A Quote form above document.
"Configuring Zone-Based Policy Firewall Policy-Maps
The policy-map applies firewall policy actions to one or more class-maps to define the service-policy that will be applied to a security zone-pair. When an inspect-type policy-map is created, a default class named class class-default is applied at the end of the class. The class class-default’s default policy action is drop, but can be changed to pass.
The log option can be added with the drop action. Inspect cannot be applied on class class-default."
Router(config)#policy-map type inspect InsideToOutside
Router(config-pmap)#class class-default ?
Policy-map class configuration commands:
drop Drop the packet
exit Exit from class action configuration mode
inspect Context-based Access Control Engine
no Negate or set default values of a command
pass Pass the packet
service-policy Deep Packet Inspection Engine
urlfilter URL Filtering Engine
%No specific protocol configured in class class-default for inspection. All protocols will be inspected
Router(config-pmap-c)#do show run | s i policy-map
policy-map type inspect InsideToOutside
Maybe someone can explain.
The class-default class map is system defined. It represents all packets that do not match any of the user defined. We can define explicit actions for this class. And if we DON'T configure any actions, the default one is drop.
Actions that can be done within the class-default have been changing since the first release of the Zone-Based Policy Firewall feature, so, maybe you are looking some obsolete or older version document.
If you need to implement some feature and it does not work as expected, look for the documentation on the same version than the IOS you're actually running.