Exam SY0-701 topic 1 question 585 discussion

B. Firewall Explanation: Firewall logs monitor and record traffic that passes through the network perimeter. They typically include source IP addresses, destination ports, protocols, and whether the traffic was allowed or blocked. Since port scans are a type of network reconnaissance, the firewall is the best place to identify external IPs attempting to scan ports. Other Options: A. OS security – Logs events on the local system (e.g., logins, policy changes), not ideal for network-level scans. C. Application – Focuses on app-specific events (e.g., errors, user activity), unlikely to capture port scans. D. Endpoint – May log network activity but usually doesn't capture full scan details like a perimeter firewall would. Correct answer: B. Firewall

Firewall logs are the best source to review when investigating port scans because: Firewalls sit at the network edge and are designed to log all inbound and outbound connection attempts, including scans. They record key details like: Source IP address Destination port Action taken (allowed/blocked)

A firewall log captures network traffic activity at the edge of a network, including: Port scan attempts Source and destination IP addresses Ports and protocols used Allow/Deny actions So, if a port scan is detected, the firewall log is the most appropriate place to check for the attacker’s source IP address.