What are Class Maps used for?
Class maps are used to identify traffic. Class maps can refer to ACL's to to identify traffic.
- match-all condition = all entries must match
- match-any condition = only a single entry must match
What do Policy Maps do?
These are the actions that should be taken on the traffic that is identified by class maps. The actions are as follows:
- Inspect - Permit traffic and add an entry to the stateful database (for return traffic to come back)
- Pass - Permit but do not make stateful database entry
- Drop - Deny the packet
- Log - Log the dropped packets
What are Service Policies used for?
This is where you apply the policies, identified from a policy map to a zone pair.
What command would be used to view "inspect" class maps?
# show class-map type inspect
How do you view policy map sessions?
# show policy-map type inspect zone-pair < zone-pair-name> sessions
What command can help you figure out if NAT is working?
# show ip nat translations
What are the four possible actions on traffic that meets a zone-based firewall policy map?
Inspect - Permit and statefully inspect the traffic (traffic that comes from a device that expects reply traffic)
Pass - Permits / allows the traffic but does not create an entry in the stateful database (traffic that does not need a reply)
Log - Log the packets (add this to the dropped action on a policy to see information about packets that were stopped)
Drop - Deny the packet