Google Cloud Professional Cloud Network Engineer — Question 212

Your organization deployed a mission critical application that is expected to be a new revenue source. As part of the planning and deployment process, you have recently implemented a security profile with the default set of threat signatures provided by Cloud Next Generation Firewall (Cloud NGFW). This application is the only application running on this project. You need to increase the security posture of the application to log the threat and drop the related packets. What should you do?

Answer options

• A. Configure a new default threat signature with Deny All to all severity options. Review the logs to understand the impact.
• B. Set up a Linux VM as the frontend gateway for the application. Create iptables rules to drop all packets, excluding the application port.
• C. For all severity options (critical, high, medium, low and informational) in the security profile, change the default override action to Deny.
• D. Configure Cloud Scheduler to run a task that checks the Cloud NGFW logs to verify the threats. Configure the task to create a security profile with each signature ID set to override the default action.

Correct answer: C

Explanation

The correct answer is C because changing the default override action to Deny for all severity levels ensures that any detected threats are logged and the corresponding packets are blocked, enhancing the application's security. Option A is not ideal as it could lead to an overly restrictive policy with potential negative impacts on legitimate traffic. Option B does not leverage the capabilities of Cloud NGFW effectively, and option D focuses on log monitoring rather than immediate threat mitigation.