PROFESSIONAL-CLOUD-NETWORK-ENGINEER · Question #81
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Question #81: Real Exam Question with Answer & Explanation
The correct answer is D: Create an explicit Deny Any rule and enable logging on the new rule.
Question
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue. What should you do?
Options
- A. Enable logging on the default Deny Any Firewall Rule.
- B. Enable logging on the VM Instances that receive traffic.
- C. Create a logging sink forwarding all firewall logs with no filters.
- D. Create an explicit Deny Any rule and enable logging on the new rule.
Explanation
In GCP, the implied 'deny all ingress' rule is a built-in rule that cannot be modified, deleted, or have logging enabled on it directly. This is why option A fails - you cannot simply 'enable logging' on the default implicit deny rule. To capture denied connection logs, you must create an explicit deny-all firewall rule (lower priority number means higher priority; a high priority number like 65534 still runs before the implied rule) and enable logging on that explicit rule. Option C (a logging sink) only forwards logs that are already being generated - if no deny logs exist because logging isn't enabled on the deny rule, the sink has nothing to forward. Option B (VM instance logging) captures OS-level logs, not firewall-level deny events.
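To make the priority argument concrete, here is an added model of GCP VPC firewall evaluation (illustration written for this page, not Google's code): rules match first-by-priority, the implied deny sits at the lowest priority and refuses logging, and an explicit deny at 65534 with logging catches what the implied rule would have silently dropped. The rule names, ports and the sample policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Model of GCP VPC firewall evaluation: lower priority number wins, first match applies.
# The implied 'deny all ingress' rule is evaluated last (priority 65535) and cannot log.


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    ports: Optional[Set[int]]   # None = all ports/protocols
    priority: int = 1000
    logging: bool = False
    implied: bool = False       # built-in rule: cannot be edited, deleted or logged


IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", "deny", None, 65535, False, True)


def enable_logging(rule: Rule) -> Rule:
    """Option A fails here: logging cannot be turned on for an implied rule."""
    if rule.implied:
        raise ValueError(f"{rule.name} is an implied rule; logging cannot be enabled")
    rule.logging = True
    return rule


def evaluate(rules: List[Rule], port: int) -> Tuple[str, str, bool]:
    """Return (matching rule name, action, whether a log entry is produced) for ingress to `port`."""
    for rule in sorted(rules + [IMPLIED_DENY_INGRESS], key=lambda r: r.priority):
        if rule.ports is None or port in rule.ports:
            return rule.name, rule.action, rule.logging
    raise AssertionError("unreachable: the implied rule matches every packet")


# Constructed sample policy from the question: only HTTP, HTTPS and SSH are allowed.
ALLOW_WEB_SSH = [Rule("allow-web-ssh", "allow", {22, 80, 443}, 1000, logging=True)]


def explicit_deny_all(priority: int = 65534) -> Rule:
    """Option D: explicit deny-all just above the implied rule, with logging enabled.
    Equivalent CLI: gcloud compute firewall-rules create deny-all-ingress-logged
      --direction=INGRESS --action=DENY --rules=all --priority=65534 --enable-logging
    """
    return Rule("deny-all-ingress-logged", "deny", None, priority, logging=True)


if __name__ == "__main__":
    print(evaluate(ALLOW_WEB_SSH, 3389))                         # implied deny, no log
    print(evaluate(ALLOW_WEB_SSH + [explicit_deny_all()], 3389))  # explicit deny, logged
```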