
Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 186 discussion

A company wants to use an AWS Network Firewall firewall to secure its workloads in the cloud through network traffic inspection. The company must record complete metadata information, such as source/destination IP addresses and protocol type. The company must also record all network traffic flows and any DROP or ALERT actions that the firewall takes for traffic that the firewall processes. The Network Firewall endpoints are placed in the correct subnets, and the VPC route tables direct traffic to the Network Firewall endpoints on the path to and from the internet.

How should a network engineer configure the firewall to meet these requirements?

  • A. Create a firewall policy to ensure that traffic is processed by stateless or stateful rules according to needs. Select Amazon CloudWatch Logs as the destination for the flow logs.
  • B. Create a firewall policy to ensure that traffic is processed by stateless or stateful rules according to needs. Configure Network Firewall logging for alert logs and flow logs.
    Select a destination for logs separately for stateful and stateless engines.
  • C. Create a firewall policy to ensure that a stateful engine processes all the traffic. Configure Network Firewall logging for alert logs and flow logs. Select a destination for alert logs and flow logs.
  • D. Create a firewall policy to ensure that a stateful engine processes all the traffic. Configure VPC flow logs for the subnets that the firewall protects. Select a destination for the flow logs.
Suggested Answer: B
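The point the commenters keep returning to, that Network Firewall logging covers only traffic forwarded to the stateful rules engine, can be checked mechanically against a firewall's configuration. The following is an added example, not part of the exam question or the discussion: it audits a firewall policy and logging configuration in the shapes returned by the Network Firewall DescribeFirewallPolicy, DescribeRuleGroup and DescribeLoggingConfiguration API calls, and reports any stateless default or rule action that passes or drops traffic before the stateful engine (such traffic leaves no flow or alert record) and any missing ALERT or FLOW log destination. The ARNs, log group and bucket names are constructed placeholders, and the function names are the example's own, not an AWS API.

```python
"""Audit an AWS Network Firewall policy and logging configuration against the
requirement that every flow and every DROP/ALERT action is recorded.

Network Firewall logging only covers traffic that reaches the stateful rules
engine (SFE), so the audit flags stateless paths that pass or drop traffic
before the SFE, and missing ALERT or FLOW log types.
Added example; all data below is constructed, not from a real account."""

FORWARD_TO_SFE = "aws:forward_to_sfe"
REQUIRED_LOG_TYPES = {"ALERT", "FLOW"}


def missing_log_types(logging_configuration):
    """Return required log types with no destination (DescribeLoggingConfiguration shape)."""
    configured = {cfg["LogType"]
                  for cfg in logging_configuration.get("LogDestinationConfigs", [])}
    return sorted(REQUIRED_LOG_TYPES - configured)


def stateless_bypasses(policy, rule_groups):
    """Describe stateless decisions that never reach the SFE.

    `policy` follows DescribeFirewallPolicy; `rule_groups` maps a stateless rule
    group ARN to its DescribeRuleGroup body. A rule's Actions list may carry a
    custom action name alongside the standard action, hence the membership test."""
    findings = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = policy.get(key, [])
        if FORWARD_TO_SFE not in actions:
            findings.append(f"{key} = {actions}: traffic skips the stateful engine")
    for ref in policy.get("StatelessRuleGroupReferences", []):
        arn = ref["ResourceArn"]
        rules = (rule_groups.get(arn, {}).get("RulesSource", {})
                 .get("StatelessRulesAndCustomActions", {}).get("StatelessRules", []))
        for rule in rules:
            actions = rule["RuleDefinition"]["Actions"]
            if FORWARD_TO_SFE not in actions:
                findings.append(f"{arn} priority {rule['Priority']} actions {actions}: "
                                f"matched traffic is not logged")
    return findings


def audit(policy, logging_configuration, rule_groups):
    """Combine both checks; ok is True only when nothing escapes logging."""
    findings = [f"missing log type {t}" for t in missing_log_types(logging_configuration)]
    findings += stateless_bypasses(policy, rule_groups)
    return {"ok": not findings, "findings": findings}


# Constructed sample configuration (placeholder account 111122223333).
STATELESS_ARN = "arn:aws:network-firewall:us-east-1:111122223333:stateless-rulegroup/example"
STATEFUL_ARN = "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/example"

COMPLIANT_POLICY = {
    "StatelessRuleGroupReferences": [{"ResourceArn": STATELESS_ARN, "Priority": 10}],
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [{"ResourceArn": STATEFUL_ARN}],
}

# Stateless group that forwards all TCP to the SFE: every decision is loggable.
COMPLIANT_RULE_GROUPS = {STATELESS_ARN: {"RulesSource": {"StatelessRulesAndCustomActions": {
    "StatelessRules": [{"Priority": 1, "RuleDefinition": {
        "MatchAttributes": {"Protocols": [6]}, "Actions": ["aws:forward_to_sfe"]}}]}}}}

COMPLIANT_LOGGING = {"LogDestinationConfigs": [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
     "LogDestination": {"logGroup": "/anfw/alert"}},
    {"LogType": "FLOW", "LogDestinationType": "S3",
     "LogDestination": {"bucketName": "example-anfw-logs", "prefix": "flow"}},
]}

# Same policy, but the stateless group drops SSH before the SFE and only ALERT
# logs are configured: the dropped SSH flows would leave no record at all.
NONCOMPLIANT_RULE_GROUPS = {STATELESS_ARN: {"RulesSource": {"StatelessRulesAndCustomActions": {
    "StatelessRules": [{"Priority": 1, "RuleDefinition": {
        "MatchAttributes": {"Protocols": [6],
                            "DestinationPorts": [{"FromPort": 22, "ToPort": 22}]},
        "Actions": ["aws:drop"]}}]}}}}
NONCOMPLIANT_LOGGING = {"LogDestinationConfigs": COMPLIANT_LOGGING["LogDestinationConfigs"][:1]}


if __name__ == "__main__":
    for label, logging_cfg, groups in (("compliant", COMPLIANT_LOGGING, COMPLIANT_RULE_GROUPS),
                                       ("noncompliant", NONCOMPLIANT_LOGGING, NONCOMPLIANT_RULE_GROUPS)):
        result = audit(COMPLIANT_POLICY, logging_cfg, groups)
        print(label, "ok" if result["ok"] else "FINDINGS:")
        for finding in result["findings"]:
            print("  -", finding)
```

In a real account the three dicts would come from `describe-firewall-policy`, `describe-rule-group` and `describe-logging-configuration`; the audit logic is unchanged. Note that it covers the question's two requirements separately: the log types answer "are DROP/ALERT actions and flows recorded at all", while the stateless check answers "does every packet reach the engine that produces those records".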

Comments

46f094c
1 month ago
Selected Answer: C
B doesn't mention the "engine". "...Firewall logging is only available for traffic that you forward to the stateful rules engine..." so no engine, no logging
upvoted 1 times
Spaurito
1 month, 2 weeks ago
B - You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them. This meets the requirements best.
upvoted 1 times
Spaurito
1 month, 2 weeks ago
Here is a demo of the Network Firewall Dashboard. Defines the separate logging for Stateful and Stateless.
upvoted 1 times
KynExam
3 months ago
Selected Answer: C
By doc, already sent, voting to help: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html "Note: Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy."
upvoted 2 times
seongheon
3 months ago
Selected Answer: C
C: Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy.
upvoted 3 times
arturogomezb
6 months ago
Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html
upvoted 1 times
luisgu
3 months, 3 weeks ago
So, the correct answer is C; option B cannot guarantee that the traffic is processed by the stateful engine.
upvoted 1 times
acloudguru
7 months, 3 weeks ago
Selected Answer: B
Option D: Using VPC Flow Logs would capture network traffic flows, but it would not capture the specific DROP or ALERT actions taken by the AWS Network Firewall. Additionally, VPC Flow Logs do not provide the same level of detail and metadata as the Network Firewall flow logs.
upvoted 2 times
JoellaLi
8 months, 2 weeks ago
Selected Answer: B
You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them.
upvoted 2 times
JoellaLi
8 months, 2 weeks ago
You can record flow logs and alert logs from your Network Firewall stateful engine.
  • Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group.
  • Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.
upvoted 1 times
KobDragoon
8 months, 3 weeks ago
Selected Answer: B
B is the right answer; not all traffic needs to be processed by the stateful engine, as C suggests.
upvoted 2 times
Spaurito
1 month, 2 weeks ago
Actually, the requirement states, "record all network traffic flows". This would lead to needing both the Stateful and Stateless engines.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other
