Configuring Zone based Firewall

Posted on Jan 27, 2020

Below are the steps for configuring a zone-based firewall on a vEdge router from the CLI.

CLI Configuration Procedure:

Create the lists of IP prefixes that the policy will match on:

vEdge(config)# policy
vEdge(config-policy)# lists data-prefix-list list-name
vEdge(config-data-prefix-list)# ip-prefix prefix/length

Configure a source zone, a group of VPNs from which data traffic flows:

vEdge(config)# policy zone source-zone-name
vEdge(config-zone)# vpn vpn-id

Configure a destination zone, a group of VPNs to which data traffic flows:

vEdge(config)# policy zone destination-zone-name
vEdge(config-zone)# vpn vpn-id

Create a zone-based firewall policy:

vEdge(config)# policy zone-based-policy policy-name

Create a series of match–action pair sequences:

vEdge(config-zone-based-policy)# sequence number

Define match parameters for the data traffic:

vEdge(config-sequence-number)# match match-parameter

Define the action to take when a match occurs. Note that pass forwards the packet without creating a session, so return traffic for a passed flow needs a zone pair of its own in the reverse direction, whereas inspect tracks the session and admits its return traffic:

vEdge(config-sequence)# action drop
vEdge(config-sequence)# action inspect
vEdge(config-sequence)# action log
vEdge(config-sequence)# action pass

Define the default action, taken when data traffic matches none of the sequences:

vEdge(config-policy-name)# default-action (drop | inspect | pass)

If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. You can also disallow this traffic.

vEdge(config)# policy zone-to-no-zone-internet (allow | deny)

Create a zone pair, and define the source and destination zones in that pair and the zone-based firewall policy to apply to the flows between those two zones:

vEdge(config)# policy zone-pair pair-name
vEdge(config-zone-pair)# source-zone source-zone-name
vEdge(config-zone-pair)# destination-zone destination-zone-name
vEdge(config-zone-pair)# zone-policy policy-name

Example 1: isolating two VPNs

The topology for this example has three VPNs, and the policy controls which flows are allowed between them:

  • VPN 1 for the guest network
  • VPN 2 for the enterprise employee network
  • VPN 3 for shared services


Define a zone for each of these VPNs:

vEdge(config)# policy
vEdge(config-policy)# zone guest-zone vpn 1
vEdge(config-policy)# zone enterprise-employee-zone vpn 2
vEdge(config-policy)# zone shared-services-zone vpn 3

Now configure a zone-based policy so that traffic from VPN 1 and VPN 2 is allowed to the shared-services subnet in VPN 3, but no traffic is allowed in the reverse direction:

vEdge(config-policy)# zone-based-policy vpn-isolation-policy
vEdge(config-zone-based-policy)# sequence 10
vEdge(config-sequence)# match destination-ip prefix/length
vEdge(config-sequence)# action pass

Drop any traffic that does not match a sequence in the policy:

vEdge(config-zone-based-policy)# default-action drop

Apply the policy by pairing the zones. Here is the pairing between the guest zone and the shared-services zone:

vEdge(config-policy)# zone-pair guest-services-pairing
vEdge(config-zone-pair)# source-zone guest-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy

And here is the pairing between the employee zone and the services zone:

vEdge(config-policy)# zone-pair enterprise-employee-services-pairing
vEdge(config-zone-pair)# source-zone enterprise-employee-zone
vEdge(config-zone-pair)# destination-zone shared-services-zone
vEdge(config-zone-pair)# zone-policy vpn-isolation-policy
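To check what the policy above actually does before pushing it, the following is an added example (not Cisco's code and not part of the original post) that models the zones, policy and zone pairs from Example 1 in Python, evaluates flows against them with first-match semantics, and lints for mistakes the CLI accepts silently. The shared-services prefix 10.3.0.0/24 is an assumption (the page does not give the subnet), as is the modeled default behaviour: traffic inside one zone is not firewalled, and traffic between two zones that have no zone pair is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed shared-services subnet in VPN 3; the page does not give the prefix.
SHARED_SERVICES_PREFIX = "10.3.0.0/24"


@dataclass(frozen=True)
class Sequence:
    number: int
    dst_prefix: Optional[str]   # "match destination-ip prefix/length"; None matches everything
    action: str                 # "pass", "inspect" or "drop"


@dataclass(frozen=True)
class ZonePolicy:
    name: str
    sequences: tuple            # evaluated in ascending sequence number, first match wins
    default_action: str


@dataclass(frozen=True)
class ZonePair:
    name: str
    source_zone: str
    destination_zone: str
    zone_policy: Optional[str]  # None models a pair whose "zone-policy" line was never entered


# policy zone <name> vpn <id>
ZONES = {
    "guest-zone": {1},
    "enterprise-employee-zone": {2},
    "shared-services-zone": {3},
}

# policy zone-based-policy vpn-isolation-policy
POLICIES = {
    "vpn-isolation-policy": ZonePolicy(
        "vpn-isolation-policy",
        (Sequence(10, SHARED_SERVICES_PREFIX, "pass"),),
        "drop",
    ),
}

# policy zone-pair ... with both pairs pointing at the policy
ZONE_PAIRS = (
    ZonePair("guest-services-pairing", "guest-zone",
             "shared-services-zone", "vpn-isolation-policy"),
    ZonePair("enterprise-employee-services-pairing", "enterprise-employee-zone",
             "shared-services-zone", "vpn-isolation-policy"),
)


def zone_of(vpn: int) -> Optional[str]:
    """Return the zone containing this VPN, or None if it is in no zone."""
    for zone, vpns in ZONES.items():
        if vpn in vpns:
            return zone
    return None


def evaluate(src_vpn: int, dst_vpn: int, dst_ip: str, pairs=ZONE_PAIRS) -> str:
    """Action applied to a packet from src_vpn bound for dst_ip in dst_vpn (modeled rules)."""
    src_zone, dst_zone = zone_of(src_vpn), zone_of(dst_vpn)
    if src_zone is None or dst_zone is None:
        return "drop"           # zone-less VPNs such as VPN 0 are outside this model
    if src_zone == dst_zone:
        return "pass"           # assumption: intra-zone traffic is not firewalled
    pair = next((p for p in pairs
                 if p.source_zone == src_zone and p.destination_zone == dst_zone), None)
    if pair is None or pair.zone_policy not in POLICIES:
        return "drop"           # assumption: no usable zone pair means the flow is dropped
    policy = POLICIES[pair.zone_policy]
    addr = ipaddress.ip_address(dst_ip)
    for seq in sorted(policy.sequences, key=lambda s: s.number):
        if seq.dst_prefix is None or addr in ipaddress.ip_network(seq.dst_prefix):
            return seq.action
    return policy.default_action


def lint(pairs=ZONE_PAIRS) -> list:
    """Flag a VPN in two zones, VPN 0 in no zone, a pair without a (known) policy,
    and a stateless 'pass' rule that has no zone pair for the return direction."""
    findings, owner = [], {}
    for zone, vpns in ZONES.items():
        for vpn in vpns:
            if vpn in owner:
                findings.append(f"vpn {vpn} is in both {owner[vpn]} and {zone}")
            owner[vpn] = zone
    if 0 not in owner:
        findings.append("vpn 0 is in no zone: set the zone-to-no-zone internet behaviour explicitly")
    directions = {(p.source_zone, p.destination_zone) for p in pairs}
    for p in pairs:
        if p.zone_policy is None:
            findings.append(f"zone-pair {p.name} has no zone-policy")
        elif p.zone_policy not in POLICIES:
            findings.append(f"zone-pair {p.name} references unknown policy {p.zone_policy}")
        elif (any(s.action == "pass" for s in POLICIES[p.zone_policy].sequences)
              and (p.destination_zone, p.source_zone) not in directions):
            findings.append(f"zone-pair {p.name}: 'pass' is stateless and no reverse pair "
                            "exists, so return traffic is dropped (use inspect or add a pair)")
    return findings


if __name__ == "__main__":
    print(evaluate(1, 3, "10.3.0.10"))   # guest -> shared services
    print(evaluate(3, 1, "10.1.0.10"))   # reverse direction, no pair
    for finding in lint():
        print("lint:", finding)
```

Running the lint over the configuration as posted reproduces the problem with the second zone pair (the line that should read `zone-policy vpn-isolation-policy` was entered as a repeated `zone-pair` command, so the pair has no policy), and it flags that both pairs rely on a stateless `pass`: with no pair in the services-to-guest direction, replies from VPN 3 never make it back, so if the intent is to block only new sessions from VPN 3, `inspect` is the action to use.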
