When is "Deny all" policy an exception in Zone Based Firewall

A. traffic traverses 2 interfaces in same zone
B. traffic sources from router via self zone
C. traffic terminates on router via self zone
D. traffic traverses 2 interfaces in different zones
E. traffic terminates on router via self zone


4 thoughts on “When is "Deny all" policy an exception in Zone Based Firewall”

  1. Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.

  2. I think the options on this question are twisted. The problem with answer A is that if you create a policy to prevent X from reaching Z (both in the same zone) and don’t create a permit any any, it WILL reach the implicit deny. Now consider this paper from Cisco where it says:

    The Self zone is the only exception to the default
    “deny all” policy. All traffic to any router interface is allowed until explicitly denied.

    Page 18.3:
    https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.pdf
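The following Python model is an added illustration, not part of the original post and not Cisco code: it encodes the ZBF default decisions the two comments and the quoted Cisco text describe (intra-zone traffic allowed by default, inter-zone traffic denied unless a zone-pair policy permits it, the self zone allowed until a zone-pair explicitly restricts it, and a configured policy falling through to a dropping class-default). Zone names, the zone-pairs and the sample flows are constructed for the example; the treatment of class-default on self-zone pairs is a simplification of IOS behaviour.

```python
"""Educational model of Cisco IOS Zone-Based Firewall default policy decisions.

Added example, not Cisco code. Encodes the defaults discussed above:
  * same zone on both interfaces          -> allowed by default
  * different zones, no zone-pair         -> "deny all"
  * self zone involved, no zone-pair      -> allowed until explicitly denied
  * zone-pair configured                  -> first matching class wins,
                                             class-default drops
  * zone member <-> interface in no zone  -> dropped
  * neither interface in a zone           -> ZBF not applied
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

SELF = "self"      # the router's own control plane (router-originated/terminated traffic)
NO_ZONE = None     # interface that has not been assigned to any zone


@dataclass(frozen=True)
class Flow:
    src_zone: Optional[str]   # zone of the ingress interface, SELF if router-originated
    dst_zone: Optional[str]   # zone of the egress interface, SELF if destined to the router
    proto: str = "tcp"
    dport: int = 0


# One class-map/policy-map pair reduced to an ordered list of (match, action).
Rule = Tuple[Callable[[Flow], bool], str]   # action: "inspect" | "pass" | "drop"


@dataclass
class ZoneBasedFirewall:
    # (source zone, destination zone) -> policy rules, like "zone-pair security ..."
    zone_pairs: Dict[Tuple[Optional[str], Optional[str]], List[Rule]] = field(default_factory=dict)

    def add_zone_pair(self, src: str, dst: str, rules: List[Rule]) -> None:
        self.zone_pairs[(src, dst)] = rules

    def decide(self, f: Flow) -> str:
        rules = self.zone_pairs.get((f.src_zone, f.dst_zone))
        if rules is not None:
            # A policy applies: first matching class wins, unmatched traffic hits
            # class-default, which drops (this is the "implicit deny" in comment 2).
            for match, action in rules:
                if match(f):
                    return action
            return "drop"
        if SELF in (f.src_zone, f.dst_zone):
            return "pass"   # self zone: the documented exception to "deny all"
        if f.src_zone is NO_ZONE and f.dst_zone is NO_ZONE:
            return "pass"   # neither interface is in a zone, so ZBF is not applied
        if f.src_zone is NO_ZONE or f.dst_zone is NO_ZONE:
            return "drop"   # zone member talking to a non-zone interface is dropped
        if f.src_zone == f.dst_zone:
            return "pass"   # intra-zone traffic is allowed by default (comment 1)
        return "drop"       # inter-zone traffic with no zone-pair: default deny all


def build_example_firewall() -> ZoneBasedFirewall:
    """Constructed configuration: zones 'inside' and 'outside' plus the self zone."""
    fw = ZoneBasedFirewall()
    # inside -> outside: inspect web traffic; anything else falls to class-default (drop)
    fw.add_zone_pair("inside", "outside",
                     [(lambda f: f.proto == "tcp" and f.dport in (80, 443), "inspect")])
    # inside -> self: only SSH to the router is allowed from inside
    fw.add_zone_pair("inside", SELF,
                     [(lambda f: f.proto == "tcp" and f.dport == 22, "pass")])
    # Deliberately no outside -> self zone-pair: the self-zone default applies there.
    return fw


def evaluate_exam_options() -> Dict[str, str]:
    """Decide one constructed flow per answer option, plus the policy fall-through cases."""
    fw = build_example_firewall()
    return {
        "A_same_zone": fw.decide(Flow("inside", "inside", "tcp", 445)),
        "B_router_originated": fw.decide(Flow(SELF, "outside", "udp", 53)),
        "C_to_router_no_pair": fw.decide(Flow("outside", SELF, "tcp", 22)),
        "C_to_router_pair_ssh": fw.decide(Flow("inside", SELF, "tcp", 22)),
        "C_to_router_pair_telnet": fw.decide(Flow("inside", SELF, "tcp", 23)),
        "D_different_zones_web": fw.decide(Flow("inside", "outside", "tcp", 443)),
        "D_different_zones_smtp": fw.decide(Flow("inside", "outside", "tcp", 25)),
        "D_different_zones_no_pair": fw.decide(Flow("outside", "inside", "tcp", 443)),
    }


if __name__ == "__main__":
    for case, verdict in evaluate_exam_options().items():
        print(f"{case:28s} {verdict}")
```

The model makes the defensive point behind the exam question visible: with no zone-pair involving the self zone, SSH to the router from the outside zone is passed by ZBF by default, so a self-zone policy has to be configured explicitly (as the inside-to-self pair is here) before the "deny all" default protects the router's control plane.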
