350-401 · Question #50
350-401 Question #50: Real Exam Question with Answer & Explanation
The correct answer is D: Inline. NGFW Deployment Modes Explained Inline mode (D) is correct because the firewall is physically inserted into the network path, meaning all traffic must pass through the device. This allows it to actively inspect, allow, or block flows in real time - making it the only mode capable
Question
Which NGFW mode blocks flows crossing the firewall?
Options
- APassive
- BTap
- CInline tap
- DInline
Explanation
NGFW Deployment Modes Explained
Inline mode (D) is correct because the firewall is physically inserted into the network path, meaning all traffic must pass through the device. This allows it to actively inspect, allow, or block flows in real time - making it the only mode capable of enforcing security policy by dropping malicious traffic.
Why the distractors are wrong:
- Passive (A) - receives a copy of traffic out-of-band and can only analyze it; it cannot block anything since it's not in the traffic path
- Tap (B) - similar to passive; uses a network TAP to mirror traffic for monitoring purposes only, with no ability to interfere with flows
- Inline Tap (C) - a hybrid mode where the NGFW sits inline but forwards traffic without blocking, functioning like a monitor while staying in the path; it inspects but does not enforce blocking
💡 Memory Tip: Think of Inline = In the way. If the firewall is literally "in the line" of traffic, it controls what passes through - just like a bouncer standing in the doorway rather than watching from across the room.
Topics
Community Discussion
No community discussion yet for this question.