Module 16 - Zone-based policy firewalls

Question 1

Which firewall model applies policy directly to interfaces using traditional configuration?

Answer 1

A classic firewall

Question 2

Which firewall model assigns interfaces to security zones and applies policies between zones?

Answer 2

ZPF (Zone based policy firewall)

Question 3

What is the first step in designing a ZPF?

Answer 3

Determine the zones

Question 4

What is the third step in ZPF design?

Answer 4

Design physical infrastructure

Question 4

Can Classic Firewall and ZPF be enabled simultaneously on the same router?

Answer 4

Yes but on different interfaces

Question 4

Which benefit of ZPF supports scalability and easier troubleshooting?

Answer 4

Use of C3PL (Cisco Common Classification Policy Language)

Question 5

What defines a boundary where traffic is restricted based on policies in ZPF?

Answer 5

A zone

Question 5

What is the default security posture of a ZPF?

Answer 5

Block unless explicitly permitted

Question 6

What is the second step in the ZPF design process?

Answer 6

Establish policies between zones

Question 6

In ZPF, how are policies applied between zones?

Answer 6

Unidirectional (From source zone to destination zone)

Question 7

What is the fourth step in ZPF design?

Answer 7

Identify subsets within zones and merge traffic requirements

Question 7

In ZPF, what term describes defined policies from one zone to another?

Answer 7

Zone pairs

Question 8

Which ZPF action uses Cisco IOS stateful packet inspection?

Answer 8

Inspect

Question 9

Which ZPF action drops traffic and offers an option to log rejected packets?

Answer 9

Drop

Question 9

Which ZPF action allows traffic without tracking session state?

Answer 9

Pass

Question 9

What is required for ZPF to perform actions like inspect or drop between zones?

Answer 9

A zone pair with a defined policy

Question 10

What happens when traffic enters and exits interfaces that are not zone members?

Answer 10

It is passed (no zone= no policy)

Question 11

What is the result when traffic flows between interfaces in the same zone?

Answer 11

It is passed

Question 12

What happens when traffic moves between a zone member interface and a non-zone member interface?

Answer 12

It is dropped

Question 12

What happens if both interfaces are in different zones but no zone pair exists?

Answer 12

It is dropped

Question 13

What is the default action when a zone pair exists but no policy is configured?

Answer 13

It is passed

Question 13

What must exist for the ZPF to inspect traffic between zones?

Answer 13

A zone pair and an inspect policy

Question 13

What action occurs when a zone pair and an inspect policy exist?

Answer 13

It is inspected

Question 14

What is enforced when one interface is a zone member and the other is not?

Answer 14

Traffic is dropped

Question 14

What does ZPF do by default if no zones are applied to interfaces?

Answer 14

Passes traffic

Question 14

What is the result when a private-to-public zone pair exists but no policy is defined?

Answer 14

Traffic is passed

Question 15

What happens when traffic flows from a private to a public zone without a zone pair?

Answer 15

Traffic is dropped

Question 16

Which special ZPF zone includes all IP addresses assigned to router interfaces?

Answer 16

Self zone

Question 16

What is the default action for traffic when the router is the source or destination and no zone-pair exists?

Answer 16

Pass

Question 16

What kind of traffic is considered part of the self zone?

Answer 16

Traffic originating from the router or is addressed to the router itself

Question 17

What happens to traffic from the self zone to another zone when a zone-pair exists but no policy is configured?

Answer 17

Traffic is passed

Question 17

When is traffic to or from the self zone subject to a policy inspection?

Answer 17

If there is a zone pair and a policy

Question 18

What is the result when traffic flows from the self zone to another zone and a policy exists?

Answer 18

Traffic is inspected

Question 19

In the absence of any policy or zone-pair, how is traffic between the router and any other zone handled?

Answer 19

It is passed

Question 20

What happens to traffic sent from another zone to the self zone when no zone-pair exists?

Answer 20

It is passed

Question 21

What is my personal rule concerning dropping and passing data in ZPF transit traffic?

Answer 21

For traffic in transit, source and destination need to both not be part of a zone, or both part of a zone with a zone pair for data to be permitted. The rest is denied

Question 22

What command is used to create a security zone in ZPF?

Answer 22

zone security (zone name)

Question 23

What ZPF configuration component identifies traffic based on match criteria for later policy assignment?

Answer 23

A class map