Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
0
Helpful
2
Replies

Deny in firewall

ranjipremandrewp
Level 1
Level 1

‎06-09-2014 05:40 PM - edited ‎03-11-2019 09:18 PM

Why do we write a 'deny' statement in the firewall, when there is always an 'implicit deny' at the end of the access list
Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-09-2014 07:00 PM

An explicit deny allows one to generate log messages for the packets that are denied.

Some organizations use those for analysis and/or blacklisting / shunning of the source IPs.

The other reason I have seen cited is that it keeps some auditors happier to see the explicit denies. :)

 

0 Helpful

johnlloyd_13
Level 9
Level 9

‎06-10-2014 12:08 AM

further adding to marvin's post, we put an explicit deny (on 'outside' interface) in order to customize the logging level and interval of syslog message 106100.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card