Have you ever worked with a ZBFW deployment where you think the firewall is the issue but you are not totally sure, so your next troubleshooting step is to disable it to see if you were right?
Well... While I was a Cisco TAC engineer, that was one of the steps we used to perform in order to prove to the customer that those were not firewall issues.
The thing is, for that to happen we needed to get into each of the interfaces and disable the feature.
Easy enough:
R4(config)#interface fastethernet0/0
R4(config-if)#no zone-member security Outside
Now I will ask you something... What happens if you have one interface in one zone and another interface without any zone assigned?
Traffic will be disrupted: no communication will happen between those two interfaces. So you might break everything while doing this.
The solution is to make sure you disable both at the same time, or close enough.
How to accomplish that:
1. Easy method (non-technical option)
Copy all of the commands into a notepad file and then copy and paste them into the router. Make sure all of the commands are actually written to the router.
2. EEM advanced method (only for high-level engineers)
Using the Embedded Event Manager feature on the IOS router you can disable and enable the ZBFW with just one command, as amazing as that sounds.
Note: EEM is a tool that allows us to automate processes on a router.
How to configure this:
- We will write two scripts: one to disable the ZBFW and one to enable it.
- Those scripts will be run manually, because of the event none command.
- Run the Event Manager applet previously configured.
Script to Disable the ZBFW Feature
Jcarvaja(config)#event manager applet Zone_OFF
Jcarvaja(config-applet)#event none
Jcarvaja(config-applet)#action 1.0 cli command "enable"
Jcarvaja(config-applet)#action 1.1 cli command "configure terminal"
Jcarvaja(config-applet)#action 2.0 cli command "interface fa 0/0"
Jcarvaja(config-applet)#action 2.1 cli command "no zone-member security Outside"
Jcarvaja(config-applet)#action 3.0 cli command "interface fa 0/1"
Jcarvaja(config-applet)#action 3.1 cli command "no zone-member security Inside"
Jcarvaja(config-applet)#action 4.0 syslog msg "IOS ZBFW has been disabled"
Script to Enable the ZBFW Feature
Jcarvaja(config)#event manager applet Zone_ON
Jcarvaja(config-applet)#event none
Jcarvaja(config-applet)#action 1.0 cli command "enable"
Jcarvaja(config-applet)#action 1.1 cli command "configure terminal"
Jcarvaja(config-applet)#action 2.0 cli command "interface fa 0/0"
Jcarvaja(config-applet)#action 2.1 cli command "zone-member security Outside"
Jcarvaja(config-applet)#action 3.0 cli command "interface fa 0/1"
Jcarvaja(config-applet)#action 3.1 cli command "zone-member security Inside"
Jcarvaja(config-applet)#action 4.0 syslog msg "IOS ZBFW has been enabled"
That's it! Those are the scripts needed. Now let's see them working.
With the command show zone security we can see that ZBFW is not active on this IOS router: the zones exist, but no interface is a member of them.
Jcarvaja#sh zone security
zone self
Description: System defined zone
zone Inside
zone Outside
Jcarvaja#
Let's enable ZBFW with the EEM script previously configured:
Jcarvaja#event manager run Zone_ON
Jcarvaja#
*Mar 1 00:25:42.567: %HA_EM-6-LOG: Zone_ON: IOS ZBFW has been enabled
Jcarvaja#
We can see the log being shown, that's a good sign. Let's run show zone security again:
Jcarvaja#sh zone security
zone self
Description: System defined zone
zone Inside
Member Interfaces:
FastEthernet0/1
zone Outside
Member Interfaces:
FastEthernet0/0
Sweet!!! Now let's disable it:
Jcarvaja#event manager run Zone_OFF
Jcarvaja#
*Mar 1 00:26:52.307: %HA_EM-6-LOG: Zone_OFF: IOS ZBFW has been disabled
Jcarvaja#
Jcarvaja#sh zone security
zone self
Description: System defined zone
zone Inside
zone Outside
Jcarvaja#
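The whole point of running both interface changes in one applet is to never sit in the half-applied state from earlier (one interface zoned, the other not). As an added example that is not part of this tutorial, here is a small Python check that parses show zone security output and classifies the router as enabled, disabled or partial; the sample output is constructed in the same layout as the outputs above.

```python
import re
from typing import Dict, List

# Constructed sample: Outside still has its member, Inside has none.
# This is the half-disabled state that drops traffic between Fa0/0 and Fa0/1.
SAMPLE_SHOW_ZONE = """\
zone self
  Description: System defined zone
zone Inside
zone Outside
  Member Interfaces:
    FastEthernet0/0
"""


def parse_zone_members(output: str) -> Dict[str, List[str]]:
    """Map each zone name to its member interfaces from 'show zone security'."""
    zones: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        m = re.match(r"^zone\s+(\S+)$", stripped)
        if m:
            current = m.group(1)
            zones[current] = []
        elif current and stripped and not stripped.startswith(
            ("Description:", "Member Interfaces:")
        ):
            # Any other indented line under a zone is an interface name.
            zones[current].append(stripped)
    return zones


def zbfw_state(zones: Dict[str, List[str]]) -> str:
    """'enabled' if every user zone has members, 'disabled' if none does,
    'partial' otherwise (the state that breaks traffic). 'self' is ignored."""
    user_zones = {z: m for z, m in zones.items() if z != "self"}
    populated = [z for z, m in user_zones.items() if m]
    if not populated:
        return "disabled"
    if len(populated) == len(user_zones):
        return "enabled"
    return "partial"


def empty_zones(zones: Dict[str, List[str]]) -> List[str]:
    """User-defined zones with no member interface, for an operator report."""
    return sorted(z for z, m in zones.items() if z != "self" and not m)


if __name__ == "__main__":
    parsed = parse_zone_members(SAMPLE_SHOW_ZONE)
    print(zbfw_state(parsed), "- empty zones:", empty_zones(parsed))
```

Feed it the raw output from the applet's before/after checks (or from a scripted SSH session) and alert on "partial".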
With these applets you will avoid downtime while removing ZBFW and putting it back into action.
That's today's tutorial. Hope you liked it!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com for more tutorials