https://community.cisco.com/t5/secure-access-discussions/secure-access-acl-best-practice/m-p/5372652#M160 <DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><DIV class=""><P>We are currently migrating from an on-prem FTD environment, where all traffic is backhauled through our data centers, to a more modern cloud-based security model using Cisco Secure Access. As part of this transition, we are leveraging the ZTA module to tunnel most non-excluded internet traffic to a Cisco data center. While ZTA is traditionally associated with private application access, this design was recommended directly by Cisco for our use case.</P><P>Our current ACL structure is based on Active Directory group membership, aligning access policies with a user’s specific role or “web level.” Each web level includes:</P><UL><LI><P>An<SPAN>&nbsp;</SPAN><STRONG>Allow rule</STRONG><SPAN>&nbsp;</SPAN>for granular application/site access</P></LI><LI><P>A<SPAN>&nbsp;</SPAN><STRONG>Block rule</STRONG><SPAN>&nbsp;</SPAN>that enforces content category restrictions and general security controls via the associated security profile</P></LI></UL><P>The challenge we are encountering is related to unidentified users. Because the default action for internet-bound traffic is “Allow,” users who are not properly mapped to an AD group fall through to the implicit allow rule. To mitigate this, we have temporarily implemented a “Deny All” rule at the bottom of the ACL, but we recognize this is not considered best practice.</P><P>What would be the recommended approach for handling unidentified users and structuring ACL logic in a modern Secure Access deployment? Specifically, how can we ensure unidentified users are appropriately restricted without relying on a blanket deny-all rule at the bottom?</P><P>Any guidance on best practices for modern ACL design in this scenario would be greatly appreciated.</P></DIV></DIV></DIV> Wed, 25 Feb 2026 14:34:41 GMT jaismith 2026-02-25T14:34:41Z https://community.cisco.com/t5/secure-access-discussions/secure-access-acl-best-practice/m-p/5372652#M160 <DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><DIV class=""><P>We are currently migrating from an on-prem FTD environment, where all traffic is backhauled through our data centers, to a more modern cloud-based security model using Cisco Secure Access. As part of this transition, we are leveraging the ZTA module to tunnel most non-excluded internet traffic to a Cisco data center. While ZTA is traditionally associated with private application access, this design was recommended directly by Cisco for our use case.</P><P>Our current ACL structure is based on Active Directory group membership, aligning access policies with a user’s specific role or “web level.” Each web level includes:</P><UL><LI><P>An<SPAN>&nbsp;</SPAN><STRONG>Allow rule</STRONG><SPAN>&nbsp;</SPAN>for granular application/site access</P></LI><LI><P>A<SPAN>&nbsp;</SPAN><STRONG>Block rule</STRONG><SPAN>&nbsp;</SPAN>that enforces content category restrictions and general security controls via the associated security profile</P></LI></UL><P>The challenge we are encountering is related to unidentified users. Because the default action for internet-bound traffic is “Allow,” users who are not properly mapped to an AD group fall through to the implicit allow rule. To mitigate this, we have temporarily implemented a “Deny All” rule at the bottom of the ACL, but we recognize this is not considered best practice.</P><P>What would be the recommended approach for handling unidentified users and structuring ACL logic in a modern Secure Access deployment? Specifically, how can we ensure unidentified users are appropriately restricted without relying on a blanket deny-all rule at the bottom?</P><P>Any guidance on best practices for modern ACL design in this scenario would be greatly appreciated.</P></DIV></DIV></DIV> Wed, 25 Feb 2026 14:34:41 GMT https://community.cisco.com/t5/secure-access-discussions/secure-access-acl-best-practice/m-p/5372652#M160 jaismith 2026-02-25T14:34:41Z