Tuesday, May 19, 2009

Zone-Based Policy Firewall (ZFW)

Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

Nearly all classic Cisco IOS Firewall features implemented before Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface:

  • Stateful packet inspection

  • VRF-aware Cisco IOS Firewall

  • URL filtering

  • Denial-of-Service (DoS) mitigation

Cisco IOS Software Release 12.4(9)T added ZFW support for per-class session/connection and throughput limits, as well as application inspection and control:

  • HTTP

  • Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol/Extended Simple Mail Transfer Protocol (SMTP/ESMTP)

  • Sun Remote Procedure Call (RPC)

  • Instant Messaging (IM) applications:

    • Microsoft Messenger

    • Yahoo! Messenger

    • AOL Instant Messenger

  • Peer-to-Peer (P2P) File Sharing:

    • BitTorrent

    • KaZaA

    • Gnutella

    • eDonkey
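The following configuration is an added example, not part of the original post or of Cisco's own documentation, that ties the features above together on one router: two zones with the default deny-all between them, a Layer 3/4 inspect policy, a per-class session limit and rate limit, and an HTTP application-inspection policy hung off the web class. Interface names, addresses, zone and class names, and the numeric limits are assumptions chosen for illustration; the command syntax is the 12.4(9)T-and-later ZFW CLI.

```cisco
! Two zones: the trusted LAN and the untrusted uplink (names are assumptions).
zone security private
zone security internet
!
! Placing an interface in a zone is what switches on the default deny: from
! this point, private<->internet traffic is dropped until a zone-pair with an
! inspect policy exists. Traffic between interfaces in the same zone, and
! to/from the router's own "self" zone, still passes by default.
interface FastEthernet0/0
 description LAN (assumed)
 ip address 192.168.10.1 255.255.255.0
 zone-member security private
!
interface FastEthernet0/1
 description WAN (assumed)
 ip address 203.0.113.2 255.255.255.252
 zone-member security internet
!
! Layer 7 HTTP application inspection (12.4(9)T+): reset and log non-HTTP
! traffic tunnelled over the HTTP port and HTTP protocol violations.
class-map type inspect http match-any http-violations
 match request port-misuse any
 match req-resp protocol-violation
!
policy-map type inspect http http-policy
 class type inspect http http-violations
  reset
  log
!
! Layer 3/4 classes. "match-all" requires every match line to hit;
! "match-any" matches on any one of them.
class-map type inspect match-all web-class
 match protocol http
!
class-map type inspect match-any other-client-class
 match protocol dns
 match protocol smtp
 match protocol ssh
 match protocol icmp
!
! Per-class limits (12.4(9)T+): a session cap and half-open thresholds for
! DoS protection, bound to a class with "inspect <parameter-map>".
! The values are assumptions; tune them against "show" counters.
parameter-map type inspect web-limits
 sessions maximum 500
 max-incomplete low 300
 max-incomplete high 400
 tcp synwait-time 10
!
policy-map type inspect private-internet-policy
 class type inspect web-class
  inspect web-limits
  service-policy http http-policy
  police rate 1000000 burst 5000
 class type inspect other-client-class
  inspect
 class class-default
  drop log
!
! A zone-pair is unidirectional: this one permits sessions initiated from
! private toward internet, and stateful inspection opens the return path.
! No internet->private zone-pair is configured, so unsolicited inbound
! sessions remain under the default deny.
zone-pair security priv-to-inet source private destination internet
 service-policy type inspect private-internet-policy
```

Once applied, `show policy-map type inspect zone-pair priv-to-inet` lists the per-class packet and session counters (the statistics 12.4(11)T added), which is where the `sessions maximum` and `max-incomplete` values should be tuned from rather than guessed. Note that the `class-default` drop is what enforces the deny for anything the named classes do not match; omitting it leaves the implicit drop in place but without the `log` that makes policy gaps visible.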

Cisco IOS Software Release 12.4(11)T added statistics for easier DoS protection tuning.

Some Cisco IOS Classic Firewall features and capabilities are not yet supported in ZFW as of Cisco IOS Software Release 12.4(15)T:

  • Authentication proxy

  • Stateful firewall failover

  • Unified firewall MIB

  • IPv6 stateful inspection

  • TCP out-of-order support

ZFW generally improves Cisco IOS performance for most firewall inspection activities.

Neither Cisco IOS ZFW nor Classic Firewall includes stateful inspection support for multicast traffic.

Best Regards,
Deepak Arora
