Default action in firewall policy maps

Marko asked a very interesting question: What is the default class policy in a firewall policy-map (policy-map type inspect)? Or, using his original wording, "is it mandatory to use class class-default/drop" at the end of every policy map?

As it turns out, the default action for any class (unless you specify otherwise) is drop. By default, packets not matched by any traffic class are therefore dropped (unless you specify a different action in the class-default), similar to well-known ip access-list behavior. I've tested this feature using a reverse setup: web traffic mapped into a class with no action and all other traffic being inspected in the class-default:
class-map type inspect match-all web
match protocol http
!
policy-map type inspect InToOut
class type inspect web
class class-default
inspect
!
zone security Inside
zone security Outside
zone-pair security InToOut source Inside destination Outside
service-policy type inspect InToOut
As expected, HTTP traffic (port 80) was the only traffic blocked by the firewall.

2 comments:

  1. It's interesting that official documentation states the opposite:

    ====
    drop (zone-based policy)

    To drop packets that are sent to the router, use the drop command in policy-map-class configuration mode.
    [...]

    Command Default

    Packets are not dropped.
    ====
  2. Well, the original post was written more than a year ago, IOS might have changed in the meantime :)
Add comment
Sidebar