https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146173#M1114360 <P>So just logging then in your opinion?</P><P>I can't see any other reason to have specific deny's in above a permit as the implicit deny would kick in.</P> Wed, 17 Jul 2024 17:10:22 GMT Joe Bloggs 2024-07-17T17:10:22Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145387#M1114311 <P>Is there any security benefit by putting in specific deny's for say known bad hosts</P><P>in a firewall rule base when the rule base has an implicit deny all in it?</P><P>&nbsp;</P> Tue, 16 Jul 2024 07:33:22 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145387#M1114311 Joe Bloggs 2024-07-16T07:33:22Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145389#M1114313 <P>Just for troubleshooting</P> <P>You can check hit and log when you add deny&nbsp;</P> <P>That it</P> <P>MHM</P> Tue, 16 Jul 2024 07:54:55 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145389#M1114313 MHM Cisco World 2024-07-16T07:54:55Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145393#M1114315 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/54971">@Joe Bloggs</a> yes there is. The implicit deny rule will only be hit if there is no more specific rule higher up in the the firewall ruleset that permits the traffic. In some circumstances you may wish to block traffic, for example, you have a firewall rule allowing "any" source to a hosted webserver. So you would add a deny rule from known bad hosts above the allow rule to ensure those bad hosts cannot access the webserver.</P> Tue, 16 Jul 2024 09:09:56 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5145393#M1114315 Rob Ingram 2024-07-16T09:09:56Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146173#M1114360 <P>So just logging then in your opinion?</P><P>I can't see any other reason to have specific deny's in above a permit as the implicit deny would kick in.</P> Wed, 17 Jul 2024 17:10:22 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146173#M1114360 Joe Bloggs 2024-07-17T17:10:22Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146174#M1114361 <P>Above or below?</P> <P>Below permit before implicit deny use for troubleshoot&nbsp;</P> <P>Above permit meanly use to deny specific host from subnet' i.e.</P> <P>We deny host A in subnet 10.0.0.0</P> <P>Then we permit subnet 10.0.0.0</P> <P>MHM</P> Wed, 17 Jul 2024 17:14:54 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146174#M1114361 MHM Cisco World 2024-07-17T17:14:54Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146175#M1114362 <P>So i appreciate if you have some overly permissive rule and you wanted to stop one specific host from hitting that rule putting a deny in above makes sense.</P><P>But if you only have specific ip's talking to specific ip's on specific ports is there any point putting an ACE at the top of the rule base dropping/denying traffic from other hosts?</P> Wed, 17 Jul 2024 17:16:38 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146175#M1114362 Joe Bloggs 2024-07-17T17:16:38Z https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146177#M1114363 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/54971">@Joe Bloggs</a> as mentioned, you may need to use it in some circumstances. Each environment and firewall ruleset is different, configure the rules to meet your needs.</P> <P>If you have strict ACE with specific IP addresses/networks communicating, then no, you may not require an explict deny rule above.</P> Wed, 17 Jul 2024 17:30:59 GMT https://community.cisco.com/t5/network-security/explicit-deny-s-on-a-firewall/m-p/5146177#M1114363 Rob Ingram 2024-07-17T17:30:59Z