Professional Cloud Network Engineer Exam Questions

Professional Cloud Network Engineer Exam - Question 66


You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.

What should you do?

Correct Answer: BD

The denied probes never reach the logs because Firewall Rules Logging cannot be enabled on the implied deny-ingress rule (or the implied allow-egress rule) that every VPC network carries by default. Traffic that does not match your HTTP, HTTPS and SSH allow rules is dropped by that implied rule, and the drop is never written to Cloud Logging. To resolve this, create an explicit deny-all ingress rule at a low priority (a higher number than your allow rules, for example 65534, which still sits above the implied rule at 65535) and enable logging on that new rule; everything the implied rule used to drop now matches the explicit rule and is logged with its source, destination port and protocol. Two caveats a practitioner should keep in mind: Firewall Rules Logging records only TCP and UDP connections, so ICMP or other protocol probes still produce no entries even when the explicit rule denies them, and entries are generated on a best-effort basis within per-machine-type connection logging limits.
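The fix described above, as an added example that is not part of the exam page or Google's documentation: a shell helper that builds the gcloud command for the explicit logged deny rule, builds the matching Logs Explorer filter, and checks a small rule inventory for whether unmatched traffic will be logged at all. The network name `prod-vpc`, the rule name `deny-all-ingress-logged` and the rule inventory are constructed assumptions; the gcloud flags and log field names are the real ones.

```shell
# Added example (not from the exam page): make denied probes visible in VPC
# firewall logs by adding an explicit, logged deny-all ingress rule that sits
# just above the implied deny rule. Network and rule names are assumptions.
set -eu

NETWORK="prod-vpc"                     # assumed VPC network name
DENY_RULE="deny-all-ingress-logged"    # assumed name for the new rule

# Build the gcloud command as a string so it can be reviewed before running.
# Priority 65534 is one step above the implied deny-ingress rule (65535),
# which cannot have logging enabled, so every packet the implied rule would
# have dropped now matches this rule and produces a log entry instead.
build_deny_rule_cmd() {
  printf '%s' "gcloud compute firewall-rules create ${DENY_RULE}" \
    " --network=${NETWORK} --direction=INGRESS --priority=65534" \
    " --action=DENY --rules=all --source-ranges=0.0.0.0/0" \
    " --enable-logging --logging-metadata=include-all"
}

# Logs Explorer filter that isolates the connections denied by that rule.
# Firewall log entries carry jsonPayload.disposition (ALLOWED/DENIED) and
# jsonPayload.rule_details.reference ("network:<net>/firewall:<rule>").
denied_log_filter() {
  printf '%s' "logName:\"compute.googleapis.com%2Ffirewall\"" \
    " jsonPayload.disposition=\"DENIED\"" \
    " jsonPayload.rule_details.reference:\"firewall:${DENY_RULE}\""
}

# Given an inventory of "name action logging priority" lines on stdin, decide
# whether traffic that matches no allow rule will be logged. Only an explicit
# DENY rule with logging enabled does that; the implied deny never logs.
# (Even then, only TCP and UDP connections are recorded.)
unmatched_traffic_is_logged() {
  awk '$2 == "DENY" && $3 == "true" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed inventory matching the question: allow rules only, no logging.
RULES_BEFORE='allow-http ALLOW false 1000
allow-https ALLOW false 1000
allow-ssh ALLOW false 1000'

# Same inventory after adding the explicit, logged deny rule.
RULES_AFTER="${RULES_BEFORE}
${DENY_RULE} DENY true 65534"

# Stand-alone demonstration: show the command, the filter, and the verdicts.
echo "Create the rule with:"
build_deny_rule_cmd; echo
echo "Then query denied connections with:"
denied_log_filter; echo
printf '%s\n' "$RULES_BEFORE" | unmatched_traffic_is_logged \
  && echo "before fix: unmatched traffic logged" \
  || echo "before fix: unmatched traffic NOT logged (implied deny has no logging)"
printf '%s\n' "$RULES_AFTER" | unmatched_traffic_is_logged \
  && echo "after fix:  unmatched traffic logged" \
  || echo "after fix:  unmatched traffic NOT logged"
```

The inventory check deliberately ignores priority ordering: it only answers whether any logged deny rule exists, because that is the single condition the question turns on. In a real audit you would feed it the output of `gcloud compute firewall-rules list --format` restricted to the network in question and still expect no entries for ICMP probes, which Firewall Rules Logging does not record.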

Discussion

10 comments
ESP_SAP (Option: D)
Nov 3, 2020

Correct Answer is (D): Firewall Rules Logging has the following specifications:
- You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported.
- Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections.
- You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules.
- Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM.
- Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type.
- Changes to firewall rules can be viewed in VPC audit logs.
https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

lukedj87
Nov 11, 2020

Agree!

AzureDP900
Nov 28, 2022

Yes. D. Create an explicit Deny Any rule and enable logging on the new rule.

[Removed] (Option: D)
Nov 20, 2020

Ans - D

Vidyasagar (Option: D)
Mar 24, 2021

D is correct

kumarp6 (Option: D)
Jan 3, 2022

Answer is D

kumarp6 (Option: D)
Jan 4, 2022

Answer is: D

small1_small2 (Option: D)
Aug 22, 2022

Correct Answer is (D): Explicit deny rule is required to see the logs https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

pk349 (Option: D)
Jan 14, 2023

• D. Create an explicit ******* Deny Any rule and enable logging on the new rule.

Gurminderjit (Option: D)
Dec 11, 2023

D is the answer

dragos_dragos62000 (Option: D)
Jan 15, 2024

Answer D

nkastanas (Option: D)
Jul 11, 2024

It is D