The zone-based firewall creates sessions for traffic that flows from a source zone to a destination zone, and also matches the traffic when it returns from the destination zone to the source zone. A zone is a group of interfaces that have similar functions or features. A zone pair allows you to specify a unidirectional firewall policy between two security zones that are part of that zone pair.

For the first packet of a flow, the firewall checks the zone pair that is associated with the ingress and egress interfaces of the packet, and validates the packet before it creates a session for traffic that can be inspected. When the return traffic arrives, the firewall performs a session lookup based on the first packet to find an existing session. If the firewall finds a matching session, it allows the traffic to pass through and does not check whether the zone associated with the return traffic matches the zone pair associated with the existing session. Allowing traffic into the network without validating the zone pair associated with a session can lead to security vulnerabilities.

The Zone Mismatch Handling feature allows you to validate the zone pair that is associated with an existing session and admits only traffic that matches that zone pair into the network. When you configure the zone-mismatch drop command, the firewall drops all packets (IPv4 and IPv6) that match an existing session but whose zone pair does not match the zone through which these packets arrive or leave. This feature works along with high availability and In-Service Software Upgrade (ISSU).

When you configure the zone-mismatch drop command under the parameter-map type inspect-global command, the zone mismatch handling configuration applies to the global firewall configuration: traffic between all zones is inspected for zone-pair mismatch.

You can also configure the zone-mismatch drop command under the parameter-map type inspect command. This allows you to apply the Zone Mismatch Handling feature on a per-policy basis.

When you configure the zone-mismatch drop command, the configuration is effective only for new sessions. For sessions that already exist, traffic is not dropped even if it does not belong to the same zone pair as the session.
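The two placements of the command side by side, as an added configuration example that is not from the original page; the zone, interface, class-map, policy-map and parameter-map names are assumed, and in practice you would use either the global or the per-policy placement, not both:

```cisco
! Added example (not from the original page). Zone names, interface names,
! class-map, policy-map and parameter-map names are assumed.

! Placement 1 (global): every zone pair on the device checks sessions for
! zone-pair mismatch. Only sessions created after this is configured are
! affected; pre-existing sessions keep passing traffic.
parameter-map type inspect-global
 zone-mismatch drop

! Placement 2 (per policy): only policy-maps that reference this
! parameter-map with the "inspect" action enforce the check.
parameter-map type inspect PMAP-ZONE-CHECK
 zone-mismatch drop

zone security INSIDE
zone security OUTSIDE

interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security OUTSIDE

class-map type inspect match-any CMAP-TCP-UDP
 match protocol tcp
 match protocol udp

policy-map type inspect PMAP-IN-TO-OUT
 class type inspect CMAP-TCP-UDP
  inspect PMAP-ZONE-CHECK
 class class-default
  drop

! Unidirectional zone pair. The first packet from INSIDE to OUTSIDE creates
! the session; with zone-mismatch drop in effect, a packet that matches that
! session but arrives or leaves through a zone other than OUTSIDE/INSIDE
! is dropped instead of being passed on the session lookup alone.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-IN-TO-OUT
```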