Exam AZ-720 topic 5 question 56 discussion

Actual exam question from Microsoft's AZ-720
Question #: 17
Topic #: 5
You manage an Azure Firewall named FW1. FW1 includes a policy named Policy1. The policy contains a single rule collection group with the priority 300 and the following settings:

• A network rule collection with the priority 500
• A destination network address translation (DNAT) rule collection with the priority 300

You use the public IP address assigned to FW1 to connect to an Azure virtual machine (VM) named VM1 by using Remote Desktop from a home computer.

An administrator creates a policy named Policy2. The policy contains a single rule collection group with the priority 500 and the following settings:

• A network rule collection with the priority 600
• A DNAT rule collection with the priority 400
• Threat intelligence
• TLS inspection

The administrator configures Policy2 as a parent of Policy1.

You observe that you no longer can connect to VM1 with Remote Desktop by using the public IP address assigned to FW1 from your home computer.

You need to repair the connection.

What should you do?

  • A. Increase the priority of the DNAT rule collection of Policy2.
  • B. Increase the priority of the rule collection group of Policy2.
  • C. Modify TLS inspection settings.
  • D. Modify threat-intelligence settings.
Suggested Answer: A

Comments

cris_exam
2 years, 2 months ago
Selected Answer: D
D - Threat Intelligence is what I would check, as already explained in my other comment.
upvoted 1 times
cris_exam
2 years, 2 months ago
A or B cannot be the answer. The parent policy takes precedence over any child policy, and hence increasing the prio on either the DNAT rule collection or the group itself makes no sense, as it has priority anyway. https://learn.microsoft.com/en-us/azure/firewall/rule-processing#rule-processing-using-firewall-policy Then C is not the answer either, as this is specific to OUTBOUND traffic, and since we are talking about DNAT (INBOUND), it's not applicable. Then D is what I chose, as it's the most probable cause for the deny - even though by default Threat Intelligence is in Alert mode, it's not specified if it was changed or not, and since the answer says "modify Threat intelligence settings", and also based on the doc below, I would go with D. https://learn.microsoft.com/en-us/azure/firewall/rule-processing#threat-intelligence "Threat-intelligence filtering may deny traffic before any configured rules are processed."
upvoted 2 times
terawatt
1 year, 11 months ago
The information provided in the question doesn't specifically state that Threat Intelligence is blocking the traffic, but given the provided options and your analysis, option D seems the most plausible. In the context of a multiple-choice exam, and given these options, I would probably go with option D: "Modify threat-intelligence settings". However, it's important to note that, in a real-world scenario, further investigation would be necessary. Changes to the settings, especially security settings like Threat Intelligence, should not be made without a clear understanding of what's causing the issue to avoid potential security risks. Also, it is generally better to adjust the specific rules causing the issue rather than modifying global settings.
upvoted 1 times
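As an added illustration of the rule-processing reasoning in the comments above (this is not code from the page, from Microsoft or from any commenter), here is a small Python model of how Azure Firewall Policy orders rule collections and where threat-intelligence filtering sits. Assumed for the demonstration only: Policy2's threat intelligence is in Deny mode and the home computer's IP is on the threat feed; the question states neither.

```python
from dataclasses import dataclass

# Lower number = higher priority (100 is highest, 65000 lowest).
KIND_ORDER = {"dnat": 0, "network": 1, "application": 2}


@dataclass
class RuleCollection:
    kind: str                   # "dnat", "network" or "application"
    priority: int
    matches_flow: bool = False  # constructed flag: a rule here matches the inbound RDP flow


@dataclass
class Policy:
    name: str
    group_priority: int               # priority of the policy's single rule collection group
    collections: list
    threat_intel_mode: str = "Alert"  # "Off", "Alert" or "Deny"


def processing_order(child, parent=None):
    """Flatten parent and child collections into evaluation order: DNAT before network
    before application; within a type, parent groups before child groups regardless of
    numeric priority; then group priority, then collection priority."""
    chain = [(0, parent), (1, child)] if parent else [(0, child)]
    entries = [(rank, pol, col) for rank, pol in chain for col in pol.collections]
    entries.sort(key=lambda e: (KIND_ORDER[e[2].kind], e[0], e[1].group_priority, e[2].priority))
    return [(pol.name, col) for _, pol, col in entries]


def evaluate_inbound_rdp(child, parent=None, source_flagged=False):
    """Outcome for the home PC -> FW1 public IP -> VM1 RDP flow. Threat intelligence in
    Deny mode (inherited from the parent) acts before any rule; otherwise the first
    matching DNAT collection wins; inbound traffic with no DNAT match is dropped."""
    policies = [p for p in (parent, child) if p is not None]
    if source_flagged and any(p.threat_intel_mode == "Deny" for p in policies):
        return "denied by threat intelligence before rule processing"
    for name, col in processing_order(child, parent):
        if col.kind == "dnat" and col.matches_flow:
            return f"translated by DNAT collection (priority {col.priority}) in {name}"
    return "dropped: no DNAT rule matched"


# Constructed scenario from the question: Policy2 (parent, Deny-mode threat intel assumed),
# Policy1 (child) holding the DNAT rule that publishes RDP to VM1.
POLICY1 = Policy("Policy1", 300, [RuleCollection("network", 500),
                                  RuleCollection("dnat", 300, matches_flow=True)])
POLICY2 = Policy("Policy2", 500, [RuleCollection("network", 600),
                                  RuleCollection("dnat", 400)], threat_intel_mode="Deny")
```

Running `evaluate_inbound_rdp(POLICY1, POLICY2, source_flagged=True)` shows the deny happening before any DNAT collection is consulted, and lowering Policy2's DNAT priority number (option A) leaves `processing_order` and the outcome unchanged because the parent is already evaluated first.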
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted