| When configured with the "PASS" action, stateful inspection is applied to all traffic passing between the configured zones. | |
| Interface ACLs are applied before zone-based policy firewalls when they are applied outbound. | |
| Policies are applied to traffic moving between zones, not between interfaces. | |
| The firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command. |
| The Cisco IOS image file is not visible in the output from the show flash command. | |
| The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM. | |
| The show version command does not show the Cisco IOS image file location. | |
| When the router boots up, the Cisco IOS image is loaded from a secured FTP location. | |
| The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server. |
| They are best used for one-time encryption needs. | |
| They are often used for wire-speed encryption in data networks. | |
| They are based on complex mathematical operations and can easily be accelerated by hardware. | |
| They offer simple key management properties. |