diff --git a/conf/globalConfig/securityGroupManager.xml b/conf/globalConfig/securityGroupManager.xml
index 254e6951ad1..3fcd062d08a 100755
--- a/conf/globalConfig/securityGroupManager.xml
+++ b/conf/globalConfig/securityGroupManager.xml
@@ -28,7 +28,7 @@
     <config>
         <name>ingress.defaultPolicy</name>
         <description>Default policy for ingress traffic when security group is empty</description>
-        <defaultValue>deny</defaultValue>
+        <defaultValue>drop</defaultValue>
         <category>securityGroup</category>
     </config>
 
diff --git a/plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupGlobalConfig.java b/plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupGlobalConfig.java
index 6da13c5582b..59d94aae00b 100755
--- a/plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupGlobalConfig.java
+++ b/plugin/securityGroup/src/main/java/org/zstack/network/securitygroup/SecurityGroupGlobalConfig.java
@@ -16,7 +16,7 @@ public class SecurityGroupGlobalConfig {
     public static GlobalConfig FAILURE_HOST_EACH_TIME_TO_TAKE = new GlobalConfig(CATEGORY, "host.failureResolvePerTime");
     @GlobalConfigValidation(numberGreaterThan = -1)
     public static GlobalConfig DELAY_REFRESH_INTERVAL = new GlobalConfig(CATEGORY, "refresh.delayInterval");
-    @GlobalConfigValidation(validValues = {"accept", "deny"})
+    @GlobalConfigValidation(validValues = {"accept", "deny", "drop"})
     public static GlobalConfig INGRESS_RULE_DEFAULT_POLICY = new GlobalConfig(CATEGORY, "ingress.defaultPolicy");
     @GlobalConfigValidation(validValues = {"accept", "deny"})
     public static GlobalConfig EGRESS_RULE_DEFAULT_POLICY = new GlobalConfig(CATEGORY, "egress.defaultPolicy");