PrepAway - Latest Free Exam Questions & Answers

Which option is the resulting action in a zone-based policy firewall configuration with these conditions?


A. no impact to zoning or policy
B. no policy lookup (pass)
C. drop
D. apply default policy

Explanation:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone-polfw.html
Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by
source and destination zones. The source and destination zones of a zone pair must be security
zones.
You can select the default or self zone as either the source or the destination zone. The self zone is a
system-defined zone which does not have any interfaces as members. A zone pair that includes the
self zone, along with the associated policy, applies to traffic directed to the device or traffic
generated by the device. It does not apply to traffic through the device.
The most common use of a firewall is to apply it to traffic through a device, so you need at least
two zones (that is, you cannot rely on the self zone for this).
To permit traffic between zone member interfaces, you must configure a policy permitting (or
inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target
zone pair, use the service-policy type inspect command.
The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2,
which means that the ingress interface for the traffic is a member of zone Z1 and the egress
interface is a member of zone Z2.
Figure 2. Zone Pairs

If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and
Z2 to Z1), you must configure two zone pairs (one for each direction).
If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to
configure a zone pair and a service policy solely for the return traffic. By default, return traffic is not
allowed. If a service policy inspects the traffic in the forward direction and there is no zone pair and
service policy for the return traffic, the return traffic is still admitted: inspect is stateful, and the
session entry created for the forward flow matches the replies. If a service policy passes the traffic
in the forward direction and there is no zone pair and service policy for the return traffic, the return
traffic is dropped, because pass is stateless and creates no session. Only in the pass case, therefore,
do you need to configure a reverse zone pair with a service policy that allows the return traffic. In the
figure above, it is not mandatory to configure a Z2-to-Z1 zone pair for return traffic from Z2 to Z1
when the Z1-to-Z2 policy inspects the traffic; the service policy on the Z1-to-Z2 zone pair takes care
of it.
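As an added worked example, not part of the original page or the Cisco document it quotes, the following IOS configuration builds the two zones and zone pairs described above and places the inspect and pass actions side by side so that the return-traffic difference is visible. Zone names, interface names, the ACL name and the addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the original page or the Cisco documentation it quotes).
! Two-zone zone-based policy firewall: inspect (stateful) beside pass (stateless).
! Zone, interface and ACL names and all addresses are assumed.
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN side (assumed)
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN side (assumed)
 ip address 198.51.100.1 255.255.255.0
 zone-member security OUTSIDE
!
! Stateful case: TCP/UDP/ICMP initiated from INSIDE is inspected.
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateless case: IPsec ESP cannot be inspected, so it is passed.
ip access-list extended ACL-ESP
 permit esp any any
class-map type inspect match-all CM-ESP
 match access-group name ACL-ESP
!
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class type inspect CM-ESP
  pass
 class class-default
  drop log
!
! Return direction. Replies to inspected TCP/UDP/ICMP sessions are matched by
! the session table, so no class for them is needed here. ESP was passed, not
! inspected, so ESP arriving from OUTSIDE must be passed explicitly.
policy-map type inspect PM-OUT-INSIDE
 class type inspect CM-ESP
  pass
 class class-default
  drop log
!
! One zone pair per direction; a zone pair is unidirectional.
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT
!
zone-pair security OUT-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-INSIDE
!
! Remove the OUT-INSIDE zone pair and INSIDE-initiated TCP/UDP/ICMP keeps
! working (inspect is stateful), but ESP from OUTSIDE is dropped (no zone
! pair, no policy), as is any other unsolicited OUTSIDE-to-INSIDE traffic.
! Verify with:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

The class-default drop with log in each policy map makes the implicit "no policy, drop" behaviour explicit and visible in syslog, which is the check a practitioner wants when a flow unexpectedly fails after a zone-pair change.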