
Deny in firewall

Why do we write a 'deny' statement in the firewall, when there is always an 'implicit deny' at the end of the access list?

An explicit deny allows one to generate log messages for the packets that are denied.

Some organizations use those for analysis and/or blacklisting / shunning of the source IPs.

The other reason I have seen cited is that it keeps some auditors happier to see the explicit denies. :)

Further adding to Marvin's post, we put an explicit deny (on the 'outside' interface) in order to customize the logging level and interval of syslog message 106100.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049
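As an added example, not part of either reply: a small Python parser for the 106100 messages that an explicit `deny ... log` entry produces, summing denied hits per source IP for the kind of analysis or blacklisting review Marvin mentions. The message layout and the ACE syntax quoted in the comments are assumed from the ASA 8.x documentation linked above; the log lines are constructed, not captured from a real device.

```python
import re
from collections import Counter

# ASA syslog 106100 is emitted only for ACEs carrying the `log` keyword, so an
# explicit `deny ip any any log 4 interval 600` (syntax assumed from ASA 8.x docs)
# turns the otherwise silent implicit drop into a record at severity 4 that is
# summarised every 600 seconds instead of once per packet.
# Assumed layout: "hit-cnt <n>" followed by "first hit" or "<secs>-second interval".
ASA_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>\S+)/(?P<src>[0-9A-Fa-f.:]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\S+)/(?P<dst>[0-9A-Fa-f.:]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<window>first hit|\d+-second interval)"
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/198.51.100.7(40211) -> inside/192.0.2.10(443) hit-cnt 1 first hit [0x5f1a2b3c, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE_IN denied tcp outside/203.0.113.5(51234) -> inside/192.0.2.10(22) hit-cnt 1 first hit [0x8a4b2c3d, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE_IN denied tcp outside/203.0.113.5(51240) -> inside/192.0.2.10(23) hit-cnt 17 600-second interval [0x8a4b2c3d, 0x0]",
    "%ASA-4-106100: access-list OUTSIDE_IN denied udp outside/203.0.113.9(5353) -> inside/192.0.2.20(161) hit-cnt 2 600-second interval [0x1c2d3e4f, 0x0]",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.7/443 (...)",
]

def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None for any other message."""
    m = ASA_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec

def denied_sources(lines, acl=None):
    """Sum hit-cnt per source IP over 'denied' messages (optionally for one ACL).

    Summing hit-cnt rather than counting lines matters once the ACE uses
    `interval`: a single message then stands for many dropped packets.
    """
    totals = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["action"] != "denied":
            continue
        if acl is not None and rec["acl"] != acl:
            continue
        totals[rec["src"]] += rec["hits"]
    return totals

def shun_candidates(lines, threshold, acl=None):
    """Source IPs whose denied-packet total reaches threshold, for review before any shun."""
    return sorted(ip for ip, n in denied_sources(lines, acl).items() if n >= threshold)

if __name__ == "__main__":
    print(denied_sources(SAMPLE_LOG))      # Counter({'203.0.113.5': 18, '203.0.113.9': 2})
    print(shun_candidates(SAMPLE_LOG, 10))  # ['203.0.113.5']
```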
