Module 6 Creating and Managing Security Policy Rules Flashcards
What are the predefined security policy rules
Intrazone traffic and interzone traffic
What is the difference between interzone and intrazone traffic?
No traffic is allowed by default between zones (interzone), but traffic is allowed to move freely within a zone (intrazone).
If you want to modify an existing predefined rule, what do you need to select and click?
Override button.
What are the three policy rule types?
Universal, intrazone, and interzone (traffic goes freely between zones, but not within its own zone).
By default, is traffic allowed between zones?
By default, the firewall IMPLICITLY allows intrazone traffic (traffic within a zone), but not traffic between zones (interzone).
By default, do predefined security policy rules log traffic?
No, they do not.
What happens if you place an explicit deny all rule in front of the two predefined implicit rules?
It will deny intrazone traffic! This is no good.
Are rules evaluated top to bottom?
Yes, they are; once a match is found, further rules are not evaluated.
Are policy rules unidirectional?
Yes, they go one way. Policy rules allow traffic that is initiated in the direction the security policy rule specifies: source zone to destination zone. The rule also allows the replies back.
What is rule shadowing?
Traffic can match multiple rules; rule shadowing sheds light on this fact.
What is the rule changes archive?
To meet regulatory compliance, you can track all audit comments in the audit comment archive under the General tab when constructing a policy rule.
Building a policy rule: under the Source tab, there are 5 categories for source user. What are they?
Any, pre-logon, known-user, unknown, select
What is a known user?
All authenticated users: any IP address with a username mapped by User-ID.
What is an unknown user?
All unauthenticated users: IP addresses not mapped to a user by User-ID.
What is a pre-logon?
Remote users connected to the network using GlobalProtect, but not logged into their system.
What is any?
Any type of user.
What is select?
Select users or groups that have been added using the Add link.
What is the default for the destination and source zone?
Any
Can the commit function determine if there are app dependencies?
Yes, it can; unresolved dependencies are reported.
The Action tab is the second-to-last tab, and it has 6 action tabs. What are they?
Allow, deny, drop, reset client, reset server, reset both client and server.
What is the allow tab?
Default
What is the deny tab?
Blocks traffic
What is the drop tab?
Silently drops the traffic. No TCP reset is sent to the client or server.
What is the reset both client and server?
Sends TCP reset to both client and server.
What is the reset server tab?
Sends TCP reset to the server.
What is the reset client tab?
Sends a TCP reset to the client.
What is an address object?
A name-value pair that can represent a single IP address, a range of IP addresses, an IP subnet, or an FQDN.
If you create a static Address Group, will that require a commit?
Yes
What is a dynamic address group?
Tagged IP addresses are automatically added to the group; NO COMMIT necessary. Tagging can be done on the group, by firewall auto-tagging, or by external software.