diff --git a/acl/acl.go b/acl/acl.go
index 49dc569b9..a8ad0de96 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -60,9 +60,9 @@ type ACL interface {
 // EventWrite determines if a specific event may be fired.
 EventWrite(string) bool
- // IntentionDefault determines the default authorized behavior
+ // IntentionDefaultAllow determines the default authorized behavior
 // when no intentions match a Connect request.
- IntentionDefault() bool
+ IntentionDefaultAllow() bool
 // IntentionRead determines if a specific intention can be read.
 IntentionRead(string) bool
@@ -165,7 +165,7 @@ func (s *StaticACL) EventWrite(string) bool {
 return s.defaultAllow
 }
-func (s *StaticACL) IntentionDefault() bool {
+func (s *StaticACL) IntentionDefaultAllow() bool {
 return s.defaultAllow
 }
@@ -501,11 +501,11 @@ func (p *PolicyACL) EventWrite(name string) bool {
 return p.parent.EventWrite(name)
 }
-// IntentionDefault returns whether the default behavior when there are
+// IntentionDefaultAllow returns whether the default behavior when there are
 // no matching intentions is to allow or deny.
-func (p *PolicyACL) IntentionDefault() bool {
+func (p *PolicyACL) IntentionDefaultAllow() bool {
 // We always go up, this can't be determined by a policy.
- return p.parent.IntentionDefault()
+ return p.parent.IntentionDefaultAllow()
 }
 // IntentionRead checks if writing (creating, updating, or deleting) of an
diff --git a/acl/acl_test.go b/acl/acl_test.go
index 263af0656..faf6f092f 100644
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -53,7 +53,7 @@ func TestStaticACL(t *testing.T) {
 if !all.EventWrite("foobar") {
 t.Fatalf("should allow")
 }
- if !all.IntentionDefault() {
+ if !all.IntentionDefaultAllow() {
 t.Fatalf("should allow")
 }
 if !all.IntentionWrite("foobar") {
@@ -129,7 +129,7 @@ func TestStaticACL(t *testing.T) {
 if none.EventWrite("") {
 t.Fatalf("should not allow")
 }
- if none.IntentionDefault() {
+ if none.IntentionDefaultAllow() {
 t.Fatalf("should not allow")
 }
 if none.IntentionWrite("foo") {
@@ -199,7 +199,7 @@ func TestStaticACL(t *testing.T) {
 if !manage.EventWrite("foobar") {
 t.Fatalf("should allow")
 }
- if !manage.IntentionDefault() {
+ if !manage.IntentionDefaultAllow() {
 t.Fatalf("should allow")
 }
 if !manage.IntentionWrite("foobar") {
@@ -465,7 +465,7 @@ func TestPolicyACL(t *testing.T) {
 }
 // Check default intentions bubble up
- if !acl.IntentionDefault() {
+ if !acl.IntentionDefaultAllow() {
 t.Fatal("should allow")
 }
 }
@@ -623,7 +623,7 @@ func TestPolicyACL_Parent(t *testing.T) {
 }
 // Check default intentions
- if acl.IntentionDefault() {
+ if acl.IntentionDefaultAllow() {
 t.Fatal("should not allow")
 }
 }
diff --git a/agent/agent_endpoint.go b/agent/agent_endpoint.go
index 5a9218c37..20cb047b2 100644
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@@ -984,7 +984,7 @@ func (s *HTTPServer) AgentConnectAuthorize(resp http.ResponseWriter, req *http.R
 authz := true
 reason := "ACLs disabled, access is allowed by default"
 if rule != nil {
- authz = rule.IntentionDefault()
+ authz = rule.IntentionDefaultAllow()
 reason = "Default behavior configured by ACLs"
 }