ZBPF Transparent Mode lab exercise from Technologies Workbook


I have some confusion with this exercise.

The task reads:


  • Configure two security zones on R3: VLAN123 and VLAN34.
  • ICMP traffic initiated from VLAN123 zone should match the following output:

    %FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt => with ip ident 0

  • Inspect HTTP traffic on ports 80 and 21 destined for R4's Loopback0 address.

The task seems straightforward - configure a zone-pair from source vlan123 to destination vlan34 and then inspect ICMP and HTTP.

The answer shows that the class-maps call ACLs for ICMP and HTTP.  I do not understand why that is necessary if we can just "match protocol" in the class-map.

I get that we need to map port 21 to HTTP with an ACL specifying R4's loopback.

Also, the answer shows TWO zone-pairs, one for each direction, but the task does not say to do that, so I don't understand why it is necessary.  What is the point of the inspection policy if there is a zone-pair required in both directions just to let a ping go from R1 to R4 and back?  Isn't the zone-pair supposed to be a stateful inspection?

Somebody please explain why the extra config is required.



Hi,

You can just match on protocol, correct; the solution just gives you another way of matching it. Based on the log, ICMP traffic needs to match a pass action, thus for PING to work, you need policies both ways between zones with pass action for ICMP; also based on the last task requirement, which says "Configure R3 to log for traffic not matching any of the configured class-maps", you need the log action in the default class-map in both directions.
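The point the reply makes is the difference between the two ZBPF actions: `inspect` creates a session and automatically permits the return traffic, whereas `pass` is stateless, so ICMP replies arriving from VLAN34 need their own zone-pair and their own pass rule. The IOS configuration below is an added example of that layout and is not the workbook's solution or either poster's config. The interface names, R4's Loopback0 address and the wildcard values are placeholders, and the transparent-mode bridging (the bridge-group membership of R3's interfaces) is assumed to be configured already and is not shown.

```cisco
! ---- Zones (names taken from the task) ----
zone security VLAN123
zone security VLAN34
!
! Placeholder interfaces: use the bridged interfaces that face each VLAN
interface <VLAN123-facing-interface>
 zone-member security VLAN123
interface <VLAN34-facing-interface>
 zone-member security VLAN34
!
! ---- Port 21 as HTTP, only when the destination is R4's Loopback0 ----
! Standard ACL identifying R4's Loopback0 (placeholder address)
access-list 1 permit host <R4-Loopback0-address>
! "match protocol http" now also covers TCP/21 to that host
ip port-map http port tcp 21 list 1
!
! Extended ACL restricting the HTTP class to R4's Loopback0 as destination
ip access-list extended TO_R4_LO0
 permit ip any host <R4-Loopback0-address>
!
! ---- Class-maps (class name ICMP matches the expected log line) ----
class-map type inspect match-all ICMP
 match protocol icmp
!
class-map type inspect match-all HTTP
 match protocol http
 match access-group name TO_R4_LO0
!
! ---- Policy for VLAN123 -> VLAN34 ----
policy-map type inspect VLAN123_TO_VLAN34
 class type inspect ICMP
  pass            ! stateless: no session is built, so the reply needs its own rule
 class type inspect HTTP
  inspect         ! stateful: return HTTP traffic is allowed by the session table
 class class-default
  drop log        ! logs anything that matched none of the class-maps
!
! ---- Policy for VLAN34 -> VLAN123 (ICMP only; HTTP returns via the session) ----
policy-map type inspect VLAN34_TO_VLAN123
 class type inspect ICMP
  pass
 class class-default
  drop log
!
! ---- Zone-pairs, one per direction ----
zone-pair security VLAN123_TO_VLAN34 source VLAN123 destination VLAN34
 service-policy type inspect VLAN123_TO_VLAN34
!
zone-pair security VLAN34_TO_VLAN123 source VLAN34 destination VLAN123
 service-policy type inspect VLAN34_TO_VLAN123
!
! ---- Verification ----
! Inspected (stateful) HTTP sessions should appear here; passed ICMP will not,
! because pass never creates a session entry.
! show policy-map type inspect zone-pair VLAN123_TO_VLAN34 sessions
! show zone-pair security
```

The asymmetry in the session table is the quickest way to confirm the behaviour: an HTTP connection from R1 to R4's Loopback0 shows up as a session on the VLAN123_TO_VLAN34 zone-pair and its replies are accepted without any VLAN34-side rule, while a ping only works once the reverse zone-pair carries its own ICMP pass class. If the reverse zone-pair is removed, the echo replies fall into class-default of the (now missing) return policy and are dropped and logged, which is exactly the situation the question describes.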



