AP Cybersecurity Unit 3 Lesson 3 Exercise 1
Exercise 1 — Firewall Rule Analysis
6 questions — Evaluate firewall configurations and packet filtering decisions
Brightpath University serves 15,000 students and 2,000 faculty across a main campus and two satellite locations. The campus network includes a student residence network, an academic research network with sensitive grant data, a public-facing web server cluster, and an administrative network handling financial aid and payroll. The IT security team is reviewing firewall policies after a recent audit flagged several misconfigurations.
(A) Incorrect — stateful firewalls track connection state; this firewall explicitly does not.
(B) Incorrect — NGFWs perform deep packet inspection of payloads; this firewall only examines headers.
(D) Incorrect — WAFs are application-layer devices focused on HTTP traffic; this operates at the network/transport layer.
Rule 1: ALLOW TCP from 10.0.0.0/8 to ANY on port 443
Rule 2: DENY TCP from 10.0.50.0/24 to 192.168.1.100 on port 443
Rule 3: DENY ALL
A packet arrives from 10.0.50.15 destined for 192.168.1.100 on port 443. What happens to this packet?
(A) Incorrect — Rule 2 is never reached because Rule 1 already matches and is processed first.
(C) Incorrect — Rule 3 only applies to packets that do not match any earlier rule.
(D) Incorrect — firewalls do not default to allow on rule conflicts; they apply first-match logic.
I. A stateless firewall would require a separate inbound rule explicitly allowing traffic from the website’s IP to the student’s IP on the ephemeral port.
II. A stateful firewall would automatically allow the return packet because it recognizes it as part of an established TCP session.
III. A next-generation firewall would block the return packet unless the website’s domain appears on an approved application allowlist.
(A) Incomplete — Statement II is also correct.
(B) Incomplete — Statement I is also correct.
(D) Incorrect — Statement III misrepresents how NGFWs handle return traffic.
DENY ALL rule. A new research lab needs access to an external genomics database on TCP port 8443. The IT team has not yet created a rule for this traffic. What will happen when a researcher tries to connect?(A) Incorrect — default-deny firewalls do not make exceptions based on port similarity to known services.
(B) Incorrect — standard firewalls do not generate user-facing prompts; they silently drop or reject packets.
(D) Incorrect — firewalls apply rules consistently to every packet; there is no “first attempt” exception.
(B) Incorrect — stateful firewalls specifically track connection states; that is their defining feature.
(C) Incorrect — all firewalls can filter by port number; this is a basic capability.
(D) Incorrect — firewalls clearly distinguish traffic direction; outbound rules are separate from inbound.
(B) Incorrect — Rule 1 (DENY ALL) blocks everything; Rules 2 and 3 are never evaluated.
(C) Incorrect — Rule 1 allows ANY source, which includes students. The student DENY in Rule 2 is never reached because Rule 1 already matched.
(D) Incorrect — Rule 2 allows ANY source after the student deny, which means any non-student IP (including guest, IoT, etc.) can access payroll.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]