Welcome to Cisco Firewalls Community
Contributor

What if ASA filtering/ACLs fail?

If filtering were to stop working for whatever reason, will the ASA fail to a secure state? How can I verify this?

VIP Advisor RJI

Re: What if ASA filtering/ACLs fail?

Hi,
If there is no explicit ACE (deny or permit) at the bottom of the rule set, then there would be an implicit deny. So on that basis if no rule at the top were matched for whatever reason, then the implicit rule should be matched and all traffic denied.

HTH
Contributor

Re: What if ASA filtering/ACLs fail?

Yes, but what if ACLs are not working altogether? I know if a module is involved you can do "Fail to secure" or something like that, unless I am mistaken. My device does not have a module.
VIP Mentor

Re: What if ASA filtering/ACLs fail?

If a device fails, then it often could fail to anything.

If you assume the whole box fails, then it fails closed. But your question implies a software failure. Here it also could fail open. But IMO at least this kind of bug did not show up in the last 20 years for this platform.

Contributor

Re: What if ASA filtering/ACLs fail?

Basically what if just filtering and/or ACLs fail. Is there anything to confirm it would fail to close/secure?
VIP Mentor

Re: What if ASA filtering/ACLs fail?

Probably only Cisco could find out what will happen in this case. If it is just the ACL operation that fails I would assume that it fails to the security levels. And that could either be close or open.
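The two behaviours this thread relies on, the first reply's implicit deny at the end of an access list and this reply's fallback to interface security levels when no access list is applied, as an added Python model. This is constructed example code, not Cisco's code and not anything posted in the thread; the interface names, security levels, addresses and the single ACL are made up, and it simplifies equal-security-level traffic to "denied" (the ASA default unless same-security traffic is explicitly permitted). The `without_acls` helper plays out the original poster's hypothetical, filtering gone but the interface levels still in place, so you can see which flows stay closed and which open up.

```python
"""Toy model of ASA ingress policy evaluation (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    egress: str    # interface it would be routed out of
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source/destination CIDRs, optional port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


@dataclass
class Firewall:
    security_levels: Dict[str, int]                           # interface -> 0..100
    access_groups: Dict[str, List[Ace]] = field(default_factory=dict)  # interface -> inbound ACL

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet entering on p.ingress."""
        acl = self.access_groups.get(p.ingress)
        if acl is not None:
            # Access list present: top-down, first match wins ...
            for idx, ace in enumerate(acl, start=1):
                if ace.matches(p):
                    return ace.action, f"matched ACE #{idx}"
            # ... and anything that falls off the end hits the implicit deny.
            return "deny", "implicit deny at end of access-list"
        # No access list on this interface: security levels decide.
        # Higher -> lower is permitted; lower -> higher and equal levels are denied.
        src_lvl = self.security_levels[p.ingress]
        dst_lvl = self.security_levels[p.egress]
        verdict = "permit" if src_lvl > dst_lvl else "deny"
        return verdict, f"security level {src_lvl} -> {dst_lvl}, no ACL applied"


def without_acls(fw: Firewall) -> Firewall:
    """The thread's hypothetical: filtering stops working, only security levels remain."""
    return Firewall(security_levels=dict(fw.security_levels), access_groups={})


# Constructed sample topology: inside (100), dmz (50), outside (0).
FW = Firewall(
    security_levels={"inside": 100, "dmz": 50, "outside": 0},
    access_groups={
        # Inbound ACL on outside: only HTTPS to one DMZ host is permitted.
        "outside": [Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443)],
        # inside and dmz carry no ACL, so security levels apply there.
    },
)


def check(ingress: str, egress: str, proto: str, src: str, dst: str, dport: int = 0,
          fw: Firewall = FW) -> Tuple[str, str]:
    return fw.evaluate(Packet(ingress, egress, proto, src, dst, dport))


if __name__ == "__main__":
    flows = [
        ("outside", "dmz", "tcp", "198.51.100.7", "192.0.2.10", 443),
        ("outside", "dmz", "tcp", "198.51.100.7", "192.0.2.10", 22),
        ("inside", "outside", "tcp", "10.0.0.5", "203.0.113.1", 80),
        ("dmz", "inside", "tcp", "192.0.2.10", "10.0.0.5", 445),
    ]
    for label, fw in (("with ACLs", FW), ("ACLs lost", without_acls(FW))):
        print(f"--- {label} ---")
        for f in flows:
            print(f[0], "->", f[1], f[2], f[3], "->", f[4], f[5], check(*f, fw=fw))
```

On a real ASA the equivalent check is the box's own `packet-tracer` command run for the same flows, which reports which ACE (or the implicit deny) a test packet hits; comparing its verdicts against what you expect for each interface pair is the closest thing to verifying "which way it fails" without waiting for a real failure.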