https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535511#M237642 <P>An explicit deny allows one to generate log messages for the packets that are denied.</P><P>Some organizations use those for analysis and/or blacklisting / shunning of the source IPs.</P><P>The other reason I have seen cited is that it keeps some auditors happier to see the explicit denies. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Tue, 10 Jun 2014 02:00:36 GMT Marvin Rhoads 2014-06-10T02:00:36Z https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535510#M237638 Why do we write a 'deny' statement in the firewall, when there is always an 'implicit deny' at the end of the access list Tue, 12 Mar 2019 04:18:45 GMT https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535510#M237638 grapevine 2019-03-12T04:18:45Z https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535511#M237642 <P>An explicit deny allows one to generate log messages for the packets that are denied.</P><P>Some organizations use those for analysis and/or blacklisting / shunning of the source IPs.</P><P>The other reason I have seen cited is that it keeps some auditors happier to see the explicit denies. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Tue, 10 Jun 2014 02:00:36 GMT https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535511#M237642 Marvin Rhoads 2014-06-10T02:00:36Z https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535512#M237646 <P>further adding to marvin's post, we put an explicit deny (on 'outside' interface) in order to customize the logging level and interval of syslog message 106100.</P><P>http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049</P> Tue, 10 Jun 2014 07:08:46 GMT https://community.cisco.com/t5/network-security/deny-in-firewall/m-p/2535512#M237646 johnlloyd_13 2014-06-10T07:08:46Z