Information
Ensures that each access-list has an explicit deny statement
Rationale:
Configuring an explicit deny entry, with log option, at the end of access control lists enables monitoring and troubleshooting traffic flows that have been denied. Logging these events can provide an effective record to troubleshoot issues and attacks.
NOTE: This check requires manual review. Please review the results to ensure that each access-group entry has a corresponding access-list with an explicit deny entry.
Solution
* Step 1: Acquire the name <access-list_name> of the access-list that is not compliant from the audit procedure
* Step 2: Run the following to configure the explicit deny.
hostname(config)# access-list <access-list_name> extended deny ip any any log
The statement will be placed at the end of the access-list.
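The manual-review step above can be automated against a saved running-config. The following is an added example, not part of the original benchmark item or any Cisco tooling: it parses `access-list ... extended` and `access-group` lines from a constructed sample ASA configuration, reports each bound access-list whose final entry is not a logged `deny ip any any`, and builds the remediation commands. The sample config, access-list names and interface names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ASA running-config (not from the original page).
# OUTSIDE_IN is compliant, DMZ_IN has an unlogged deny, INSIDE_IN has no
# explicit deny at all, and UNUSED is not bound to any interface.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-list DMZ_IN remark mail relay only
access-list DMZ_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 25
access-list DMZ_IN extended deny ip any any
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any
access-list UNUSED extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
access-group INSIDE_IN in interface inside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
# Final catch-all deny; group(1) captures "log" when logging is enabled
# (trailing log options such as "log 6 interval 300" are tolerated).
EXPLICIT_DENY_RE = re.compile(r"^deny\s+ip\s+any\s+any(?:\s+(log)(?:\s+\S+)*)?\s*$")


def parse_config(config: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]]]:
    """Return {acl_name: [ACE text in order]} and [(acl, direction, interface)]."""
    acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:  # remark lines do not match and are skipped on purpose
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return acls, bindings


def audit(config: str) -> List[dict]:
    """One finding per access-group binding, keyed off the bound ACL's last ACE."""
    acls, bindings = parse_config(config)
    findings = []
    for name, direction, iface in bindings:
        entries = acls.get(name, [])
        last = entries[-1] if entries else ""
        m = EXPLICIT_DENY_RE.match(last)
        explicit_deny = m is not None
        logged = explicit_deny and m.group(1) is not None
        findings.append({
            "acl": name,
            "direction": direction,
            "interface": iface,
            "defined": bool(entries),
            "explicit_deny": explicit_deny,
            "logged": logged,
            "compliant": explicit_deny and logged,
        })
    return findings


def remediation_commands(name: str, entries: List[str]) -> List[str]:
    """Config-mode commands that leave the ACL ending in a logged explicit deny.

    An existing unlogged deny must be removed first: a new ACE is appended after
    it and would never be matched, so logging would silently stay off.
    """
    cmds: List[str] = []
    if entries:
        m = EXPLICIT_DENY_RE.match(entries[-1])
        if m and m.group(1) is None:
            cmds.append(f"no access-list {name} extended {entries[-1]}")
        elif m:
            return cmds  # already compliant, nothing to do
    cmds.append(f"access-list {name} extended deny ip any any log")
    return cmds


if __name__ == "__main__":
    acls, _ = parse_config(SAMPLE_CONFIG)
    for f in audit(SAMPLE_CONFIG):
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['acl']} ({f['direction']} {f['interface']})")
        if not f["compliant"]:
            for cmd in remediation_commands(f["acl"], acls.get(f["acl"], [])):
                print(f"      hostname(config)# {cmd}")
```

Only access-lists referenced by an access-group are reported, matching the note above; an unbound list such as UNUSED is ignored. The DMZ_IN case is the one to watch: it already ends in `deny ip any any` without `log`, so simply running the Step 2 command would append a second deny that is shadowed by the first, and the remediation therefore removes the unlogged entry before adding the logged one.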