Exam Professional Cloud Network Engineer topic 1 question 10 discussion

I think correct answer should be D. https://cloud.google.com/blog/products/identity-security/google-cloud-firewall-rules-logging-how-and-why-you-should-use-it "Since we have implicit ingress and the denial rule is not being logged, we create a “deny all” rule with priority 65534 to capture anything that gets denied" https://cloud.google.com/vpc/docs/firewall-rules-logging

The correct answer is D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs. To see logs for blocked traffic, you need to enable logging for traffic explicitly denied by firewall rules. In this case, the existing rule allows only HTTP traffic, and since RDP is not allowed, it is being denied. However, without a specific deny rule with logging enabled, you won't see logs for the blocked traffic.

Choose option D. When you create a new firewall rule with priority 65500 and set it to deny all traffic, and then enable logging, you effectively create a "catch-all" rule that logs all denied traffic. This can be useful for troubleshooting and identifying traffic that is being blocked by the firewall. Here's the breakdown: Priority 65500: Firewall rules are processed in ascending order of priority. By setting the priority to 65500, this rule becomes one of the last rules to be evaluated, effectively serving as a catch-all rule after other rules have been checked. Deny All Traffic: This rule denies all traffic, including HTTP traffic, RDP traffic, and any other traffic. It acts as a safety net to catch and log any unexpected or unwanted traffic. Enable Logs: Enabling logging for this rule allows you to see entries in the firewall logs for any traffic that matches this rule.

Answer is D, it's the only way to capture anything that would have otherwise been denied by the default deny all implicit rule

A is correct. Option B is not relevant as Remote Desktop Protocol uses port 3389, not port 22, which is used by SSH. Option C is not necessary as it would allow traffic on port 22 for SSH, but it does not address the issue with Remote Desktop Protocol. Option D is not a good solution because it would block all traffic, including legitimate traffic, and make it difficult to troubleshoot the issue.

D: • VPC Flow Logs interacts with firewall rules in the following ways: • Egress packets are sampled before egress firewall rules. Even if an egress firewall rule denies outbound packets, those packets can be sampled by VPC Flow Logs. • Ingress packets are sampled after ingress firewall rules. If an ingress firewall rule denies inbound packets, those packets are not sampled by VPC Flow Logs.

D is correct because the default deny-all rule does not have logging enabled

Firewall rule create on port 80 (http) He can't ingress to port 22 Create a new firewall rule on port 22 and check the logs. Answer is C. Option D is enable by default. Google create a two firewall rules when a project is created. One firewall rule for deny ingress traffic and another firewall rule for allow egress traffic.

D to see the blocked traffic, as asked...

D is correct answer

Answer is D

answer is D. implicit deny cant show logs you have to add new log with deny.

Answer is D

Asnwer is D: Implicit FW rule [ingress or egress] are NOT logged...

D is correct.

Initially I chose A. (Wrong). Correct is D. https://cloud.google.com/vpc/docs/flow-logs Ingress packets are sampled after ingress firewall rules. If an ingress firewall rule denies inbound packets, those packets are not sampled by VPC Flow Logs. --> it says, if an ingress firewall rule denies something, that won't be logged in VPC flow logs. That makes Option A out and wrong. for sake of explaination--> Egress packets are sampled before egress firewall rules. Even if an egress firewall rule denies outbound packets, those packets can be sampled by VPC Flow Logs. which means--> creating Option B and C -> makes no sense, as question talks about RDP. Option D -> by default without explanation is the answer. as you cannot monitor implied deny rules, you create a custom one to monitor. makes more sense.

D is incorrect because of the priority setting 65500, the implicit deny has lowest priority 65535, if you create a deny all rule in 65500, it would have impact on other rules with priority between 65500 - 65534. A is correct in this case . For ingress traffic, VPC flow logs works after firewall rule , since firewall rule only allow HTTP traffic, it means the rest blocked traffic will be sampled by VPC flow log