sapcc / asr1k-neutron-l3

Cisco ASR 1000 Neutron L3 driver
Apache License 2.0

Zone Based Firewall does L7 inspection even though configured not to do so #46

Closed swagner-de closed 3 years ago

swagner-de commented 3 years ago

TAC

TAC Case 691170876 is open for this.

Problem Description

When using the ASR1K's Zone Based Firewall feature, we specifically want to deliver only L4 inspection and stateful firewalling, but no L7 inspection.

Consider a VRF that has one outside interface (BD-VIF7005) and inside interfaces (all remaining). Firewalling should be done between outside and inside, but also vice versa. VRF Configuration:

qa-de-1-rt12a#show run vrf 7e2a161a85fd454f8838bc4de9563333
Building configuration...

Current configuration : 1894 bytes
vrf definition 7e2a161a85fd454f8838bc4de9563333
 description Router 7e2a161a-85fd-454f-8838-bc4de9563333
 rd 65148:34352
 !
 address-family ipv4
  export map exp-7e2a161a85fd454f8838bc4de9563333
 exit-address-family
!
!
interface BD-VIF6856
 description 7e2a161a-85fd-454f-8838-bc4de9563333
 mac-address fa16.3e41.fcd8
 mtu 8950
 vrf forwarding 7e2a161a85fd454f8838bc4de9563333
 ip address 10.180.5.1 255.255.255.0
 ip nat stick
 zone-member security ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-in
 ip policy route-map pbr-7e2a161a85fd454f8838bc4de9563333
!
interface BD-VIF7005
 description 7e2a161a-85fd-454f-8838-bc4de9563333
 mac-address fa16.3e4c.ab0e
 mtu 8950
 vrf forwarding 7e2a161a85fd454f8838bc4de9563333
 ip address 10.237.208.24 255.255.255.0
 ip nat outside
 ip access-group EXT-TOS out
 zone-member security ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-out
 ip policy route-map EXT-TOS
!
interface BD-VIF7154
 description 7e2a161a-85fd-454f-8838-bc4de9563333
 mac-address fa16.3ead.1e11
 mtu 8950
 vrf forwarding 7e2a161a85fd454f8838bc4de9563333
 ip address 10.180.6.1 255.255.255.0
 ip nat stick
 zone-member security ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-in
 ip policy route-map pbr-7e2a161a85fd454f8838bc4de9563333
ip nat inside source static 10.180.5.10 10.237.208.9 vrf 7e2a161a85fd454f8838bc4de9563333 redundancy 1 mapping-id 621668109 match-in-vrf
ip nat inside source static 10.180.6.5 10.237.208.35 vrf 7e2a161a85fd454f8838bc4de9563333 redundancy 1 mapping-id 56444491 match-in-vrf
ip nat inside source list NAT-7e2a161a85fd454f8838bc4de9563333 interface BD-VIF7005 vrf 7e2a161a85fd454f8838bc4de9563333 overload
!
ip route vrf 7e2a161a85fd454f8838bc4de9563333 0.0.0.0 0.0.0.0 10.237.208.1
ip route vrf 7e2a161a85fd454f8838bc4de9563333 10.180.64.5 255.255.255.255 10.180.5.11
ip route vrf 7e2a161a85fd454f8838bc4de9563333 10.180.64.6 255.255.255.255 10.180.6.9
end

ZBF Config:

ip access-list extended ACL-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
 10 permit tcp any any eq www
 20 permit udp any any eq domain
 30 permit icmp any any echo

ip access-list extended ACL-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT
 10 permit ip any any

class-map type inspect match-all CM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
 match access-group name ACL-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN

class-map type inspect match-all CM-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT
 match access-group name ACL-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT

policy-map type inspect PM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
 class type inspect CM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
  inspect PAM-FWAAS-FWAAS
 class class-default
  drop log

policy-map type inspect PM-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT
 class type inspect CM-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT
  inspect PAM-FWAAS-FWAAS
 class class-default
  drop log

zone security ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-in
zone security ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-out

zone-pair security ZP-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT source ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-in destination ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-out
 service-policy type inspect PM-FWAAS-7e2a161a85fd454f8838bc4de9563333-IN2OUT
zone-pair security ZP-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN source ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-out destination ZN-FWAAS-7e2a161a85fd454f8838bc4de9563333-in
 service-policy type inspect PM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN

As you can see, I try to keep the class-maps as short as possible, explicitly not coupling them with match-all and match tcp statements, as we plan to replicate this piece of configuration hundreds of times with different ACLs, and adding match tcp, match udp, match icmp would drastically reduce the scale at which we can deploy this configuration. In terms of scale, I refer to the 1000 match statements global limit mentioned here:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-17/sec-data-zbf-xe-17-book/m_sec-zone-pol-fw-xe.html

You can configure a maximum of 16 match statements in a class map and 1000 globally.

So now, in order to have ZBF only do L4 firewalling, I bind a parameter map to the inspect action in the policy-map. See my parameter maps here:

parameter-map type inspect-vrf PAM-FWAAS-FWAAS-POLICE
 session total 100000
 tcp syn-flood limit 2000
parameter-map type inspect-global
 icmp-unreachable-allow
 no application-inspect all
 inspect vrf 7e2a161a85fd454f8838bc4de9563333 PAM-FWAAS-FWAAS-POLICE
 zone-mismatch drop
parameter-map type inspect PAM-FWAAS-FWAAS
 no application-inspect all
 log dropped-packets
 zone-mismatch drop

From the docs I read that I can disable L7 inspection the way I did it.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-17/sec-data-zbf-xe-17-book/m_zbf_enable_alg_aic.html

With this feature you can enable or disable Layer 7 inspection by using the no application-inspect command.

However when I do

qa-de-1-rt12a#show policy-map type inspect zone-pair ZP-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
  Zone-pair: ZP-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
  Service-policy inspect : PM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN

    Class-map: CM-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN (match-all)
      Match: access-group name ACL-FWAAS-7e2a161a85fd454f8838bc4de9563333-OUT2IN
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:46493]
        http packets: [0:258996]
        dns packets: [0:47056]
        [...]

I can see that the ZBF does inspect them on L7, which is different from what I see if I explicitly tell the feature to, i.e. treat the http traffic as pure tcp in the class-map's match statement.
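The scale argument above, as an added example that is not code from asr1k-neutron-l3: a renderer for the per-router ZBF block in the issue's naming scheme (ACL-/CM-/PM-/ZN-/ZP-FWAAS-<router_id>-<direction>), plus a count of `match` statements per class-map against the 16-per-class-map and 1000-global limits quoted from the Cisco documentation. It assumes the shared parameter-map PAM-FWAAS-FWAAS is already configured globally.

```python
"""Render the per-router ZBF config from the issue and check it against the
documented match-statement limits. Added example, not asr1k-neutron-l3 code;
it assumes the shared parameter-map PAM-FWAAS-FWAAS already exists."""
PER_CLASS_MAP_LIMIT = 16   # max match statements in one class-map (Cisco docs)
GLOBAL_MATCH_LIMIT = 1000  # max match statements on the whole router (Cisco docs)


def render_zbf(router_id: str, out2in_acl: list[str], in2out_acl: list[str]) -> str:
    """Render ACLs, one-match class-maps, inspect policy-maps, zones and zone-pairs."""
    lines = []
    for direction, aces in (("OUT2IN", out2in_acl), ("IN2OUT", in2out_acl)):
        name = f"FWAAS-{router_id}-{direction}"
        lines.append(f"ip access-list extended ACL-{name}")
        lines += [f" {10 * (i + 1)} {ace}" for i, ace in enumerate(aces)]
        # A single 'match access-group' per class-map costs two match statements
        # per router; per-protocol 'match protocol' lines would cost one each.
        lines += [f"class-map type inspect match-all CM-{name}",
                  f" match access-group name ACL-{name}",
                  f"policy-map type inspect PM-{name}",
                  f" class type inspect CM-{name}", "  inspect PAM-FWAAS-FWAAS",
                  " class class-default", "  drop log"]
    lines += [f"zone security ZN-FWAAS-{router_id}-{z}" for z in ("in", "out")]
    for direction, src, dst in (("IN2OUT", "in", "out"), ("OUT2IN", "out", "in")):
        lines.append(f"zone-pair security ZP-FWAAS-{router_id}-{direction} source "
                     f"ZN-FWAAS-{router_id}-{src} destination ZN-FWAAS-{router_id}-{dst}")
        lines.append(f" service-policy type inspect PM-FWAAS-{router_id}-{direction}")
    return "\n".join(lines)


def count_match_statements(config: str) -> dict[str, int]:
    """Count ' match ...' lines inside each 'class-map type inspect' block."""
    counts, current = {}, None
    for line in config.splitlines():
        if line.startswith("class-map type inspect"):
            current = line.split()[-1]
            counts[current] = 0
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the block
        elif current is not None and line.startswith(" match "):
            counts[current] += 1
    return counts


def routers_within_global_limit(config: str) -> int:
    """How many copies of one router's config fit under the 1000-match limit."""
    counts = count_match_statements(config)
    over = [cm for cm, n in counts.items() if n > PER_CLASS_MAP_LIMIT]
    if over:
        raise ValueError(f"class-maps over {PER_CLASS_MAP_LIMIT} matches: {over}")
    return GLOBAL_MATCH_LIMIT // sum(counts.values())
```

With the issue's two one-match class-maps per router, 500 routers fit under the global limit; each extra per-protocol match line in the class-maps lowers that number.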

swagner-de commented 3 years ago

This seems to be displayed only, but no inspection is taking place. After clarification with the BU, this response was provided:

On the other hand, to answer your question about why the 'show policy-map type inspect zone-pair [zone-pair-name]' was displaying hit counts in the inspect section, they confirmed to me these are just statistics/counters and this does not mean this is indeed doing L7 inspection.

ASR1002-HX# show policy-map type inspect zone-pair ZP-OUT2IN
  Zone-pair: ZP-OUT2IN
  Service-policy inspect : PM-OUT2IN

    Class-map: CM-OUT2IN (match-any) 
      Match: protocol http
      Match: protocol telnet
      Match: protocol dns
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:448]
        icmp packets: [0:1157948]
        http packets: [0:658]
        dns packets: [0:17370]

        Session creations since subsystem startup or last reset 6489
        Current session counts (estab/half-open/terminating) [3:0:0]
        Maxever session counts (estab/half-open/terminating) [4:12:0]
        Last session created 00:00:21
        Last statistic reset never
        Last session creation rate 6
        Last half-open session total 0

3.- The only way to confirm whether the ZBF is doing L7 inspection for specific protocols is by executing the following command, 'show plat hardware qfp active feature alg statistics'; here is an example from my lab tests for the DNS traffic when 'no application-inspect all' was and was not in place: