When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)
A . pass
B . police
C . inspect
D . drop
E . queue
F . shape

View Answer

Answer: A,C,D

Explanation:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994+shtml

Zone-Based Policy Firewall Actions

ZFW provides three actions for traffic that traverses from one zone to another:

Drop ― This is the default action for all traffic, as applied by the "class class-default" that terminates every inspect-type policy-map. Other class-maps within a policy-map can also be configured to drop unwanted traffic.

Traffic that is handled by the drop action is "silently" dropped (i.e., no notification of the drop is sent to the relevant end-host) by the ZFW, as opposed to an ACL’s behavior of sending an ICMP “host unreachable” message to the host that sent the denied traffic. Currently, there is not an

option to change the "silent drop" behavior. The log option can be added with drop for syslog notification that traffic was dropped by the firewall.

Pass ― This action allows the router to forward traffic from one zone to another. The pass action does not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding policy must be applied to allow return traffic to pass in the opposite direction. The pass action is useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior.

However, most application traffic is better handled in the ZFW with the inspect action.

Inspect―The inspect action offers state-based traffic control. For example, if traffic from the private zone to the Internet zone in the earlier example network is inspected, the router maintains connection or session information for TCP and User Datagram Protocol (UDP) traffic. Therefore, the router permits return traffic sent from Internet-zone hosts in reply to private zone connection requests. Also, inspect can provide application inspection and control for certain service protocols that might carry vulnerable or sensitive application traffic. Audit-trail can be applied with a parameter-map to record connection/session start, stop, duration, the data volume transferred, and source and destination addresses.