Effective CISSP Questions

A firewall with an external interface configured as and a sole internal interface,, receives egress traffic having a source address Which one of the following actions will the firewall most likely take? (Wentz QOTD)
A. Drop the traffic
B. Forward the traffic as is
C. Forward the traffic after replacing with
D. Send an ICMP echo request to to validate the traffic

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is Drop the traffic.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

This question is written based on the following configuration:

IP Spoofing
IP Spoofing

The IP address,, of the firewall’s internal interface implies the firewall is connected to an internal network with the IP range, and it should receive egress traffic originating from the IP range only. In other words, the, which belongs to, is out of the range and might be spoofed. It’s reasonable for the firewall to drop the traffic with spoofed IP.

Why should I perform egress filtering?

Egress filtering prevents you from sending unwanted traffic out to the Internet. This could include leaking out private address space or stopping compromised systems attempting to communicate with remote hosts. Egress filtering can also help prevent information leaks due to misconfiguration, as well as some network mapping attempts. Finally, egress filtering can prevent internal systems from performing outbound IP spoofing attacks.

Source: SANS Egress Filtering FAQ

Physical Interface and Layer 3 Sub-interfaces

A Sole internal interface and a Sole internal network are quite different. If the case is the Sole internal network – then most probably fw will drop the traffic. Sole internal interface doesnt mean there is no another router/fw behind it – so the traffic can be forwarded as is.

Source: Khoren Mamikonyan

Khoren is right. However, there is more work to do. When it comes to Option B. Forward the traffic as is, it requires many assumptions for the firewall to forward the traffic as is. For example, many internal networks exist; one covers They are well connected, routing can work adequately, and firewall policies allow the egress traffic with a source address to pass through. This video demonstrates how to configure a physical network interface to support multiple layer 3 sub-interfaces.


一台防火牆的外部介面IP設定為10.10.10.10/24,其唯一的內部介面的IP則是192.168.0.254/25. 這台防火牆接收到來源位址為192.168.0.7的對外(egress)流量。以下那項動作防火牆最有可能採取? (Wentz QOTD)
A. 丟棄該流量
B. 按原樣轉發流量
C. 將192.168.0.7替換為10.10.10.10後轉發流量
D. 向192.168.0.7發送ICMP echo請求以驗證流量

Leave a Reply