silent unless the log keyword is added (drop log), in which case a syslog message is generated for the dropped packets. Drop is the implicit action of the class-default class in every inspect policy-map, so anything a policy does not explicitly match is dropped, and traffic between two zones with no zone-pair at all is dropped as well. No inspection is performed on dropped traffic.
You can tune the behaviour of the inspect action with a parameter-map of type inspect, which carries settings such as alert and audit-trail logging, TCP/UDP/ICMP idle timeouts, and half-open (max-incomplete) session limits. Within a class you can also add the police action, which rate-limits the inspected traffic for that class to a given rate and burst; police is only valid together with inspect.
To apply a policy, you create a zone-pair, which names a source zone and a destination zone and therefore a single direction of traffic. You then attach one policy-map of type inspect to that zone-pair with service-policy type inspect; it applies to all traffic leaving any interface in the source zone towards any interface in the destination zone. Only one zone-pair can exist for a given source/destination combination, and it holds exactly one service policy, so different types of traffic between the same two zones (for example HTTP and FTP) are separated by different class-maps inside that one policy-map, not by separate zone-pairs. A second zone-pair with the zones reversed is needed only if you want to permit traffic that is initiated from the other side.
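The following is a complete example of the procedure described above, written for this page rather than taken from Cisco documentation or from any real deployment. Zone names, interface numbers, the address ranges 10.0.0.0/24 and 192.0.2.10, the ACL and class-map names and the policing values are all assumptions chosen for illustration. It defines three zones plus a self-zone policy, a parameter-map, inspect / pass / drop log actions, a police sub-action, and the zone-pairs that bind everything together.

```cisco
! --- 1. Zones ---------------------------------------------------------
zone security INSIDE
 description Internal users
zone security OUTSIDE
 description Internet-facing
zone security DMZ
 description Public web server

! --- 2. Match criteria (assumed addresses) ----------------------------
ip access-list extended INSIDE-NETS
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended DMZ-WEB
 permit tcp any host 192.0.2.10
ip access-list extended MGMT-SSH
 permit tcp 10.0.0.0 0.0.0.255 any eq 22

! Layer 4 protocols allowed from INSIDE to OUTSIDE; match-any = OR
class-map type inspect match-any INSIDE-TO-OUTSIDE-PROTOS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
! match-all = AND: must be an inside source AND one of the protocols
class-map type inspect match-all INSIDE-TO-OUTSIDE
 match access-group name INSIDE-NETS
 match class-map INSIDE-TO-OUTSIDE-PROTOS

class-map type inspect match-any OUTSIDE-TO-DMZ-PROTOS
 match protocol http
 match protocol https
class-map type inspect match-all OUTSIDE-TO-DMZ
 match access-group name DMZ-WEB
 match class-map OUTSIDE-TO-DMZ-PROTOS

! Site-to-site IPsec from the outside peer: ESP cannot be tracked
! statefully, so it is passed in both directions rather than inspected
class-map type inspect match-any IPSEC-PASS
 match access-group name IPSEC-ESP
ip access-list extended IPSEC-ESP
 permit esp any any
 permit udp any any eq isakmp

! Management of the router itself (self zone): SSH from INSIDE only
class-map type inspect match-all MGMT-TO-SELF
 match access-group name MGMT-SSH
 match protocol tcp

! --- 3. Inspect parameters --------------------------------------------
parameter-map type inspect INSPECT-PARAMS
 audit-trail on
 alert on
 tcp idle-time 3600
 udp idle-time 60
 max-incomplete low 100
 max-incomplete high 200

! --- 4. Policies: one policy-map per direction ------------------------
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect INSPECT-PARAMS
 class type inspect IPSEC-PASS
  pass
 class class-default
  drop log

! Reverse direction exists only because 'pass' needs explicit return
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect IPSEC-PASS
  pass
 class class-default
  drop log

policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ
  inspect
  police rate 8000000 burst 500000
 class class-default
  drop log

policy-map type inspect INSIDE-TO-SELF-POLICY
 class type inspect MGMT-TO-SELF
  inspect
 class class-default
  drop log

! --- 5. Zone-pairs: one per source/destination, one policy each -------
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security IN-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF-POLICY

! --- 6. Interface membership (assumed numbering) ----------------------
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security DMZ
```

Note what the example deliberately leaves out: there is no INSIDE to DMZ zone-pair, so internal hosts cannot reach the web server through the router until one is added, and there is no OUTSIDE to self zone-pair, so once the IN-SELF pair exists, anything the Internet sends to the router's own addresses that is not the return half of a router-initiated session is dropped. Verify the result with show zone-pair security (policy bindings), show policy-map type inspect zone-pair sessions (the stateful entries created by inspect) and show class-map type inspect (match counters), and watch the syslog for the drop log messages while testing.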
Zone-Based Policy Firewall provides several benefits over the interface-based firewall, such as:
• It simplifies configuration and management: policy is written once per zone-pair, and adding an interface to a zone applies the existing policy to it without further changes.
• It replaces per-interface inspection rules with stateful inspection plus optional application (Layer 7) inspection, expressed in the same class-map / policy-map syntax used elsewhere in IOS.
• It enforces a deny-by-default model between zones and allows granular per-class actions (inspect, pass, drop, police) within each policy.
• It works together with other IOS features such as VPN, NAT, IPS, QoS, IPv6 and MPLS.