
SY0-701 Question #17: Real Exam Question with Answer & Explanation

The correct answer is B: Testing the policy in a non-production environment before enabling the policy in the production.

Submitted by ashley.k · Mar 6, 2026 · Security operations

Question

While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue?

Options

  • A. Documenting the new policy in a change request and submitting the request to change
  • B. Testing the policy in a non-production environment before enabling the policy in the production
  • C. Disabling any intrusion prevention signatures on the 'deny any' policy prior to enabling the new
  • D. Including an 'allow any' policy above the 'deny any' policy

Explanation

Testing the new "deny any" policy in a non-production environment first (B) is correct because it allows the technician to observe the policy's real-world impact - including which traffic gets blocked - without disrupting live servers, giving time to refine the rules before production deployment.

Why the distractors are wrong:

  • A is wrong because submitting a change request documents the change but does nothing to validate whether the policy is safe - paperwork alone doesn't prevent misconfiguration.
  • C is wrong because disabling IPS signatures is unrelated to the core problem; the issue is an overly broad ACL rule blocking legitimate server traffic, not intrusion prevention triggering false positives.
  • D is wrong because placing "allow any" above "deny any" would defeat the entire purpose of the deny rule - it would permit all traffic and render the firewall policy useless.

Memory tip: Think of ACL rules like a bouncer checking a list from top to bottom - the first matching rule wins. Always test before you block, because a blanket "deny any" at the bottom only works correctly if all the legitimate "allow" rules above it are already correct and complete.
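The pre-production test described above can be sketched as a dry run: evaluate the candidate ACL top-down against the flows the servers are known to need and list the ones the new "deny any" would cut off. This is an added example, not part of the original question; the rule format, addresses, flow names, and the default-allow behaviour for unmatched traffic are all constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # None matches any port

class Flow(NamedTuple):
    name: str
    src: str
    dst: str
    port: int

def _contains(cidr: str, addr: str) -> bool:
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    return ipaddress.ip_address(addr) in net

def first_match(acl, flow, default="allow"):
    """Top-down evaluation: the first matching rule wins.
    `default` (assumed "allow") applies when no rule matches."""
    for index, rule in enumerate(acl):
        if (_contains(rule.src, flow.src) and _contains(rule.dst, flow.dst)
                and rule.port in (None, flow.port)):
            return rule.action, index
    return default, None

def blocked_flows(acl, required):
    """Names of required flows that the ACL would deny."""
    return [f.name for f in required if first_match(acl, f)[0] == "deny"]

# Constructed sample data: the existing allow rules are incomplete.
CURRENT_ACL = [
    Rule("allow", "10.0.0.0/24", "10.0.1.10/32", 443),
    Rule("allow", "10.0.0.0/24", "10.0.1.20/32", 22),
]
CANDIDATE_ACL = CURRENT_ACL + [Rule("deny", "any", "any", None)]
REQUIRED_FLOWS = [
    Flow("web-https", "10.0.0.5", "10.0.1.10", 443),
    Flow("admin-ssh", "10.0.0.7", "10.0.1.20", 22),
    Flow("db-replication", "10.0.1.10", "10.0.1.30", 5432),
    Flow("dns-lookup", "10.0.1.20", "10.0.2.53", 53),
]

if __name__ == "__main__":
    for name in blocked_flows(CANDIDATE_ACL, REQUIRED_FLOWS):
        print(f"would be blocked: {name}")
```

Each flow reported here needs its own specific allow rule above the "deny any" before the policy goes to production.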

Topics

#Firewall management #Change management #Policy testing #Operational best practices
