Which of the following statements is true regarding ZFW traffic action characteristics? (Select the best answer.)
A. The pass action is bidirectional and automatically permits return traffic.
B. The inspect action is unidirectional and can be used to maintain state information.
C. The drop action silently discards packets and does not generate ICMP host unreachable messages.
D. The pass action can provide an audit trail including session start, stop, and duration values.
Explanation:
The drop action in a zone-based policy firewall (ZFW) configuration silently discards packets and does not
generate Internet Control Message Protocol (ICMP) host unreachable messages. ZFWs include many of the
features of previous firewall versions, including stateful packet inspection and Uniform Resource Locator (URL)
filtering. However, several new firewall features are also included, such as the ability to create security zones to
which security policies can be applied. With ZFWs, policies are applied to a security zone pair rather than to an
interface. This provides for more granular implementation of firewall policies: different policies can be applied
to hosts connected to the same interface. Before a policy can be applied to an interface, the interface must be
added to a zone. To permit traffic from one zone to another, you must create a zone pair between the zones.
Once you have configured zones and zone pairs, you can apply one of three actions (pass, drop, or inspect) to
the traffic between the zones.
The drop action is the default action that is applied to traffic sent from one zone to another on a router that is
configured with a ZFW. Unless a policy has been configured to allow traffic to be sent between two zones, the
traffic will be dropped.
The pass action can be applied to permit traffic from one zone to another. However, because the pass action is
unidirectional, no return traffic will be allowed by the pass action. Another policy would need to be applied in the
destination zone to allow return traffic to the originating zone.
The inspect action can be used to maintain state information for a connection sent through a ZFW.
Consequently, unlike the pass action, the inspect action is bidirectional and will allow return traffic to the zone
from the destination. For example, if a ZFW is used in between an internal network and the Internet, the inspect
action can be used to allow the internal hosts to retrieve information from the Internet. That is, data from the
Internet will be permitted by the inspect action. In addition, the inspect action can provide an audit trail including
session start time, stop time, duration, quantity of data transferred, and source and destination IP addresses.
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Configuring Zone-Based Policy Firewall Policy Maps
Category:
Cisco Firewall Technologies
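The zone, zone-pair, and action model described in the explanation, as an added Cisco IOS configuration example (not taken from the referenced Cisco guide); the interface, zone, class-map, and policy-map names are assumptions. It shows inspect with an audit trail, pass needing a second zone pair for return traffic, and drop as the catch-all.

```cisco
! Two security zones; each interface must be a member before policy applies to it
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Parameter map that turns on the per-session audit trail used by the inspect action
parameter-map type inspect AUDIT-PARAMS
 audit-trail on
!
! Stateful traffic: inspect is bidirectional, so return traffic is allowed automatically
class-map type inspect match-any INSIDE-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
!
! Stateless traffic: pass is unidirectional, so the reply direction needs its own policy
class-map type inspect match-any ICMP-ONLY
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-WEB-DNS
  inspect AUDIT-PARAMS
 class type inspect ICMP-ONLY
  pass
 class class-default
  drop log
!
! Return policy for the passed ICMP only; inspected sessions already have state
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect ICMP-ONLY
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
```

Without the OUT-IN zone pair, ICMP echo replies would be silently dropped (the default action between zones), while the inspected HTTP, HTTPS, and DNS replies would still be permitted by their session state.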