Friday, November 16, 2007

Cisco IOS: ZBF - Zone-Based Policy Firewall Design Guide


Cisco IOS Software Release 12.4(6)T introduced a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall zones until an explicit policy is applied to allow desirable traffic.
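The following configuration is an added example, not taken from the design guide or from this post, showing the model the paragraph describes: two zones, one directional zone pair carrying an inspect policy, and everything else denied by default. The zone names (INSIDE, OUTSIDE), the interface names and the list of protocols are assumptions chosen for the illustration.

```cisco
! Added example (not from the guide): a two-zone zone-based firewall policy.
! Zone names, interface names and the protocol list are assumptions.
!
! 1. Define the security zones.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! 2. Classify the traffic that the LAN is allowed to originate.
class-map type inspect match-any LAN-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
!
! 3. Policy: statefully inspect the classified traffic; class-default
!    catches everything else and drops it (logging the drop here).
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect LAN-TO-INTERNET
  inspect
 class class-default
  drop log
!
! 4. Bind the policy to a directional zone pair. No zone pair is defined
!    for OUTSIDE -> INSIDE, so unsolicited inbound traffic is denied by
!    default; return traffic for inspected sessions is allowed by the
!    stateful session table, not by a second policy.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Place interfaces in zones. Traffic between two zones is blocked until
!    a zone pair with a policy permits it.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
```

To confirm the deny-all default is doing what you expect, check `show zone-pair security` (only IN-TO-OUT should be listed) and watch the active sessions with `show policy-map type inspect zone-pair IN-TO-OUT sessions`. One caveat worth keeping in mind: traffic to and from the router itself belongs to the built-in self zone, which is permitted by default and is not restricted by the zone pair above.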


Nearly all firewall features implemented prior to Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface; supported features are as follows:


• Stateful packet inspection
• Application inspection
  - HTTP
  - Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)
  - Sun RPC
• VRF-aware Cisco IOS Firewall
• URL filtering
• Denial-of-service (DoS) mitigation


Zone-based policy firewall generally improves Cisco IOS performance for most firewall inspection activities.


The only Cisco IOS Firewall features that are not supported in zone-based policy firewall in Cisco IOS Software Release 12.4(6)T are as follows:


• Authentication proxy
• Stateful firewall failover
• Unified firewall MIB



