Exam PCNSA
Question 232

Given the network diagram, traffic must be permitted for SSH and MYSQL from the DMZ to the SERVER zones, crossing two firewalls. In addition, traffic should be permitted from the SERVER zone to the DMZ on SSH only.

Which rule group enables the required traffic?

A.

B.

C.

D.

    Correct Answer:

    To enable the required traffic between the DMZ and SERVER zones as described, the rule group must permit SSH and MySQL from the DMZ to the SERVER zone, and SSH from the SERVER zone to the DMZ. Of the provided options, Option C specifies these rules accurately: it permits SSH and MySQL from DMZ to SERVER and SSH from SERVER to DMZ, with the traffic traversing the interlink zone between the two firewalls. Because each firewall matches a rule on the zones of its own ingress and egress interfaces, the rules on each firewall name the interlink zone as the far side of the flow. Therefore, Option C is the correct rule group to enable the required traffic.
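The following is an added worked model of the zone matching that the answer above relies on; it is not part of the original question, the answer text, or any Palo Alto tooling. The interface names, zone names, networks and rule names are constructed assumptions. What it models is the PAN-OS behaviour that a security rule matches on the zone of the ingress interface and the zone of the egress interface chosen by a route lookup, that the first matching rule wins, and that unmatched interzone traffic is denied. With that, the new-session direction of each required flow is checked against both firewalls in turn.

```python
"""Zone-pair policy evaluation for a flow that crosses two firewalls.

Added worked example, not from the original question or any Palo Alto
tooling.  Interface names, zone names, networks and rule names are
constructed assumptions.  Modelled behaviour: a rule matches on the zone of
the ingress interface and the zone of the egress interface (route lookup),
first match wins, and unmatched interzone traffic is denied.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset
    action: str = "allow"


@dataclass
class Firewall:
    name: str
    iface_zone: dict                      # interface name -> zone name
    routes: list                          # (prefix, egress interface)
    rules: list = field(default_factory=list)

    def egress_iface(self, dst_ip: str) -> str:
        """Longest-prefix route lookup; the egress interface sets the dst zone."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return best[1]

    def evaluate(self, ingress_iface: str, dst_ip: str, app: str):
        """Return (action, rule name, (src zone, dst zone)) for a new session."""
        src_zone = self.iface_zone[ingress_iface]
        dst_zone = self.iface_zone[self.egress_iface(dst_ip)]
        for r in self.rules:
            if r.src_zone == src_zone and r.dst_zone == dst_zone and app in r.apps:
                return r.action, r.name, (src_zone, dst_zone)
        # Nothing matched: the implicit interzone-default rule denies.
        return "deny", "interzone-default", (src_zone, dst_zone)


# Constructed topology: FW-A fronts the DMZ, FW-B fronts the servers, and the
# link between them is its own zone on each box.  No interface on FW-A is in
# SERVER and no interface on FW-B is in DMZ, so those zone names cannot be
# matched on the other firewall.
DMZ_NET, LINK_NET, SERVER_NET = "10.1.0.0/24", "192.0.2.0/30", "10.2.0.0/24"

fw_a = Firewall(
    "FW-A",
    {"ethernet1/1": "DMZ", "ethernet1/2": "INTERLINK"},
    [(DMZ_NET, "ethernet1/1"), (LINK_NET, "ethernet1/2"), ("0.0.0.0/0", "ethernet1/2")],
    [
        Rule("dmz-to-servers", "DMZ", "INTERLINK", frozenset({"ssh", "mysql"})),
        Rule("servers-to-dmz", "INTERLINK", "DMZ", frozenset({"ssh"})),
    ],
)
fw_b = Firewall(
    "FW-B",
    {"ethernet1/1": "INTERLINK", "ethernet1/2": "SERVER"},
    [(SERVER_NET, "ethernet1/2"), (LINK_NET, "ethernet1/1"), ("0.0.0.0/0", "ethernet1/1")],
    [
        Rule("dmz-to-servers", "INTERLINK", "SERVER", frozenset({"ssh", "mysql"})),
        Rule("servers-to-dmz", "SERVER", "INTERLINK", frozenset({"ssh"})),
    ],
)

# Hop lists: (firewall, ingress interface) in the order the first packet of a
# new session hits them.  Return packets ride the session state and need no rule.
DMZ_TO_SERVER = [(fw_a, "ethernet1/1"), (fw_b, "ethernet1/1")]
SERVER_TO_DMZ = [(fw_b, "ethernet1/2"), (fw_a, "ethernet1/2")]


def check_path(hops, dst_ip: str, app: str) -> bool:
    """True only if every firewall on the path allows the new session."""
    verdicts = [fw.evaluate(iface, dst_ip, app) for fw, iface in hops]
    return all(v[0] == "allow" for v in verdicts)


def zone_pair_seen(fw: Firewall, ingress_iface: str, dst_ip: str):
    """The (src, dst) zone pair a rule on this firewall would have to name."""
    return fw.evaluate(ingress_iface, dst_ip, "any")[2]


if __name__ == "__main__":
    for hops, dst, app in [(DMZ_TO_SERVER, "10.2.0.10", "ssh"),
                           (DMZ_TO_SERVER, "10.2.0.10", "mysql"),
                           (SERVER_TO_DMZ, "10.1.0.10", "ssh"),
                           (SERVER_TO_DMZ, "10.1.0.10", "mysql")]:
        print(f"{app:5} {'allowed' if check_path(hops, dst, app) else 'denied'}")
    print("FW-A sees", zone_pair_seen(fw_a, "ethernet1/1", "10.2.0.10"))
```

Running it shows SSH and MySQL allowed from DMZ to SERVER, SSH allowed from SERVER to DMZ, and MySQL from SERVER to DMZ denied by the interzone default. `zone_pair_seen` prints the pair each firewall actually evaluates; a rule on FW-A written with SERVER as its destination zone would never match in this topology because FW-A has no interface in that zone.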

Discussion
kvothe86

I can't see the image properly

homersimpson

Graphics are way low res.

khaled_ellaboudy

C is correct, as the packet keeps the same source and destination addresses intact, so the rules should be configured accordingly.

nolox

Correct

mariooiram87

Answer is A. It can't be B because the rules in that answer do not permit traffic to/from the interlink zone; it is a zone, so remember that would be interzone traffic and you need a rule to permit that. The people that say the server zone is defined on the FWs so the answer is B and bla bla bla are not even looking at the diagram...

itkare

B is correct. Option C does not have the rule to allow Server > DMZ zone traffic on SSH.

Aredus

Answer is C, as the firewalls are separated by the interlink zone. Firewall A would not have the Server zone and Firewall B would not have the DMZ zone, as they are not connected to the respective firewalls. Therefore C is correct.

pcnsa_exam_taker

I see nothing on the image

McMarius11

needs more jpeg

DatITGuyTho1337

B is the correct answer. It is the rule that allows the required traffic between both zones. And yeah, you have to zoom in real close on the image as it is very poor quality!!!

drogadotcom

I think that B is not correct, since FWB might not have the Server zone defined. And since "an interface can belong to only one zone" (PCNSA Study Guide, zone section), that means the only zone associated with the interlink interface is the Interlink one (and it cannot be DMZ/Server). That is why I would say C.

nolox

Exactly

TheLorenz

The server zone is defined on FW B, and it shows it in the policies. All "an interface can only belong to one zone" means is that you cannot have two zones on the same exact interface, but that doesn't have anything to do with this question, as the server zone is already configured on Firewall B and is visible within the policies. This aspect does not pertain to the question at hand. Further, there's no reason to establish policies for the interlink zone. The firewall will inspect the traffic and permit it, provided there's an allow policy. This process is automatic, without needing specific policies for the interlink zone.