https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241488#M1118475 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/655758">@Ditter</a> yes, as you have more a specific rule (as above) from inside to any that matches the traffic, then nothing should hit the default rule, unless there are other zones you do not have specific rules for. Traffic will still be discovered by matching your allow rule (from inside to any), it does not need to hit the default action rule - "network discovery only".</P> <P>Most environments would set the default action to be Default Access Control—Blocks all traffic without further inspection - this means you don't need an explict deny rule. A default action of Network discovery only, might be used for an internal firewall, during initial discovery phase before implementing traffic filtering.</P> Sat, 28 Dec 2024 12:49:43 GMT Rob Ingram 2024-12-28T12:49:43Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241479#M1118472 <P>Hi to everybody,</P><P>It is not so clear to me what the discovery default action does.&nbsp;</P><P>I am asking this because my last rule is <STRONG>deny from outside to inside</STRONG>. Therefore i suppose that the FTD does not pass to the default action that is below the all deny rule which is the <STRONG>default action network discovery only.</STRONG></P><P>Please see the attached pic.</P><P>I suppose i am missing something here,</P><P>Any explanation is welcome.</P><P>Thanks&nbsp;</P><P>Ditter.</P> Sat, 28 Dec 2024 12:00:28 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241479#M1118472 Ditter 2024-12-28T12:00:28Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241483#M1118473 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/655758">@Ditter</a> the default action is applicable if the traffic does not match an explict rule in the ruleset.</P> <P>In your scenario,traffic from outside to inside would match your explict rule and be denied. But traffic from <U>inside</U> to <U>outside</U> that did not match a specific rule, would match the default action and traffic would be allowed, while inspecting it for discovery data but not intrusions or exploits. The more traffic that passes, the more information the FTD can learn about the hosts in your network, to build a host profile.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/access-policies.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/access-policies.html</A></P> <P>&nbsp;</P> Sat, 28 Dec 2024 12:14:49 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241483#M1118473 Rob Ingram 2024-12-28T12:14:49Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241487#M1118474 <P>Thanks Rob but there is also a rule for traffic from inside going to outside. See the attached pic.</P><P>So in my case no traffic should reach the default discovery action.&nbsp; Correct ?</P><P>However i have discovered hosts. I can not understand this.</P><P>Thanks,</P><P>Ditter</P> Sat, 28 Dec 2024 12:41:20 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241487#M1118474 Ditter 2024-12-28T12:41:20Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241488#M1118475 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/655758">@Ditter</a> yes, as you have more a specific rule (as above) from inside to any that matches the traffic, then nothing should hit the default rule, unless there are other zones you do not have specific rules for. Traffic will still be discovered by matching your allow rule (from inside to any), it does not need to hit the default action rule - "network discovery only".</P> <P>Most environments would set the default action to be Default Access Control—Blocks all traffic without further inspection - this means you don't need an explict deny rule. A default action of Network discovery only, might be used for an internal firewall, during initial discovery phase before implementing traffic filtering.</P> Sat, 28 Dec 2024 12:49:43 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241488#M1118475 Rob Ingram 2024-12-28T12:49:43Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241489#M1118476 <P>Thanks for the explanation, now it is clear to me.</P> Sat, 28 Dec 2024 12:53:20 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241489#M1118476 Ditter 2024-12-28T12:53:20Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241490#M1118477 <P>I will check this point and update you</P> <P>MHM</P> Sat, 28 Dec 2024 13:03:29 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241490#M1118477 MHM Cisco World 2024-12-28T13:03:29Z https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241495#M1118478 <P>default action with Net Discover is <STRONG>ALLOW</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (230).png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/236661i58F671265120103B/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot (230).png" alt="Screenshot (230).png" /></span></P> Sat, 28 Dec 2024 13:04:41 GMT https://community.cisco.com/t5/network-security/default-action-to-ftd/m-p/5241495#M1118478 MHM Cisco World 2024-12-28T13:04:41Z