Zone-Based Policy Firewall Configuration | Cisco 400-251 Exam Answer

Required Configuration Steps for Zone-Based Policy Firewall | Cisco 400-251 Exam Answer



Which four configuration steps are required to implement a zone-based policy firewall configuration on a Cisco IOS router? (Choose four.)





Zone-Based Policy Firewall (ZFW) is a security feature in Cisco IOS routers that provides a flexible and configurable policy-based firewall solution. It uses the concept of security zones to group network interfaces with similar security requirements and controls traffic flow between the zones based on defined policies.

The four configuration steps required to implement a zone-based policy firewall configuration on a Cisco IOS router are:

A. Create the security zones and security zone pairs:

This is the first step in configuring a zone-based firewall. A security zone is a logical grouping of network interfaces that share the same security requirements. A security zone pair is a unidirectional pairing of a source zone and a destination zone; a policy applied to that pair governs only traffic initiated from the source zone toward the destination zone. A router can have multiple security zones and zone pairs.

For example, you may create three security zones: Zone1 for the internal network, Zone2 for the DMZ, and Zone3 for the Internet. Then, create the zone pairs as needed to allow or deny traffic between the zones.

B. Create the self-zone:

The self-zone is a pre-defined zone in a zone-based firewall that represents the router itself. It is a security best practice to create an explicit rule that blocks all traffic to or from the self-zone to other zones unless specifically allowed.

C. Create the default global inspection policy:

The default global inspection policy specifies the inspection rules for traffic that is not matched by any type inspect policy. It defines what traffic is allowed and what traffic is denied by default. You can modify the default global inspection policy to match the specific requirements of your network.

D. Create the type inspect class maps and policy maps:

Class maps define the match criteria for traffic inspection, while policy maps define the action to be taken on the matched traffic. You can create multiple class maps and policy maps to match different types of traffic and apply different actions.

For example, you may create a class map that matches all HTTP traffic and a policy map that allows or denies HTTP traffic based on the source and destination zones.

E. Assign a security level to each security zone:

Each security zone is assigned a security level that defines its relative trustworthiness compared to other zones. A higher security level indicates a more trusted zone, while a lower security level indicates a less trusted zone.

F. Assign each router interface to a security zone:

Each router interface is assigned to a security zone. You can assign multiple interfaces to the same zone, but an interface can only be assigned to one zone.

G. Apply a type inspect policy map to each zone pair:

Finally, you apply a type inspect policy map to each zone pair to specify the actions to be taken on traffic between the zones. You can create different policies for different zone pairs.

For example, you may apply a policy map that allows HTTP traffic from Zone1 to Zone2 but denies HTTP traffic from Zone1 to Zone3.
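The following IOS configuration is an added worked example, not part of the original question or answer, that ties the steps above together using the zone names from the text: Zone1 (internal), Zone2 (DMZ) and Zone3 (Internet). It allows HTTP from Zone1 to Zone2 but denies HTTP from Zone1 to Zone3 while still inspecting other TCP, UDP and ICMP traffic toward the Internet. Interface numbers, class-map and policy-map names are assumptions chosen for the example.

```cisco
! --- Step A: create the security zones ---
zone security Zone1
 description Internal network
zone security Zone2
 description DMZ
zone security Zone3
 description Internet

! --- Step D: class maps (match criteria) and policy maps (actions) ---
! Assumed names; "match-any" means any listed protocol matches the class.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
class-map type inspect match-any CM-BASIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Internal -> DMZ: statefully inspect web traffic, drop and log everything else.
policy-map type inspect PM-ZONE1-TO-ZONE2
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
!
! Internal -> Internet: the CM-WEB class is listed first so HTTP/HTTPS is
! dropped before the broader CM-BASIC class can inspect it (first match wins).
policy-map type inspect PM-ZONE1-TO-ZONE3
 class type inspect CM-WEB
  drop log
 class type inspect CM-BASIC
  inspect
 class class-default
  drop log

! --- Step A (continued) and Step G: create zone pairs and apply the policies ---
zone-pair security ZP-ZONE1-ZONE2 source Zone1 destination Zone2
 service-policy type inspect PM-ZONE1-TO-ZONE2
!
zone-pair security ZP-ZONE1-ZONE3 source Zone1 destination Zone3
 service-policy type inspect PM-ZONE1-TO-ZONE3

! --- Step F: assign each interface to exactly one zone ---
! Interface numbers are assumptions for this example.
interface GigabitEthernet0/0
 description Internal LAN
 zone-member security Zone1
!
interface GigabitEthernet0/1
 description DMZ segment
 zone-member security Zone2
!
interface GigabitEthernet0/2
 description Internet uplink
 zone-member security Zone3
```

Two points worth checking after applying this. First, any pair of zones that has no zone-pair defined passes no traffic at all, so the absence of a Zone2-to-Zone1 or Zone3-to-Zone1 pair above means the DMZ and the Internet cannot initiate sessions inward; return traffic for inspected sessions is allowed by the stateful `inspect` action. Second, the order of `class type inspect` entries inside a policy map matters because the first matching class wins, which is why CM-WEB precedes CM-BASIC in PM-ZONE1-TO-ZONE3. `show zone-pair security` confirms which policy is attached to each pair, and `show policy-map type inspect zone-pair` shows per-class hit and drop counters, which is where a mis-ordered class or a forgotten zone membership usually becomes visible.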