GCP Professional Cloud Security Engineer Practice Question
Your security team wants to block all ingress traffic coming from IP addresses that Google has classified as active command-and-control (C2) endpoints. You are using Cloud Next Generation Firewall (Cloud NGFW) hierarchical firewall policies for the entire organization. Which configuration should you implement to meet the requirement while minimizing ongoing operational effort?
Enable Cloud Armor's preconfigured malware rule at the HTTP(S) load balancer front end to filter requests from malicious sources.
Publish a custom list of known C2 addresses in Cloud Storage and reference it from an ingress firewall rule that logs but does not block matching traffic.
Create a regional egress firewall rule that denies traffic to the threat-intel.botnet destination IP match condition.
Add an organization-level ingress firewall policy rule that denies traffic with the threat-intel.c2 source IP match condition and apply it to all targets.
Cloud NGFW supports threat intelligence (TI) as a match condition in hierarchical firewall policies. You can create an ingress policy rule whose match statement specifies threat-intel.c2 (the Google-maintained list of known command-and-control IP addresses) as the source. Setting the rule's action to deny drops any packets originating from IPs on that list before they reach your VPC networks. Because the list is managed and updated by Google, no manual maintenance is required. Other options either rely on manual IP list management, use the rule in the wrong direction (egress), or would only log rather than block the traffic, so they do not both block C2 sources and minimize operational overhead.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Cloud NGFW and how does it help in threat management?
Open an interactive chat with Bash
What is `threat-intel.c2`, and why is it used in hierarchical firewall policies?
Open an interactive chat with Bash
How do hierarchical firewall policies work in Google Cloud?
Open an interactive chat with Bash
What is Cloud Next Generation Firewall (Cloud NGFW)?
Open an interactive chat with Bash
What is threat intelligence (TI) in hierarchical firewall policies?
Open an interactive chat with Bash
How does the match condition `threat-intel.c2` work in Cloud NGFW policies?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .