Cisco - Zone Policy Actions (pass, inspect, drop, log) - What is the difference?
Take these commands, for instance:

    policy-map type inspect IN-OUT_PlcyMAP
     class type inspect IN-OUT_ClassMAP
      inspect              <------

    policy-map type inspect IN-OUT_PlcyMAP
     class type inspect IN-OUT_ClassMAP
      pass                 <------

    zone security INSIDE
    zone security OUTSIDE
    zone-pair security IN->OUT source INSIDE destination OUTSIDE
     service-policy type inspect IN-OUT_PlcyMAP
What is the difference between "inspect", "pass", "drop", "log", and "reset"?
I could not find any information on this on Google.
Solution 1:
Does "inspect" mean this policy inspects as well? That is my doubt.
• Inspect: When the action is set to Inspect, the Enterprise Firewall with Application Aware policy tracks the state of the flows and creates sessions. Since it maintains the state of the flows, the return traffic is allowed and there is no need to configure a separate policy for return traffic.
• Pass: This action allows the router to forward the traffic from one zone to another zone. The pass action does not track the state of the flows, that is, the Firewall does not create sessions when the action is set to Pass. The pass action allows the traffic flow in only one direction.
• Drop: When the action is set to Drop and packets match the configured match parameters, those packets are dropped.
Solution 2:
• pass - allow traffic to pass through
• inspect - filter traffic based on policy rules you provide (e.g. no HTTP to piratesrus.com)
• drop - block all traffic that matches from passing through
• log - make a note that this traffic was detected in the local system log (helpful for debugging)
• reset - block this traffic and send a TCP RST packet to the remote end (should terminate the TCP stream)
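The following zone-based firewall configuration is an added example illustrating the points made in both answers above; it is not taken from the question or from Cisco documentation. All names (CM-WEB, CM-ESP, PM-IN-OUT, PM-OUT-IN, ACL-ESP, the interface numbers) are assumptions chosen for the example. It shows "inspect" on a stateful class where the return traffic rides on the session, "pass" on ESP traffic that cannot be inspected and therefore needs a matching "pass" on the reverse zone-pair, and "drop log" on class-default so that anything unmatched is blocked and recorded:

```cisco
! Constructed example, not the questioner's configuration.
! Zones and interface membership (interface names are assumed).
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

! Traffic classes.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
 match protocol dns
ip access-list extended ACL-ESP
 permit esp any any
class-map type inspect match-all CM-ESP
 match access-group name ACL-ESP

! Inside -> outside policy.
policy-map type inspect PM-IN-OUT
 class type inspect CM-WEB
  inspect          ! stateful: replies are allowed via the session, no reverse rule needed
 class type inspect CM-ESP
  pass             ! stateless, one direction only: no session is created
 class class-default
  drop log         ! everything else is blocked and written to the syslog

! Outside -> inside policy: only the stateless ESP pass must be mirrored here;
! the inspected web/DNS replies are already handled by the IN-OUT sessions.
policy-map type inspect PM-OUT-IN
 class type inspect CM-ESP
  pass
 class class-default
  drop log

zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

To confirm the behaviour described in the first answer, `show policy-map type inspect zone-pair IN-OUT sessions` lists the sessions created for the inspected class; the ESP flows matched by the pass action never appear there, which is exactly why the reverse zone-pair needs its own pass entry. Unmatched traffic hitting `drop log` shows up in the router's syslog, which is the "log" behaviour the second answer refers to.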