Module 6 Creating and Managing Security Policy Rules

Question 1

What are the predefined security policy rules

Answer 1

Intrazone traffic and interzone traffic

Question 2

What is the diff between interzone and intrazone traffic.

Answer 2

No traffic by default allowed between zones (interzone), but traffic allow to move freely within a zone (intrazone)

Question 3

If you want to modify an existing predefine rule, what do you need to select and click?

Answer 3

Override button.

Question 4

What are the three policy rule types?

Answer 4

Universal, intrazone, and interzone (traffic goes freely between zones, but not within its own zone**).

Question 5

By default, is traffic allowed between zones?

Answer 5

By default, firewall IMPLICITLY allows intrazone (traffic within a zone), but not between zones (interzone).

Question 6

By default, do predefined security policy rules log traffic?

Answer 6

No, they do not.

Question 7

What happens if you place an explicit deny all rule in front of the two predefined implicit rules?

Answer 7

It will deny intrazone traffic! This is no good

Question 8

Are rules evaluated top to bottom?

Answer 8

Yes they are, once it finds a match, further rules are not evaluated.

Question 9

Are policy rules unidirectional?

Answer 9

Yes, it goes one way. Policy rules allow traffic that is initiated in the direction that the security policy rules specifies: source zone to destination zone. It also allows the replies back.

Question 10

What is rule shadowing?

Answer 10

Traffic can match multiple rules, this sheds light on this fact.

Question 11

What is the rule changes archive?

Answer 11

To meet regulatory compliance, you can track all audit comments in the audit comment archive under General Tab when constructing a policy rule.

Question 12

BLDG a policy rule - under Source Tab, there are 5 categories for source user.

Answer 12

Any, pre-logon, known-user, unknown, select

Question 13

What is a known user?

Answer 13

All authenticated users, any IP address with a username mapped by User-ID

Question 14

What is an unknown user?

Answer 14

All unauthenticated users, IP addresses not mapped to a user by User-ID.

Question 15

What is a pre-logon?

Answer 15

Remote users connected to network using GlobalProtect, but are not logged into their system.

Question 16

What is any?>

Answer 16

Any type of use

Question 17

What is select?

Answer 17

Select users or groups that have been added using the Add link.

Question 18

What is the default for the destination and source Zone?

Answer 18

Any

Question 19

Can the commit function determine if there are app dependencies?

Answer 19

Yes it can, unresolved dependencies are reported.

Question 20

Action tab is second to last tab - so, there are 6 action tabs, what are they?

Answer 20

Allow, deny, drop, reset client, reset server, reset both client and server

Question 21

What is the allow tab?

Answer 21

Default

Question 22

What is the deny tab?

Answer 22

Blocks traffic

Question 23

What is the drop tab?

Answer 23

Silently drops the traffic. TCP reset not sent to client or server.

Question 24

What is the reset both client and server?

Answer 24

Sends TCP reset to both client and server.

Question 25

What is the reset server tab?

Answer 25

Sends TCP reset to the server.

Question 26

What is the reset client tab?

Answer 26

Sends TCP reset to the client?

Question 27

What is an add object?

Answer 27

Name-value pair that can represent a single IP address, a range of IP addresses, an IP subnet or the FQDN.

Question 28

If you create a static Address Group, will that require a commit?

Answer 28

Yes

Question 29

What is a dynamic address group?

Answer 29

Tagged IP addresses automatically added to group. NO COMMIT necessary. TAG the group, firewall auto-tagging or external software.