Default action to FTD

Ditter
Level 4

Hi to everybody,

It is not so clear to me what the discovery default action does. 

I am asking this because my last rule is deny from outside to inside. Therefore I suppose that the FTD does not pass to the default action that is below the all-deny rule, which is the default action network discovery only.

Please see the attached pic.

I suppose I am missing something here.

Any explanation is welcome.

Thanks 

Ditter.

@Ditter the default action is applicable if the traffic does not match an explicit rule in the ruleset.

In your scenario, traffic from outside to inside would match your explicit rule and be denied. But traffic from inside to outside that did not match a specific rule would match the default action and would be allowed, while being inspected for discovery data but not for intrusions or exploits. The more traffic that passes, the more information the FTD can learn about the hosts in your network to build a host profile.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/access-policies.html


Thanks Rob but there is also a rule for traffic from inside going to outside. See the attached pic.

So in my case no traffic should reach the default discovery action. Correct?

However, I have discovered hosts. I cannot understand this.

Thanks,

Ditter

@Ditter yes, as you have a more specific rule (as above) from inside to any that matches the traffic, then nothing should hit the default rule, unless there are other zones you do not have specific rules for. Traffic will still be discovered by matching your allow rule (from inside to any); it does not need to hit the default action rule "network discovery only".

Most environments would set the default action to be Default Access Control: Blocks all traffic without further inspection. This means you don't need an explicit deny rule. A default action of Network discovery only might be used for an internal firewall during the initial discovery phase, before implementing traffic filtering.
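To make the first-match explanation above concrete, here is an added Python model of the policy described in this thread (it is not Cisco's code; the zone names inside, outside and dmz, the rule names, and the two default-action labels are assumed). It shows that only a zone pair with no explicit rule ever reaches the default action, and that discovery data is still gathered on the explicit inside-to-any allow.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Rule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str
    action: str     # "allow" or "block"

@dataclass
class Verdict:
    action: str       # "allow" or "block"
    matched_by: str   # rule name, or "default action"
    discovery: bool   # whether the flow feeds host discovery

def evaluate(rules: List[Rule], default_action: str, src_zone: str, dst_zone: str) -> Verdict:
    """First-match evaluation, top to bottom, as the thread describes the FTD
    access control policy doing; falls through to the default action only
    when no explicit rule matches the zone pair."""
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            # Per the reply above, allowed traffic is discovered whether it
            # matched an explicit allow rule or the discovery default action.
            return Verdict(r.action, r.name, r.action == "allow")
    if default_action == "Network discovery only":
        return Verdict("allow", "default action", True)
    # "Block all traffic" (the usual choice): dropped without inspection
    return Verdict("block", "default action", False)

# Constructed rule set modelled on the poster's description; zone names assumed.
RULES = [
    Rule("inside-to-any", "inside", "any", "allow"),
    Rule("deny-outside-to-inside", "outside", "inside", "block"),
]

def main() -> None:
    # The third pair (dmz -> inside) has no explicit rule, so it is the only
    # one whose verdict depends on which default action is configured.
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("dmz", "inside")]:
        for default in ("Network discovery only", "Block all traffic"):
            v = evaluate(RULES, default, src, dst)
            print(f"{src}->{dst} default={default!r}: {v.action} via {v.matched_by}, discovery={v.discovery}")

if __name__ == "__main__":
    main()
```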

Thanks for the explanation, now it is clear to me.

I will check this point and update you.

MHM

Default action with Net Discover is ALLOW.

Attachment: Screenshot (230).png
