6.4.2 Zone-Based Firewalls Quiz Answers (2024)

Network Defense Module 6.4.2 Zone-Based Firewalls Quiz Questions Exam Answers

1. Which statement describes a feature of a zone-based policy firewall?

  • It does not depend on ACLs.
  • All traffic through a given interface is subject to the same inspection.
  • It uses a flat, non-hierarchical data structure making it easier to configure and troubleshoot.
  • The router security posture is to allow traffic unless explicitly blocked.

Explanation: A zone-based policy firewall (ZPF) does not require the use of complex ACLs. By default, traffic traveling between zones is blocked unless specifically permitted, and different types of traffic can be inspected differently even on the same interface. ZPF uses C3PL for policy configuration, which is hierarchical and allows for easier configuration and troubleshooting.

2. Which statement describes a zone when implementing ZPF on a Cisco router?

  • Only one zone can be attached to a single interface.
  • A zone establishes a security border of a network.
  • A zone is used to define security policies for a unique interface on the router.
  • A zone is used to implement traffic filtering for either TCP or UDP.

Explanation: The first step in implementing ZPF is determining the zones. Zones establish the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. The policy between zones can be established to restrict multiple protocol sessions such as TCP, UDP, and ICMP. One design consideration is to identify subsets within zones and merge traffic requirements because multiple zones might be indirectly attached to a single interface of a firewall.

3. Designing a ZPF requires several steps. Which step involves defining boundaries where traffic is subjected to policy restrictions as it crosses to another region of the network?

  • design the physical infrastructure
  • determine the zones
  • identify subsets within zones and merge traffic requirements
  • establish policies between zones

Explanation: Designing ZPFs involves several steps:

  • Step 1. Determine the zones – The administrator focuses on the separation of the network into zones. Zones establish the security borders of a network.
  • Step 2. Establish policies between zones – For each pair of “source-destination” zones, define the sessions that clients in the source zones can request from servers in destination zones.
  • Step 3. Design the physical infrastructure – After the zones have been identified, and the traffic requirements between them documented, the administrator must design the physical infrastructure. This includes dictating the number of devices between most-secure and least-secure zones and determining redundant devices.
  • Step 4. Identify subsets within zones and merge traffic requirements – For each firewall device in the design, the administrator must identify zone subsets that are connected to its interfaces and merge the traffic requirements for those zones.

4. Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?

  • By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.
  • By default, traffic is allowed to flow among interfaces that are members of the same zone.
  • An administrator can assign an interface to multiple security zones.
  • An administrator can assign interfaces to zones, regardless of whether the zone has been configured.

Explanation: An interface can belong to only one zone. Creating a zone is the first step in configuring a zone-based policy firewall. A zone cannot be assigned to an interface if the zone has not been created. Traffic can never flow between an interface that is assigned to a zone and an interface that has not been assigned to a zone.

5. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

  • An interface can be assigned to multiple security zones.
  • Pass, inspect, and drop options can only be applied between two zones.
  • If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
  • Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
  • To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
  • Interfaces can be assigned to a zone before the zone is created.

Explanation: Some of the rules that govern interfaces in zones are as follows:

  • Create a policy allowing or inspecting traffic so that traffic can flow between that zone and any other zone.
  • Create zones before assigning to an interface.
  • If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
  • Traffic cannot flow between an interface that has been assigned to a zone and one that has not been assigned to a zone. The actions of pass, inspect, or drop can only be applied between two zones.
  • Interfaces that belong to the same zone allow traffic flow between them by default.

6. In ZPF design, what is described as the self zone?

  • a predefined cluster of servers with configured interfaces
  • the router itself, including all interfaces with assigned IP addresses
  • a predefined cluster of routers with configured interfaces
  • the outward facing interface on the edge router

Explanation: The self zone is the router itself and includes all the IP addresses assigned to the router interfaces.

7. How does ZPF handle traffic between an interface that is a zone member and another interface that does not belong to any zone?

  • pass
  • inspect
  • drop
  • allow

Explanation: The rules for a zone-based policy firewall to handle transit traffic depend on whether or not the ingress and egress interfaces are members of zones. If one interface is a zone member but the other is not, the resulting action is to drop the traffic, regardless of whether a zone-pair exists.

8. Which statement describes a factor to be considered when configuring a zone-based policy firewall?

  • A zone must be configured with the zone security global command before it can be used in the zone-member security command.
  • An interface can belong to multiple zones.
  • The router always filters the traffic between interfaces in the same zone.
  • The classic firewall ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones.

Explanation: An interface cannot belong to multiple zones. A firewall never filters traffic between interfaces that have been configured for the same zone. A zone-based policy firewall coexists with a classic firewall configuration in that interfaces that are not members of a security zone can still have the classic firewall ip inspect command applied and operational.

9. Which statement accurately describes Cisco IOS zone-based policy firewall operation?

  • A router interface can belong to multiple zones.
  • Service policies are applied in interface configuration mode.
  • The pass action works in only one direction.
  • Router management interfaces must be manually assigned to the self zone.

Explanation: The pass action in CCP is similar to the permit parameter in an ACL entry. Pass allows traffic only in one direction.

10. When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)

  • forward
  • log
  • copy
  • drop
  • hold
  • inspect

Explanation: The three actions that can be applied are inspect, drop, and pass. The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allows return traffic that is part of the same flow to pass back through the firewall. The drop action is similar to the deny parameter in an ACL: it drops whatever traffic matches the defined policy. The pass action is similar to a permit ACL statement: traffic is allowed to pass through because it met the criteria of the defined policy statement.

11. In what step of zone-based policy firewall configuration is traffic identified for policy application?

  • creating policy maps
  • configuring class maps
  • defining zones
  • assigning policy maps to zones

Explanation: During the class-map configuration stage, interesting traffic is identified for later policy application.

12. When configuring a class map for a zone-based policy firewall, how are the match criteria applied when using the match-all parameter?

  • Traffic must match at least one of the match criteria statements.
  • Traffic must match all of the criteria solely defined by ACLs.
  • Traffic must match the first criteria in the statement.
  • Traffic must match all of the match criteria specified in the statement.

Explanation: In the identify-traffic step of a ZPF configuration, the class-map type inspect command accepts one of two parameters, match-any and match-all. The match-all parameter dictates that a packet must meet all of the match criteria to be considered a member of the class; match-any requires that it meet at least one.
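The following Cisco IOS configuration is an added example, not part of the quiz or of Cisco's documentation, that ties questions 10 through 12 together: it walks the configuration steps in order (define zones, assign interfaces, identify traffic with class maps, apply inspect/drop/pass in a policy map, and bind the policy to a zone-pair). The interface names, the zone and class names, and the 10.0.0.0/8 inside address range are assumptions chosen for the example; replace them with your own values.

```cisco
! Step 1: define the zones. The "self" zone already exists and needs no definition.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted WAN
!
! Step 2: make interfaces zone members (assumed interface names).
! Until this is done, traffic between a zone member and a non-member interface is dropped.
interface GigabitEthernet0/0
 description Inside LAN (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Outside WAN (assumed)
 zone-member security OUTSIDE
!
! Step 3: identify traffic. The ACL narrows the source; the class map combines criteria.
ip access-list extended INSIDE-SOURCES
 permit ip 10.0.0.0 0.255.255.255 any
!
! match-all: a packet must come from the ACL range AND be HTTP to join this class.
class-map type inspect match-all INSIDE-WEB
 match access-group name INSIDE-SOURCES
 match protocol http
!
! match-any: a packet joins this class if it is ANY ONE of these protocols.
class-map type inspect match-any INSIDE-BASIC-APPS
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4: create the policy map. inspect = stateful, return traffic allowed;
! drop = discard (with log); pass = one-way permit, no state kept.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-WEB
  inspect
 class type inspect INSIDE-BASIC-APPS
  inspect
 class class-default
  drop log
!
! Step 5: bind the policy to a zone-pair. Direction matters: this pair only
! governs sessions initiated from INSIDE toward OUTSIDE. With no OUTSIDE->INSIDE
! zone-pair, unsolicited inbound sessions are dropped by default.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Verification commands:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Two points worth checking on a real device: a zone must exist before an interface can be made a member of it, and an interface can belong to only one zone, so the order above is not optional. The default deny between zones with no zone-pair, and between a zone member and a non-member interface, is what makes ZPF a default-block posture; an explicit pass or inspect action is the only way traffic crosses a zone boundary.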
