Hello!
Q1: For the control of user access rights (including Telnet, STelnet, FTP, SFTP, HTTP, SNMP), outer Policy, Filter Policy, igmp-snooping ssm-policy, the default ACL action is denied.
For the other service modules, the default ACL action is permit.
Q2: Correct.
Q3: Because these ACL rules are matched in the chip engine, the statistics with the command 'display acl' is 0. When we want to know the statistics, we can configure a traffic policy to run the statistics and then use the command 'display acl hardware statistics' to get this matched statistics value.
Glad to help you! Any further questions, let us know.