Which of the following statements are true regarding a ZFW? (Select 2 choices.)
- A zone can contain more than one interface.
- An interface can reside in more than one zone.
- The firewall can operate in transparent mode.
- Stateful packet inspection is supported for multicast traffic.
- Stateful packet inspection is supported for IPv6 traffic.
With a zone-based policy firewall (ZFW), a zone can contain more than one interface and the firewall can operate in transparent mode. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. A zone may contain more than one interface; however, an interface may not be assigned to more than one zone.
By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly permit traffic between zones. Inspection rules can be created for a large number of traffic types, including the following:
- Domain Name System (DNS)
- Internet Control Message Protocol (ICMP)
- Network Basic Input/Output System (NetBIOS)
- Sun Remote Procedure Call (RPC)
However, stateful inspection of IP version 6 (IPv6) traffic and multicast traffic, such as Internet Group Management Protocol (IGMP), is not supported by a ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).
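The following Cisco IOS configuration is an added illustration of the behaviour described above, not part of the original question or answer: one zone holding two interfaces, a second zone holding one, and a zone-pair whose inspect policy explicitly permits DNS and ICMP from INSIDE to OUTSIDE while everything else between the zones stays blocked. Interface names, zone names, and class/policy names are assumptions.

```cisco
! --- Zones: a zone may hold several interfaces, an interface belongs to one zone only ---
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security INSIDE
! Gi0/0 and Gi0/1 share a zone, so traffic between them is permitted by default
!
interface GigabitEthernet0/2
 zone-member security OUTSIDE
! Gi0/2 is now in OUTSIDE; it cannot also be added to INSIDE
!
! --- Classify the traffic types to be statefully inspected ---
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol dns
 match protocol icmp
!
! --- Inspect matched traffic, drop the rest (inter-zone default remains deny) ---
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! --- Zone-pair: direction matters; return traffic is allowed by the stateful session ---
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! No zone-pair exists from OUTSIDE to INSIDE, so unsolicited inbound traffic is blocked.
! Traffic to and from the router itself (the implicit "self" zone) is still permitted.
!
! Verification:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Because no OUTSIDE-to-INSIDE zone-pair is defined, only replies matched by the inspect session table are admitted; a ZFW in transparent (bridged) mode uses the same zone, zone-pair, and policy constructs.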
A ZFW can operate in transparent mode or in routed mode. In transparent mode, a ZFW operates as a Layer 2 firewall, bridging traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The trusted and untrusted interfaces of the firewall are connected to the same IP subnet, and the firewall bridges traffic between the interfaces. By contrast, a ZFW in routed mode operates as a Layer 3 firewall, routing traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The trusted and untrusted interfaces of the firewall are on different IP subnets, and the firewall routes traffic between the interfaces.