Exam 300-710 topic 1 question 12 discussion

ans: C

There is no DMZ setup during initial deployment of a CISCO NGFW using the FMC GUI... You would have to specify an interface designated to receive DMZ traffic, associate it to a security zone designated to DMZ traffic and lastly configure a policy to act on the DMZ traffic.... However, when creating a NEW access control policy you have to choose from one of the 3 default actions: Block all traffic Intrusion Prevention Network Discovery So Technical C would be correct because there is no DMZ deployment during initial setup but if you were to setup a DMZ after initial setup you would most likely block all traffic by default and change it after to allow all traffic... Because it's a DMZ... I would say C.

This is a tricky questions, both answers can be correct. The DMZ is here to throw us off, the default action for the FMC in the policy rules is Block ALL Traffic. Would they count this as a policy? Only the person who wrote the question knows. However, there are no Policies configured at all, that's why after you create your interface, you need to go and add your policy rules or it will be blocked by default. That's why I say it depends on what they are looking for with this question. Is there a "deny ip any" yes sure, but that's the default for everything and not only the DMZ, does it count as a policy? I don't think so, because when you go to the ACP it will tell you that you don't have any rules and you have to create a rule. With that being said, I will go with the provided answer and pray for the best.

No policy rule is included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI. The administrator must create the necessary policy rules to allow traffic to and from the DMZ.

If we ask ourselves "Would traffic flow through a vanilla deployed FTD?" Then the answer would be no, which is why I would go with B

I will go for C .. strange question though

Answer is B

Wrong "deny ip any"