What if ASA filtering/ACLs fail?

CiscoPurpleBelt
Level 6

If filtering were to stop working for whatever reason, will the ASA fail to a secure state? How can I verify this?

5 Replies

Hi,
If there is no explicit ACE (deny or permit) at the bottom of the rule set, then there would be an implicit deny. So on that basis if no rule at the top were matched for whatever reason, then the implicit rule should be matched and all traffic denied.

HTH
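As an added illustration, not part of this thread and not Cisco's own documentation, the fragment below shows one way to make the catch-all deny observable rather than relying on the silent implicit deny, and how to check what the rule set actually does to a given flow. The ACL name, interface name and addresses (RFC 5737 documentation ranges) are constructed for the example.

```cisco
! Added example, not from the thread. ACL name, interface name and
! addresses are constructed (RFC 5737 documentation ranges).
!
! Make the catch-all deny explicit and logged, so traffic that reaches
! the bottom of the rule set shows up in hit counts and syslog instead
! of being dropped silently by the implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Trace the decision path for a flow that should not be allowed; the
! output names the ACE (or the implicit rule) that drops it.
packet-tracer input outside tcp 203.0.113.5 40000 192.0.2.10 22
!
! Hit counts on the final deny confirm the catch-all is being evaluated.
show access-list OUTSIDE_IN
```

The explicit logged deny does not change what is permitted, since the implicit deny already drops the same traffic; its value is that a rising hit count and the resulting syslog messages give you evidence that the rule set is being evaluated, which the implicit deny alone does not provide.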

Yes but what if ACLs are not working altogether? I know if a module is involved you can do "Fail to secure" or something like that unless I am mistaken. My device does not have a module.

If a device fails, then it often could fail to anything.

If you assume the whole box fails, then it fails close. But your question implies a software-failure. Here it also could fail to open. But IMO at least this kind of bug did not show up in the last 20 years for this platform.

Basically what if just filtering and/or ACLs fail. Is there anything to confirm it would fail to close/secure?

Probably only Cisco could find out what will happen in this case. If it is just the ACL operation that fails I would assume that it fails to the security levels. And that could either be close or open.
