
Zone-Based Firewalls

Zone-based firewalls are a type of localized data policy that allows stateful inspection of TCP, UDP, and ICMP data traffic flows. Traffic flows that originate in a given zone are allowed to proceed to another zone based on the policy between the two zones. A zone is a grouping of one or more VPNs. Grouping VPNs into zones allows you to establish security boundaries in your overlay network so that you can control all data traffic that passes between zones.

Zone configuration consists of the following components:

  • Source zone—A grouping of VPNs where the data traffic flows originate.
  • Destination zone—A grouping of VPNs where the data traffic flows terminate. A VPN can be part of only one zone.
  • Zone-based firewall policy—A data policy, similar to a localized data policy, that defines the conditions that the data traffic flow from the source zone must match to allow the flow to continue to the destination zone. Zone-based firewalls can match IP prefixes, IP ports, and the protocols TCP, UDP, and ICMP. Matching flows can be accepted or dropped, and the packet headers can be logged. Nonmatching flows are dropped by default.
  • Zone pair—A container that associates a source zone with a destination zone and that applies a zone-based firewall policy to the traffic that flows between the two zones.

Matching flows that are accepted can be processed in two different ways:

  • Inspect—The packet's header can be inspected to determine its source address and port. The address and port are used by the NAT device to allow traffic to be returned from the destination to the sender.
  • Pass—Allow the packet to pass to the destination zone without inspecting the packet's header at all. With this action, the NAT device blocks return traffic that is addressed to the sender.

The following figure shows a simple scenario in which three VPNs are configured on a vEdge router. One of the VPNs, VPN 3, has shared resources that you want to restrict access to. These resources could be printers or confidential customer data. For the remaining two VPNs in this scenario, only users in one of them, VPN 1, are allowed to access the resources in VPN 3, while users in VPN 2 are denied access to these resources. In this scenario, we want data traffic to flow from VPN 1 to VPN 3, but we do not want traffic to flow in the other direction, from VPN 3 to VPN 1.


Zone-based firewalls perform stateful inspection of TCP, UDP, and ICMP flows between zones. They examine the source and destination IP addresses and ports in the packet headers, as well as the packet's protocol. Then, based on the configured zone-based policy, they allow traffic to pass between the zones or they drop the traffic.

The implementation of zone-based firewalls differs slightly from that of localized data policy. Where you configure and apply localized data policy based only on VPNs, you configure and apply zone-based firewalls to one or more VPNs that have been grouped into a zone. You activate localized data policy by applying it to individual interfaces on the vEdge routers. When you activate zone-based firewalls, they apply to the specific VPNs in the zones, without regard to any specific interfaces.
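
The VPN 1 / VPN 2 / VPN 3 scenario above, modeled in Python as an added example (not Viptela code or configuration). It shows how a directional zone pair, the default drop, and the inspect and pass actions decide each packet. The zone names, addresses, port, and the ZoneFirewall, Packet, and Rule names are constructed for illustration, and dropping traffic that has no zone pair is an assumption taken from the scenario.

```python
import ipaddress
from collections import namedtuple

# Constructed model types; field names are illustrative, not Viptela keywords.
Packet = namedtuple("Packet", "proto src_vpn src sport dst_vpn dst dport")
Rule = namedtuple("Rule", "proto dst_prefix dport action")  # action: inspect | pass | drop

class ZoneFirewall:
    def __init__(self, zones, zone_pairs):
        self.vpn_zone = {}
        for name, vpns in zones.items():
            for vpn in vpns:
                if vpn in self.vpn_zone:  # a VPN can be part of only one zone
                    raise ValueError(f"VPN {vpn} is already in zone {self.vpn_zone[vpn]}")
                self.vpn_zone[vpn] = name
        self.zone_pairs = zone_pairs  # {(source_zone, destination_zone): [Rule, ...]}
        self.sessions = set()         # flows recorded by the inspect action

    def evaluate(self, p):
        # Return traffic of an inspected flow: same tuple with the endpoints swapped.
        if p._replace(src_vpn=p.dst_vpn, src=p.dst, sport=p.dport,
                      dst_vpn=p.src_vpn, dst=p.src, dport=p.sport) in self.sessions:
            return "accept-return"
        pair = (self.vpn_zone.get(p.src_vpn), self.vpn_zone.get(p.dst_vpn))
        for r in self.zone_pairs.get(pair, []):  # assumption: no zone pair means drop
            if (r.proto == p.proto and r.dport == p.dport and
                    ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_prefix)):
                if r.action == "inspect":
                    self.sessions.add(p)
                return r.action
        return "drop"  # nonmatching flows are dropped by default

def scenario(action="inspect"):
    # Constructed addresses and port for the VPN 1 / VPN 2 / VPN 3 scenario.
    fw = ZoneFirewall(
        zones={"users": [1], "others": [2], "shared": [3]},
        zone_pairs={("users", "shared"): [Rule("tcp", "10.3.0.0/24", 631, action)]})
    request = Packet("tcp", 1, "10.1.0.5", 40000, 3, "10.3.0.10", 631)
    reply = Packet("tcp", 3, "10.3.0.10", 631, 1, "10.1.0.5", 40000)
    from_vpn2 = Packet("tcp", 2, "10.2.0.5", 40000, 3, "10.3.0.10", 631)
    # The reply is evaluated once before the request and once after it.
    return [fw.evaluate(x) for x in (reply, request, reply, from_vpn2)]

if __name__ == "__main__":
    print(scenario("inspect"))
    print(scenario("pass"))
```

With inspect, the reply from VPN 3 is accepted only after the request from VPN 1 has been seen. With pass, the same reply is dropped because no flow state was recorded.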
