Comprehensive and Detailed Step-by-Step Explanation:
1. How Firewalls Match Security Policies:
Firewalls use security policies to define rules for filtering traffic.
Each policy contains matching conditions (e.g., source IP, destination IP, protocol, etc.) and an action (e.g., permit or deny).
Traffic is evaluated against these policies in sequential order, and the first matching policy is applied.
2. Analysis of Each Statement:
Option A: Multiple values can be configured for a single matching condition, and the values are logically ANDed.
Incorrect.
Multiple values for a single matching condition (e.g., multiple source IPs) are logically ORed, not ANDed. For example, traffic from any one of the specified source IPs matches the policy.
Option B: If a security policy contains multiple matching conditions, the relationship between them is AND.
Correct.
When a policy has multiple matching conditions (e.g., source IP AND destination IP AND protocol), all conditions must be met for the policy to match.
Option C: The system has a default security policy named default, where all matching conditions are any and the default action is permit.
Incorrect.
The default security policy typically denies all traffic unless it is explicitly permitted by a user-defined policy, so its default action is deny, not permit.
Option D: When multiple security policy rules are configured, they are sorted in a list by configuration sequence by default. A security policy rule configured earlier is placed higher in the list and has a higher priority.
Correct.
Security policies are processed in sequential order based on their configuration sequence. Policies configured earlier have higher priority and are evaluated first.
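The matching behaviour from Options A, B and D (values within a condition ORed, conditions ANDed, first match in configuration order wins, default deny) modelled as an added Python example; this is not code from the study guide, and the policy names, addresses and ports are constructed.

```python
# Added example: a minimal first-match security policy evaluator.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    action: str                      # "permit" or "deny"
    # field name -> set of accepted values; an empty set means "any"
    conditions: dict = field(default_factory=dict)

    def matches(self, packet: dict) -> bool:
        # Option B: conditions are ANDed, every configured one must hold.
        for cond, values in self.conditions.items():
            if not values:           # "any" for this condition
                continue
            # Option A: values within one condition are ORed.
            if packet.get(cond) not in values:
                return False
        return True

def evaluate(policies, packet, default_action="deny"):
    """Option D: walk the list in configuration order; the first matching
    policy decides. Returns (policy_name, action), falling back to the
    default policy when nothing matches."""
    for policy in policies:
        if policy.matches(packet):
            return policy.name, policy.action
    return "default", default_action

# Constructed policy list (hypothetical names and addresses).
POLICIES = [
    Policy("allow-web", "permit",
           {"src_ip": {"10.1.1.10", "10.1.1.11"},   # ORed values
            "dst_port": {80, 443},
            "protocol": {"tcp"}}),
    Policy("block-guest", "deny", {"src_zone": {"guest"}}),
    # Configured later than block-guest, so guest DNS never reaches it:
    # the earlier, higher-priority rule shadows this one.
    Policy("guest-dns", "permit", {"src_zone": {"guest"}, "dst_port": {53}}),
]

if __name__ == "__main__":
    pkt = {"src_ip": "10.1.1.11", "dst_port": 443,
           "protocol": "tcp", "src_zone": "trust"}
    print(evaluate(POLICIES, pkt))   # ('allow-web', 'permit')
```

Swapping the order of block-guest and guest-dns changes the result for guest DNS traffic, which is the practical consequence of Option D.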
3. Summary:
The correct statements are B and D.
[Reference: Huawei HCIA-Datacom Study Guide, Chapter "Firewall Security Policy Matching".]