How do you implement an allow-list based firewall rule set using an address-list?


Multiple Choice

How do you implement an allow-list based firewall rule set using an address-list?

Explanation:

Using an address-list to control access means you keep a named list of addresses and write firewall rules that refer to that list. The important detail is rule order: the rule that accepts traffic from the listed addresses must be evaluated before a final drop, so allowed sources aren’t blocked by a later rule.

In the setup described here, a list called blocked-subnet is created and populated with 10.0.0.0/8. A filter rule then drops any input traffic whose source address is in that list, and a final rule accepts all other input traffic. The effect is that traffic from 10.0.0.0/8 is denied and everything else is allowed. Strictly speaking this is the deny-list (block-list) form of the pattern: the address-list enumerates what to block and a catch-all accept permits the rest, so here the drop rule must sit before the accept. It is the mirror image of an allow-list, and the two are easy to confuse on the exam because both are built from the same two ingredients: an address-list referenced by src-address-list, and a catch-all rule at the end of the chain.

For a true allow-list, where you explicitly enumerate the permitted sources, you would define an allowed-address list, place an accept rule matching src-address-list=allowed-address before a final drop, and rely on that drop to block every source not on the list. Because the final drop applies to the input chain, the list must include the address you manage the router from, or you lock yourself out. The key idea remains the same in both forms: reference the address-list in the rule, and order the accept and the drop so that the catch-all is evaluated last.
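Both variants described above, written out as RouterOS CLI commands. This is an added example, not configuration from the original page; the list names blocked-subnet and allowed-address and the range 10.0.0.0/8 come from the text, while the management range 192.168.88.0/24 and the leading established,related accept are assumptions of this example (the latter is standard practice so that reply traffic is not evaluated against the lists on every packet).

```routeros
# --- Variant 1: deny-list (what the explanation describes) ---
# Address-list holding the range to block.
/ip firewall address-list
add list=blocked-subnet address=10.0.0.0/8 comment="sources to deny"

# Drop listed sources first, then accept everything else.
# Order matters: if these two rules were swapped, the catch-all accept
# would match first and the blocked-subnet rule would never be hit.
/ip firewall filter
add chain=input src-address-list=blocked-subnet action=drop comment="deny listed sources"
add chain=input action=accept comment="catch-all allow"

# --- Variant 2: true allow-list (explicitly enumerate permitted sources) ---
# Assumption for this example: management traffic comes from 192.168.88.0/24.
# This list MUST contain the address you administer the router from,
# otherwise the final drop locks you out.
/ip firewall address-list
add list=allowed-address address=192.168.88.0/24 comment="management LAN (assumed)"

/ip firewall filter
# Assumed standard first rule: let return traffic through without re-checking lists.
add chain=input connection-state=established,related action=accept comment="return traffic"
# Accept listed sources BEFORE the catch-all drop.
add chain=input src-address-list=allowed-address action=accept comment="allow listed sources"
# Everything not accepted above is dropped.
add chain=input action=drop comment="catch-all deny"

# --- Checks ---
# Rules are appended in the order they are added; verify the chain order and
# watch the packet counters to confirm the right rule is matching.
/ip firewall filter print stats where chain=input
# If a catch-all ended up above a more specific rule, fix the order by
# moving it (first argument is the rule to move, second is the position).
# Example: move rule 2 to position 0.
# /ip firewall filter move 2 0
```

The `print stats` output is the practical check: after generating traffic from a listed source, the counter on the address-list rule should increment and the catch-all rule should not, confirming the ordering is correct. The `move` command (or `place-before=` on `add`) is how you repair a chain where the catch-all was added too early.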
