AZ-800 - Microsoft Azure Networking Solutions Azure Firewall Policies Questions and Answers

Question 1

An organization wants to enforce a mandatory set of corporate security rules on all Azure Firewalls while allowing individual application teams to add their own specific rules. The corporate rules must always be processed before the application-specific rules. Which Azure Firewall Policy configuration should be used?

Accepted Answer

Create a parent Firewall Policy for corporate rules and child policies for each application team that inherit from the parent.

Answer

Azure Firewall Policies support a hierarchical structure. A parent policy can define base rules that are inherited by child policies. Rules in the parent policy are always processed before rules in the child policy, ensuring that corporate security standards are enforced first.

Question 2

Which of the following Azure Firewall Policy features requires the Premium SKU to be enabled?

Accepted Answer

TLS Inspection

Answer

TLS Inspection, which allows the firewall to decrypt and inspect HTTPS traffic, is a feature exclusive to the Azure Firewall Premium SKU. The other features listed, such as DNS Proxy, Threat Intelligence, and FQDN filtering, are available in the Standard SKU.

Question 3

A network administrator is creating a new Azure Firewall Policy. Rules are organized within Rule Collections, which are in turn grouped into what higher-level container that is processed based on a priority value from 100 to 65,000?

Accepted Answer

Rule Collection Groups

Answer

In an Azure Firewall Policy, rules are placed in Rule Collections (DNAT, Network, or Application). These Rule Collections are contained within Rule Collection Groups, which are the primary unit of processing and are evaluated based on their priority number.

Question 4

An administrator needs to migrate an existing Azure Firewall that uses classic rules to a new Azure Firewall Policy without causing downtime. What is the recommended first step in this process?

Accepted Answer

Use the 'Migrate to firewall policy' option on the firewall's overview page to create a new policy from the existing rules.

Answer

The Azure portal provides a built-in, non-disruptive migration path. On the firewall's overview page, selecting 'Migrate to firewall policy' will create a new policy resource based on the firewall's current classic rule configuration, which can then be associated.

Question 5

A parent Firewall Policy contains a Network Rule Collection Group with a priority of 300. A child policy inheriting from it contains a Network Rule Collection Group with a priority of 150. How will Azure Firewall process these rule collection groups?

Accepted Answer

The parent policy's group will be processed first because parent rules always have precedence.

Answer

When using policy inheritance, Rule Collection Groups from the parent policy are always processed before Rule Collection Groups in the child policy, regardless of their priority numbers. After the parent's rules are processed, the child's rules are then processed based on their own priority.

AZ-800 - Microsoft Azure Networking Solutions Practice Test

AZ-800 - Microsoft Azure Networking Solutions Practice Test

AZ-800 - Microsoft Azure Networking Solutions Azure Firewall Policies Questions and Answers