
Zone Based Firewalls use the [inspect keyword](/zbfw-inspect-keyword) on class maps and policy maps to inspect traffic all the way up to Layer 7 of the [OSI Model](/osi-model).  However, in such cases, when inspecting stateless communication, such as that of [ICMP](/icmp) communication, some interesting behaviors may be observed.

ICMP is stateless, so it does not involve explicit session initiation or termination that are seen in [TCP](/tcp)-based communication.  This means that meaning any replies to ICMP packets are allowed temporarily by creating an exception in the firewall state table. This temporary allowance enables ICMP traffic to flow back to the initiator but will expire after a specific timeout period.  During that time period, it may be possible to initiate additional ICMP traffic that will temporarily be allowed due to that short-lived exception that is created in the state table.  This has been tested in an emulator and has been see in in practice. On the other hand, a protocol like [Telnet](/telnet) uses TCP, which is stateful and involves specific session tracking, thus disallowing unsolicited inbound connections.

As always, such behaviors may vary from platform to platform and from OS to OS, so test them out on your topologies to confirm their behavior.

## Links

https://networklessons.com/cisco/ccie-routing-switching/zone-based-firewall-configuration-example/

ZBFW and ICMP Behavior

Virtual Router Redundancy Protocol (VRRP)

Virtual Template Configuration

Virtualization functions - definition of terms

VoIP - Anatomy of a voice communication

VoIP IP phone registration issues

WAN - edge equipment names and terminology

WAN - how to choose a WAN technology

WAN - what is BVDSL

WAP Local Mode vs Monitor Mode for Rogue Detection

WFQ and CBWFQ Comparison

WRED Mark Probability Denominator (MPD) in Byte-Based Mode

WRED for Single and Multiple Queues

Wake on LAN

Weighted Fair Queuing (WFQ)

Why do we trust a website certificate

Wide Area Network

Wireless - Aggressive Client Load Balancing

Wireless - CAPWAP tunnel

Wireless - CSMA-CA

Wireless - FlexConnect Mode

Wireless - Light Weight Access Point Protocol (LWAPP)

Wireless - Lightweight Access Point

Wireless - Meraki Management Mode

Wireless - Orthogonal Frequency Division Multiple Access (OFDMA)

Wireless - Real-time and management functions

Wireless - Using GCMP with WPA2 and WPA3

Wireless - WLC authbypass feature

Wireless - WLC trunk connection to core

Wireless - WPA3

Wireless - Wi-Fi 2.4GHz frequency band and channels

Wireless - Wi-Fi 5 GHz frequency bands and channels

Wireless - Wi-Fi 6

Wireless - Wi-Fi 6E (Extended)

Wireless - Wi-Fi IEEE 802.11

Wireless - Wi-Fi Protected Access (WPA)

Wireless - Wired Equivalent Privacy (WEP)

Wireless - Wireless LAN Controller

Wireless - configure a 1941W router with a single subnet on wired and wireless interfaces

Wireless - repeater vs mesh

Wireless - troubleshooting wireless clients on a WLC

Wireless - virtual WLC limitations

Wireless 802.11 Learning Path Recommendations

Wireless AP FlexConnect mode switchport mode

Wireless AP Rogue Detection Mode

Wireless Fast BSS Transition

Wireless Service Sets

Wireless roaming defined

Wireshark

YANG

ZBFW inspect Keyword

aaa authorization exec Command in Cisco IOS

cisco ios cli show command double pipe

cisco ios delete folder on flash

debug order of operation

docker iptables

getting a network job without experience

how to study amazon aws

mGRE

networking job interviews

no ip mroute-cache deprecated command

openssl default folder and files

openssl second ca

radtest command to test radius server

regular expressions testing

traffic generator options

vEdge and Cisco Catalyst 8000V Licensing for SD-WAN Labbing

xDSL - what is it and what types are there