PROFESSIONAL-CLOUD-NETWORK-ENGINEER Question #206: Real Exam Question with Answer & Explanation
The correct answer is D: Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the
Question
You are configuring the intrusion prevention service (IPS) feature on Cloud Next Generation Firewall Enterprise. You deployed your firewall endpoints and you need to inspect the traffic of the VMs. What should you do?
Options
- A. Configure Packet Mirroring to match the source/destination IP addresses of the VMs.
- B. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the
- C. Configure a firewall rule to match the hostnames of the VMs, and use the
- D. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the
Explanation
With Cloud Next Generation Firewall Enterprise, after deploying firewall endpoints, you must create firewall rules that match the relevant traffic and set the action to `apply_security_profile_group`. The security profile group is what links the firewall rule to the IPS engine. Traffic is matched by source/destination IP addresses, not by hostnames, because firewall rules are not evaluated against VM hostnames.

Option D correctly states both parts: match by source/destination IP and use the `apply_security_profile_group` action. Option A (Packet Mirroring) is a separate feature for passive traffic inspection and does not enforce IPS inline. Options B and C are incorrect: Option B uses the wrong action type, and Option C incorrectly attempts to match by hostname.