Security: Zone based policy firewall

Suppose you have an FTP and a TFTP server on the inside interface and want to control FTP and TFTP connection establishment from outside to inside.

Create parameter map

parameter-map type inspect param-1
audit-trail on (turn on the audit trail)
udp idle-time 60 (set the UDP idle time to 1 min)

alert on (default is on; I cannot see this option in show run | s parameter-map; this turns on alerts on your console)
icmp idle-time 5 (set the ICMP idle time to 5 seconds)
dns-timeout 60 (set the DNS timeout to 1 min)
tcp max-incomplete host 10 block-time 10 (TCP SYN flood prevention: block a host that has more than 10 embryonic sessions open for 10 minutes)
sessions maximum 1000 (limit the maximum number of sessions to 1000)

Create class map

class-map type inspect match-any cmap-2
description FTP and TFTP classification
match protocol ftp
match protocol tftp

Create policy-map

policy-map type inspect pmap-2
description Policy based on cmap-2
class type inspect cmap-2
inspect param-1
police rate 512000 burst 96000
class class-default

Apply policy to zone-pairs

zone-pair security out-to-in source outside destination inside
service-policy type inspect pmap-2

Normal burst value: the configured rate (bps) divided by 8 to convert it to bytes, then multiplied by 1.5 seconds (512000 / 8 * 1.5 = 96000 bytes above).

Extended burst: twice the normal burst value.
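As an added example (not from the original post), a small Python lint for a zone-based firewall fragment like the one above: it checks that every class, inspect and service-policy reference resolves to a defined class-map, parameter-map or policy-map (a dangling reference silently matches nothing), and that the police burst follows the rule above. The sample configuration is constructed from the post's own lines; the function names are assumptions.

```python
"""Lint a Cisco IOS zone-based firewall fragment (added example, not the
post's code): verify that policy references resolve and that the police
burst equals rate / 8 bytes * 1.5 s, as described in the post."""
import re

# Constructed sample: the post's configuration in plain IOS syntax.
SAMPLE_CONFIG = """\
parameter-map type inspect param-1
 udp idle-time 60
 sessions maximum 1000
class-map type inspect match-any cmap-2
 match protocol ftp
 match protocol tftp
policy-map type inspect pmap-2
 class type inspect cmap-2
  inspect param-1
  police rate 512000 burst 96000
 class class-default
zone-pair security out-to-in source outside destination inside
 service-policy type inspect pmap-2
"""

def normal_burst(rate_bps: int) -> int:
    """Normal burst in bytes: rate / 8 (bytes per second) * 1.5 seconds."""
    return int(rate_bps / 8 * 1.5)

def extended_burst(rate_bps: int) -> int:
    """Extended burst: twice the normal burst."""
    return 2 * normal_burst(rate_bps)

def lint_zbf(config: str) -> list[str]:
    """Return the problems found; an empty list means the fragment is consistent."""
    defined = {"parameter-map": set(), "class-map": set(), "policy-map": set()}
    refs, problems = [], []
    for line in config.splitlines():
        s = line.strip()
        # Definitions: class-map has an extra match-any/match-all keyword.
        if m := re.match(r"(parameter-map|class-map|policy-map) type inspect (?:match-\w+ )?(\S+)$", s):
            defined[m[1]].add(m[2])
        elif m := re.match(r"class type inspect (\S+)$", s):
            refs.append(("class-map", m[1]))
        elif m := re.match(r"inspect (\S+)$", s):
            refs.append(("parameter-map", m[1]))
        elif m := re.match(r"service-policy type inspect (\S+)$", s):
            refs.append(("policy-map", m[1]))
        elif m := re.match(r"police rate (\d+) burst (\d+)$", s):
            rate, burst = int(m[1]), int(m[2])
            if burst != normal_burst(rate):
                problems.append(f"burst {burst} != expected {normal_burst(rate)} for rate {rate}")
    for kind, name in refs:
        if name not in defined[kind]:
            problems.append(f"{kind} {name} referenced but not defined")
    return problems
```

Run `lint_zbf(SAMPLE_CONFIG)` on the post's fragment and it returns an empty list; change the inspect line to an undefined parameter-map name or alter the burst and the corresponding problem is reported.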
