By default, the firewall denies traffic between data
center zones (interzone traffic) that matches no Security policy
allow rule. Log and examine this traffic to identify attempted attacks
and traffic you may want to allow.

Traffic that doesn’t match any of the Security
policy rules you configure matches the predefined interzone-default
rule at the bottom of the rulebase and is denied. To gain visibility
into traffic that doesn’t match a rule you explicitly configured,
enable logging on the interzone-default rule. Logging this traffic
gives you the opportunity to examine access attempts that you have
not explicitly allowed, which may identify attack attempts or traffic
for which you want to modify an allow rule.
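
One way to examine the logged traffic, as an added example that is not from the original page: the script triages log rows that matched interzone-default, separating a source that fans out to many targets from one that repeatedly hits a single service. The CSV column names, thresholds, addresses, zone names and the allow-web-to-db rule are constructed assumptions, not the firewall's export schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log export. Column names are assumptions for this
# example, not the firewall's actual export schema.
SAMPLE_LOG = """src,dst,from_zone,to_zone,app,dport,rule,action
10.10.1.21,10.20.5.8,web-tier,db-tier,mysql,3306,interzone-default,deny
10.10.1.21,10.20.5.8,web-tier,db-tier,mysql,3306,interzone-default,deny
10.10.1.21,10.20.5.8,web-tier,db-tier,mysql,3306,interzone-default,deny
10.10.1.77,10.20.5.8,web-tier,db-tier,incomplete,22,interzone-default,deny
10.10.1.77,10.20.5.9,web-tier,db-tier,incomplete,445,interzone-default,deny
10.10.1.77,10.20.5.10,web-tier,db-tier,incomplete,3389,interzone-default,deny
10.10.1.77,10.20.5.11,web-tier,db-tier,incomplete,1433,interzone-default,deny
10.10.1.30,10.20.5.8,web-tier,db-tier,mysql,3306,allow-web-to-db,allow
"""

def triage_default_denies(csv_text, rule="interzone-default", fanout=4, repeat=3):
    """Classify each source whose traffic fell through to the default rule."""
    flows = defaultdict(Counter)  # src -> Counter of (zones, dst, app, dport)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"] != rule:
            continue  # matched an explicitly configured rule, out of scope
        key = (row["from_zone"], row["to_zone"], row["dst"], row["app"], row["dport"])
        flows[row["src"]][key] += 1

    findings = {}
    for src, counter in flows.items():
        targets = {(k[2], k[4]) for k in counter}  # distinct (dst, dport) pairs
        top_flow, hits = counter.most_common(1)[0]
        if len(targets) >= fanout:
            verdict = "investigate"        # one source, many hosts/ports denied
        elif len(targets) == 1 and hits >= repeat:
            verdict = "review-allow-rule"  # steady retries to a single service
        else:
            verdict = "monitor"
        findings[src] = {"verdict": verdict, "targets": len(targets),
                         "top_flow": top_flow, "hits": hits}
    return findings

if __name__ == "__main__":
    for src, f in sorted(triage_default_denies(SAMPLE_LOG).items()):
        print(src, f["verdict"], f["targets"], f["top_flow"], f["hits"])
```

The fanout and repeat thresholds are illustrative starting points; tune them against the volume of your own interzone-default log entries.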