When is the default deny all policy an exception in zone-based firewalls?
A. When traffic traverses two interfaces in the same zone
B. When traffic terminates on the router via the self zone
C. When traffic sources from the router via the self zone
D. When traffic traverses two interfaces in different zones
When an interface is assigned to a zone, the hosts connected to that interface are included in that zone. By default, traffic is allowed to flow between interfaces that are members of the same zone, while a default “deny-all” policy is applied to traffic moving between zones.
Page 5
https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.pdf
Answer A is correct
B is wrong because it does not mention the self zone as a source.
C is wrong because it does not mention the self zone as a destination.
I think A is correct
Page 385. CCNA Security 210-260 Official Cert Guide.
Regarding the self zone, if there is a zone pair but no policy is applied, the default behavior is to forward all traffic (which is different from the traffic between manually created zones). When configuring a zone pair that includes the self zone, the administrator must allow management traffic to be allowed so as to prevent administrative connections from being denied.
I think that A is not correct
Traffic between equal security level interfaces is by default denied but you can change this behavior.
To change this, use command:
ASA#configure terminal
ASA(config)#same-security-traffic permit inter-interface
https://www.grandmetric.com/knowledge-base/design_and_configure/how-to-enable-traffic-between-same-security-level-interfaces-cisco-asa/
Correct answer is B.
You alter the default behavior of DENY ALL using the “same-security-traffic permit inter-interface”, therefore A is not right (traffic is not permitted by default on same zone interfaces).
Traffic must terminate to the ASA’s self-zone for traffic to be permitted without prior configuration (override implicit DENY ALL).
https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.pdf
The “Self” zone is a default zone that defines the router itself as a separate security zone, which you can specify as either the source or destination zone. The Self zone is the only exception to the default “deny all” policy. All traffic to any router interface is allowed until explicitly denied.
The correct answer is B.
Last answer had this explanation
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Rules For Applying Zone-Based Policy Firewall
Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:
A zone must be configured before interfaces can be assigned to the zone. An interface can be assigned to only one security zone. All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone. In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone. “The self zone is the only exception to the default deny all policy.”
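The three rules quoted above (same-zone traffic allowed, inter-zone traffic denied until a zone-pair policy permits it, and self-zone traffic allowed until a zone-pair touching "self" is created) can be seen in one IOS zone-based firewall configuration. This is an added example, not configuration from the Cisco documents or from any poster in this thread; the zone names, class-map/policy-map names, interface names, the 192.0.2.0/24 management subnet and the interface addresses are all assumed for illustration.

```cisco
! Two user-defined zones. With no zone-pair between them, traffic INSIDE <-> OUTSIDE
! is dropped (default deny-all), while hosts on two interfaces in the same zone can talk.
zone security INSIDE
zone security OUTSIDE

! INSIDE -> OUTSIDE: stateful inspection of TCP/UDP/ICMP; anything else is dropped.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
! No zone-pair OUTSIDE -> INSIDE is defined, so unsolicited inbound traffic stays
! denied; return traffic for sessions inspected above is allowed by the state table.

! Self zone. Until a zone-pair names "self", traffic to and from the router itself is
! permitted by default. Creating OUTSIDE -> self replaces that default with this policy,
! so the management traffic the admin needs must be allowed here explicitly or the
! router locks its administrators out.
! (192.0.2.0/24 is a hypothetical management subnet.)
ip access-list extended ACL-MGMT-HOSTS
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit icmp 192.0.2.0 0.0.0.255 any echo
class-map type inspect match-all CM-MGMT-TO-SELF
 match access-group name ACL-MGMT-HOSTS
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  pass
 class class-default
  drop log
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
! No zone-pair self -> OUTSIDE is defined, so the router's replies (SSH, echo-reply)
! still use the self zone's default-allow behavior in that direction.

! Interfaces are placed in zones only after the zones exist; one zone per interface.
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
```

After applying this, `show zone-pair security` lists the two pairs and the policies attached, and `show policy-map type inspect zone-pair ZP-OUTSIDE-SELF` shows per-class pass and drop counters, which is the quickest way to confirm that management sessions are hitting CM-MGMT-TO-SELF rather than class-default before the change is committed on a remote router.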
So why is A and not C?