Difficulty: Hard

Average Score: 0%

While troubleshooting a firewall configuration a technician determines that a “deny any” policy should be added to the bottom of the ACL. The technician updates the policy but the new policy causes several company servers to become unreachable.

Which of the following actions would prevent this issue?

Rationale

Testing the policy in a non-production environment before deploying it to production would prevent this issue.

A “deny any” rule blocks all traffic that is not explicitly permitted by earlier access control list (ACL) entries. If incorrectly configured, it can unintentionally block legitimate network traffic and make critical systems unreachable. Testing firewall changes in a non-production or staging environment allows technicians to identify and correct problems before the changes affect live systems and users.

A (Documenting the new policy in a change request and submitting the request to change management) YOUR ANSWER

Change management documentation is an important administrative and auditing practice, but it does not by itself prevent configuration errors or service outages. The issue occurred because the rule was implemented without adequate validation.

B (Testing the policy in a non-production environment before enabling the policy in the production network) CORRECT

Testing the ACL in a non-production environment allows administrators to verify that legitimate traffic is still permitted while unauthorized traffic is blocked. This helps identify unintended consequences before deployment and reduces the risk of downtime or loss of connectivity in the production environment.

C (Disabling any intrusion prevention signatures on the “deny any” policy prior to enabling the new policy) YOUR ANSWER

Intrusion prevention signatures are unrelated to the core issue. The outage was caused by ACL behavior, not by intrusion prevention functionality. Disabling security signatures would not prevent legitimate traffic from being blocked.

D (Including an “allow any” policy above the “deny any” policy) YOUR ANSWER

Placing an “allow any” rule above a “deny any” rule would effectively permit all traffic and make the deny rule useless. This would significantly weaken network security and is not considered a best practice.

Conclusion

Firewall and ACL changes should always be tested in a controlled, non-production environment before deployment. Proper testing helps ensure that security policies function as intended without disrupting legitimate network services or causing unexpected outages.

Related Questions

View all