Exam Professional Cloud Network Engineer topic 1 question 66 discussion

Actual exam question from Google's Professional Cloud Network Engineer

Question #: 66
Topic #: 1

[All Professional Cloud Network Engineer Questions]

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

A. Enable logging on the default Deny Any Firewall Rule.
B. Enable logging on the VM Instances that receive traffic.
C. Create a logging sink forwarding all firewall logs with no filters.
D. Create an explicit Deny Any rule and enable logging on the new rule.

Show Suggested Answer

Suggested Answer: D 🗳️

by ESP_SAP at Nov. 3, 2020, 8:54 p.m.

Comments

Submit Cancel

ESP_SAP

Highly Voted 4 years, 7 months ago

Correct Answer is (D): Firewall Rules Logging has the following specifications: You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules. Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs. https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

upvoted 25 times