Which of the following statements is true regarding ZFW traffic action characteristics? (Select the best answer.)
- The pass action is bidirectional and automatically permits return traffic.
- The inspect action is unidirectional and can be used to maintain state information.
- The drop action silently discards packets and does not generate ICMP host unreachable messages.
- The pass action can provide an audit trail including session start, stop, and duration values.
Explanation:
The drop action in a zone-based policy firewall (ZFW) configuration silently discards packets and does not generate Internet Control Message Protocol (ICMP) host unreachable messages. ZFWs include many of the features of previous firewall versions, including stateful packet inspection and Uniform Resource Locator (URL) filtering. However, several new firewall features are also included, such as the ability to create security zones to which security policies can be applied. With ZFWs, policies are applied to a security zone pair rather than to an interface. This provides for more granular implementation of firewall policies: different policies can be applied to hosts connected to the same interface. Before a policy can be applied to an interface, the interface must be added to a zone. To permit traffic from one zone to another, you must create a zone pair between the zones. Once you have configured zones and zone pairs, you can apply one of three actions, pass, drop, or inspect, to the traffic between the zones.
The drop action is the default action that is applied to traffic sent from one zone to another on a router that is configured with a ZFW. Unless a policy has been configured to allow traffic to be sent between two zones, the traffic will be dropped.
The pass action can be applied to permit traffic from one zone to another. However, because the pass action is unidirectional, no return traffic will be allowed by the pass action. Another policy would need to be applied in the destination zone to allow return traffic to the originating zone.
The inspect action can be used to maintain state information for a connection sent through a ZFW. Consequently, unlike the pass action, the inspect action is bidirectional and will allow return traffic from the destination zone back to the originating zone. For example, if a ZFW is placed between an internal network and the Internet, the inspect action can be used to allow the internal hosts to retrieve information from the Internet. That is, the return data from the Internet will be permitted by the inspect action because it belongs to a session that was initiated from inside. In addition, the inspect action can provide an audit trail including session start time, stop time, duration, quantity of data transferred, and source and destination IP addresses.
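The zones, zone pair, and action choices described above, as an added Cisco IOS configuration example that is not part of the original question; interface names, the protocols matched, and the policy and zone names are assumptions chosen for illustration.

```cisco
! Added example (not from the question text). Interface names, matched
! protocols and object names are assumed for illustration.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description internal LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink (assumed)
 zone-member security OUTSIDE
!
! Traffic the policy applies to (assumed set of protocols)
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! audit-trail on gives the session start/stop/duration/bytes records
! that only the inspect action can produce.
parameter-map type inspect AUDIT-PMAP
 audit-trail on
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  ! inspect = stateful: replies to these sessions are allowed back
  ! from OUTSIDE to INSIDE without a second policy.
  inspect AUDIT-PMAP
 class class-default
  ! explicit drop for everything else (same as the implicit default)
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! No OUTSIDE -> INSIDE zone pair exists, so unsolicited inbound traffic
! hits the default action: it is dropped silently, with no ICMP
! host unreachable sent back to the source.
!
! Contrast with pass: had the class used
!   inspect AUDIT-PMAP   ->   pass
! only INSIDE -> OUTSIDE packets would be permitted, with no state kept;
! a second zone pair (source OUTSIDE destination INSIDE) with its own
! pass policy would be required before any return traffic got through.
```

Checking `show policy-map type inspect zone-pair IN-OUT sessions` after the policy is applied shows the stateful sessions that the inspect action is tracking; a pass-only policy would list none.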