CNX-001 CompTIA CloudNetX Exam Questions and Answers

Firewalls → VPN tunnel down

The IPsec tunnel between on-prem Firewall 1 and cloud Firewall 2 (ipip0/ipip2) is down, so no traffic can traverse to the cloud.

Application NSG → Misconfigured rule

There’s a “block” rule for 10.3.9.0/24 → 192.2.1.0/24, preventing legitimate on-prem clients from reaching Application A.

Comprehensive and Detailed Explanation From Exact Extract:

A Web Application Firewall (WAF) is primarily used for inspecting HTTP/HTTPS requests and filtering out malicious traffic, such as SQL injection or cross-site scripting (XSS) attacks. However, WAFs do not restrict access based on geographical location by default.

To control access to the cloud-hosted application based on geographical location, the correct measure is to implement geo-restriction (geo-blocking). This technique limits access to cloud-based resources by using the source IP’s geographical origin. Geo-restriction is typically enforced at the cloud firewall or load balancer level.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Objectives:

“Cloud access control policies can enforce geo-restriction settings, ensuring applications and services are only accessible from authorized geographic regions.”

Also found under “Security Controls in Cloud Deployments” section:

“Geo-restriction uses IP geolocation data to restrict access to services based on geographic criteria, supporting compliance and security requirements.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

This scenario describes a classic example of social engineering. An attacker impersonated the help desk and convinced the user to change their password, likely to one the attacker controlled. Social engineering attacks manipulate human behavior to bypass technical security measures.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Social Engineering Threats”:

“Social engineering involves manipulating individuals to perform actions or divulge confidential information, such as passwords, often by impersonating trusted entities like IT support.”

Other options:

A. Initialization vector relates to encryption vulnerabilities.

B. On-path (formerly man-in-the-middle) requires network interception, which is not described here.

C. Evil twin is a rogue Wi-Fi AP attack, not applicable to this VPN login context.

Comprehensive and Detailed Explanation From Exact Extract:

“Identity as the perimeter” is a core principle of Zero Trust Architecture (ZTA). Rather than relying on traditional network-based perimeters, access is granted based on user identity and device posture. This is essential for remote users accessing cloud workloads, ensuring secure authentication regardless of physical location.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust and Identity-Centric Security”:

“Zero Trust shifts the trust boundary from the network to the user and device identity. ‘Identity as the perimeter’ ensures only verified users and devices are granted access to resources.”

Other options:

A. Secure service edge (SSE) is a broad cloud security model, but not a specific ZTA principle.

B. CASBs monitor cloud app usage, not core access authentication.

C. Principle of least privilege is a supporting concept, but not the primary perimeter defense mechanism.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

PF_RING is a high-performance packet capture and filtering framework that allows IDS systems to handle large volumes of traffic efficiently. By offloading and filtering out traffic that is known and trusted (such as HTTPS traffic from a patch server), the IDS can focus on analyzing critical traffic and reduce dropped packets.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Traffic Filtering and IDS Performance Optimization”:

“Advanced filtering solutions like PF_RING allow offloading of known trusted traffic, reducing processing overhead on IDS systems and improving visibility into meaningful events.”

Other options:

A. Directly configuring the IDS to ignore traffic may bypass too much, affecting visibility.

C. BPF filters on the tap itself may interfere with other systems using the tap.

D. Disabling the IDS temporarily removes all visibility — a poor security practice.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To better secure administrative interfaces, the best practice is to isolate them from the production network by connecting the management ports to a separate, dedicated management network. This prevents unauthorized access from devices or users on the production subnet and reduces the attack surface.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Securing Network Infrastructure”:

“Management interfaces should be placed on a separate out-of-band management network, providing physical and logical separation from user and data traffic.”

This ensures that only trusted devices on the management network can access the administrative interfaces.

Other options:

B. Disabling unused ports is good practice but does not address the segregation of management traffic.

C. Placing admin interfaces and production traffic on the same VLAN exposes them to potential internal threats.

D. Firmware upgrades are important for security patches but do not isolate the interface.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Network) enables private, encrypted connections over public internet links and supports policy-based routing for application-aware traffic steering. It offers centralized management, redundancy, and automatic path selection — all aligned with the stated requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Software-Defined Networking and WAN Optimization”:

“SD-WAN uses secure tunnels over the public internet, supports dynamic path selection, and provides application-aware routing, making it ideal for multi-site enterprise connectivity without dedicated links.”

Other options:

A. MPLS requires dedicated circuits and is costly.

C. Site-to-site VPN provides security but lacks intelligent traffic steering.

D. ExpressRoute is a private connection to Azure, not suited for general internet-based multi-site connectivity.

Comprehensive and Detailed Explanation From Exact Extract:

A Secure Web Gateway (SWG) provides cloud-based traffic filtering, URL filtering, SSL decryption, and content inspection without requiring traffic to be routed through an on-premises data center. It is ideal for both remote and hybrid users, enforcing security policies in a distributed environment.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud-Based Security Solutions”:

“Secure Web Gateways allow cloud-hosted decryption and inspection of web traffic, enabling policy enforcement for remote and on-campus users without backhauling traffic to the data center.”

Other options:

B. Transit gateways connect VPCs and on-prem but don’t decrypt traffic.

C. VPNs provide encrypted tunnels but don’t inspect traffic.

D. IPS inspects traffic but is usually on-prem and not cloud-hosted.

E. NAC is used for access control, not traffic inspection.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

The local machine has the IP address 10.21.12.8 and the physical address 1A-21-11-33-44-5A.However, the ARP table shows that 10.21.12.8 is mapped to a different MAC address (1A-21-11-31-74-4C), meaning another device on the network is responding to ARP requests for the same IP. This is a clear sign of an IP address conflict, which would prevent the workstation from functioning properly on the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting IP Addressing Issues”:

“An IP conflict occurs when two devices on the same network are assigned the same IP address. Symptoms include connectivity loss, duplicate ARP entries, and inconsistent routing behavior.”

Other options:

A. Asynchronous routing refers to packets taking different return paths, which is unrelated to ARP inconsistencies.

C. DHCP server issues would affect IP assignment but are not indicated here — the workstation has an IP address assigned.

Comprehensive and Detailed Explanation From Exact Extract:

According to the structured troubleshooting methodology outlined in the CNX-001 objectives, once a potential root cause is identified (in this case, a suspected firmware bug), the next step is to test the theory to confirm the cause before taking action. This helps prevent misdiagnosis and unnecessary configuration changes.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Structured Troubleshooting Methodology”:

“After identifying symptoms and forming a theory of probable cause, the next step is to test the theory to verify it is the actual cause of the problem.”

Other options:

A. Establishing a plan of action comes after confirming the cause.

C. Documenting lessons learned is the final step.

D. Implementing the solution should only occur after the issue is confirmed.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To accommodate 200 devices in IT and 2,000 devices in Sales, subnetting must allow for appropriate address allocation:

/22 provides 1,024 addresses → sufficient for IT (200 users)

/15 provides 65,536 addresses → more than sufficient for Sales (2,000 users)

Option C ensures both departments are placed in separate, appropriately sized segments within the private 10.0.0.0/8 range.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “IP Addressing and Subnetting”:

“Proper subnetting ensures sufficient host addresses and supports future growth. Network segmentation improves manageability and security.”

Other options:

A. /30 provides only 2 usable IPs — insufficient for IT.

B & D: /24 and /25 do not support 2,000 users in Sales.

B & D also misallocate resources inefficiently.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A 403 Forbidden error indicates that the request was understood by the server but is refusing to fulfill it due to insufficient authorization. The developer is attempting to call a protected API that requires valid credentials such as an access key and signature (often used in HMAC-based APIs), but the values appear as Postman variables (e.g., {{rapyd_access_key}}), which suggests they were not replaced with actual credentials.

This typically means that the request lacks proper authentication or authorization headers, or the keys/signature are incorrect or missing. The presence of access_key, signature, salt, and timestamp in the request implies the API requires authentication, but the variables were not resolved or valid.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “API Security and Authentication”:

“A 403 error typically results from failed authentication or lack of proper authorization. Developers must ensure that tokens or signatures are valid, not missing, and properly injected.”

Other options:

A. 404 is the code for a missing resource, not 403.

C. A firewall rule would block the request entirely (e.g., no response or a 0 status), not result in a 403 from the server.

D. HTTP redirection issues typically result in 3xx codes, not 403.

Comprehensive and Detailed Explanation From Exact Extract:

To meet the requirement of restricting inbound traffic and allowing outbound traffic, two components are most appropriate:

D. Firewall – A firewall enforces ingress and egress traffic policies. It can be configured to deny all inbound traffic by default and allow all outbound traffic, meeting the security policy requirement.

E. Network Security Group (NSG) – In cloud environments such as Azure, NSGs serve as virtual firewalls at the subnet or interface level. NSGs allow you to define rules that block or allow inbound and outbound traffic, and they are the preferred method for enforcing network access rules for cloud resources.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Cloud Network Security Configuration”:

“Network security groups and firewalls are key to enforcing inbound and outbound traffic restrictions in hybrid and public cloud environments.”

“NSGs are used to define network access control policies for cloud resources at the subnet or NIC level.”

Other options:

A. Application gateway controls HTTP/S traffic at Layer 7 but does not manage full access policy.

B. IPS detects/prevents malicious behavior but is not primarily used for general traffic restriction.

C. Port security restricts MAC addresses on switch ports, applicable in LANs, not cloud.

F. A screened subnet (DMZ) can provide additional isolation but is not required for basic traffic control.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A SIEM (Security Information and Event Management) solution ingests log data from multiple sources, correlates events, detects anomalies, and generates alerts based on predefined or dynamic rules. This makes SIEM the ideal solution for centralized logging and real-time threat detection.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Monitoring and Log Correlation”:

“SIEM platforms aggregate, normalize, and analyze logs from diverse sources, providing real-time alerts and incident response support.”

Other options:

A. Syslog is a transport protocol — it doesn’t correlate or alert.

B. Event log monitoring is limited to individual systems.

C. Log management stores logs but doesn’t perform analysis or alerting.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A data lake is ideal for aggregating structured and unstructured data at scale. It supports storage and analysis of logs, performance metrics, and other telemetry data from various sources. Data lakes enable advanced analytics and machine learning for decision support.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Data Aggregation and Analytics”:

“Data lakes allow storage and analysis of high-volume, diverse data types, including logs and monitoring data. They support enterprise-wide visibility and strategic decision-making.”

Other options:

A. Relational databases are optimized for structured data and are less scalable for log aggregation.

B. CDNs deliver content, not used for data aggregation.

C. CIEM (Cloud Infrastructure Entitlement Management) governs cloud permissions, not logging.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Data Loss Prevention (DLP) solutions scan messages and file transfers for sensitive data patterns, such as credit card numbers or social security numbers. DLP can block, log, or alert when such information is detected attempting to leave the organization.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Data Protection and Compliance Controls”:

“DLP systems identify and restrict the transmission of sensitive data such as credit card numbers, enforcing organizational data handling policies.”

Other options:

A. IDS detects threats but doesn’t enforce data content policies.

B. Egress filtering restricts destinations but not content.

D. Encryption protects data in transit, not its content compliance.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Adding video surveillance that is focused on the cabinet enhances physical security by providing monitoring, deterrence, and forensic evidence in case of unauthorized access. Video surveillance complements existing layered access controls and is a recognized best practice for protecting high-value network assets.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Physical Security Controls”:

“Video surveillance provides 24/7 monitoring and records of physical access to critical infrastructure, supporting audit and incident investigation processes.”

Other options:

A. A statement of work is administrative and does not enhance physical security.

C. CISO accompaniment is impractical and not scalable.

D. Background checks are useful but are generally a prerequisite and not a real-time security control.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A SIEM (Security Information and Event Management) system aggregates logs from various sources, including cloud environments, and provides real-time analytics, threat detection, and automated alerting. It integrates with cloud workloads via agents or APIs and enables centralized visibility and response capabilities.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Monitoring and Event Correlation”:

“SIEM solutions consolidate logs from multiple environments, including cloud and on-premises, providing automated detection, alerting, and correlation of security events.”

“A SIEM supports compliance and improves incident response through real-time monitoring.”

Other options:

A. IDS/IPS are used for intrusion detection/prevention but do not provide log consolidation or alert correlation.

C. Data lakes store large volumes of data but lack real-time alerting without additional tools.

D. Syslog is a protocol for log transport, not a detection and alerting mechanism.

Comprehensive and Detailed Explanation From Exact Extract:

An Allow List (also known as Whitelisting) is the most restrictive firewall rule approach. It blocks all traffic by default and only permits explicitly defined trusted IPs, URLs, or applications. This minimizes the attack surface and ensures that only known, safe traffic is allowed into the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Firewall and Security Rule Configuration”:

“Whitelisting or Allow Listing enforces a default-deny security posture by permitting only specified trusted sources. This approach offers the highest level of control and reduces exposure to unknown threats.”

Other options:

A. URL filtering restricts content access but is not as strict as allow lists.

B. File blocking targets malicious payloads but doesn’t limit traffic sources.

C. Network Security Groups (NSGs) are effective but broader in scope; they use allow/deny rules but may not be as tightly controlled as explicit allow lists.

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Networking) is ideal for enterprises that want to simplify WAN management, reduce operational overhead, and optimize connectivity to cloudservices. SD-WAN provides intelligent traffic routing, dynamic path selection, and direct-to-cloud access without backhauling traffic through a central data center.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “SD-WAN and Cloud Connectivity”:

“SD-WAN enables efficient cloud access from branch offices and simplifies management through centralized policy control. It is cost-effective and reduces the need for complex hardware configurations and manual routing.”

Other options:

B. Adds latency and overhead by backhauling through headquarters.

C. MPLS is expensive and less flexible than SD-WAN.

D. Dark fiber is high-cost and not scalable for cloud-first architectures.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing allows enforcement of access policies based on the geographic location of the user's IP address. To comply with GDPR and control access based on user region, geofencing should be implemented to restrict or permit access to resources hosted in specific regions like Europe.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Data Sovereignty and Regional Access Control”:

“Geofencing enables organizations to restrict access to data or services based on geographic IP address, aiding in GDPR and other compliance frameworks.”

Other options:

A. SASE is a broader framework, not a direct access control mechanism.

B. NSGs operate at subnet/NIC level and do not interpret geolocation.

C. CDNs cache data globally but don’t control access by region directly.

================================================