| Parameter | Description | Value |
|---|---|---|
| permit | Indicates that the action in the default security policy is permit. | - |
| deny | Indicates that the action in the default security policy is deny. | - |

The default action of the default security policy is deny.
By default, this command takes effect only for interzone traffic forwarding (traffic between different security zones), not for intrazone traffic forwarding. The default action for intrazone traffic is permit. To control intrazone traffic forwarding, configure a suitable security policy. To have the default security policy also control intrazone traffic, run the default packet-filter intrazone enable command.
If the action of the default security policy is set to permit, all packets are allowed to pass through, which may bring security risks. You are therefore advised to retain the default action for the default security policy, that is, to prohibit any traffic from passing through.
# Set the action of the default security policy to permit.

```
<sysname> system-view
[sysname] security-policy
[sysname-policy-security] default action permit
Warning:Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N]y
```

# Set the action of the default security policy to deny.

```
<sysname> system-view
[sysname] security-policy
[sysname-policy-security] default action deny
Warning: Setting the default interzone packet filtering to deny may affect actual data traffic. You are advised to configure the security policy based on the actual services. Are you sure you want to continue? [Y/N]y
```
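The following audit script is an added example, not part of the original command reference. It checks a saved configuration for the two settings discussed above: a default action of permit, and whether the default policy has been extended to intrazone traffic. It assumes that security-policy view commands (including default packet-filter intrazone enable) appear indented under a `security-policy` line and that any non-indented line ends the view; the function name and sample configurations are constructed for illustration.

```python
# Added example: audit a saved configuration for the default security policy.
# Assumption: security-policy view commands are indented under "security-policy"
# and any non-indented line (such as "#") ends that view.

def audit_default_policy(config_text):
    """Report the default action and intrazone coverage found in a saved config."""
    in_policy = False
    action = "deny"      # per the reference: deny when nothing is configured
    intrazone = False    # per the reference: intrazone is not covered by default
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            # Non-indented line: entering or leaving a configuration view.
            in_policy = (line == "security-policy")
            continue
        if not in_policy:
            continue
        if line.startswith("default action "):
            action = line.split()[2]
        elif line == "default packet-filter intrazone enable":
            intrazone = True
    findings = []
    if action == "permit":
        findings.append("default action is permit: interzone traffic that "
                        "matches no rule is allowed")
    if not intrazone:
        findings.append("default policy does not control intrazone traffic "
                        "(intrazone default is permit)")
    return {"action": action, "intrazone_controlled": intrazone,
            "findings": findings}

# Constructed sample configurations (not taken from a real device).
RISKY = """#
security-policy
 default action permit
 rule name web
  action permit
#
"""
HARDENED = """#
security-policy
 default packet-filter intrazone enable
 rule name web
  action permit
#
"""

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        print(name, audit_default_policy(cfg))
```

A rule-level `action permit` line is deliberately not treated as the default action, so a configuration with permit rules but no `default action permit` is reported as deny.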