Marko asked a very interesting question: What is the default class policy in a firewall policy-map (policy-map type inspect)? Or, using his original wording, "is it mandatory to use class class-default/drop at the end of every policy map?"
As it turns out, the default action for any class (unless you specify otherwise) is drop. By default, packets not matched by any traffic class are therefore dropped (unless you specify a different action in class-default), similar to the well-known ip access-list behavior.

I've tested this feature using a reverse setup: web traffic mapped into a class with no action and all other traffic being inspected in the class-default:

```
class-map type inspect match-all web
 match protocol http
!
policy-map type inspect InToOut
 class type inspect web
 class class-default
  inspect
!
zone security Inside
zone security Outside
!
zone-pair security InToOut source Inside destination Outside
 service-policy type inspect InToOut
```

As expected, HTTP traffic (port 80) was the only traffic blocked by the firewall.
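The same policy written the conventional way round, as an added example that is not part of the original post: HTTP is inspected, and class-default carries an explicit drop with logging, so the drop that would happen anyway becomes visible in syslog. The interface names and zone membership are assumptions for illustration.

```cisco
! Added example: conventional inspect policy with an explicit, logged drop
class-map type inspect match-all web
 match protocol http
!
policy-map type inspect InToOut
 class type inspect web
  inspect
 ! Leaving class-default out would drop the same traffic; "drop log"
 ! only makes the dropped packets show up in syslog
 class class-default
  drop log
!
zone security Inside
zone security Outside
!
! Assumed interface names; traffic between a zone-member interface
! and an interface that is in no zone is dropped
interface GigabitEthernet0/0
 zone-member security Inside
interface GigabitEthernet0/1
 zone-member security Outside
!
zone-pair security InToOut source Inside destination Outside
 service-policy type inspect InToOut
```

Check the result with `show policy-map type inspect zone-pair InToOut`: the per-class counters show non-HTTP traffic landing in class-default and being dropped, which is also how you confirm the implicit drop when class-default is not configured at all.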