ExamGecko
Question 97 - JN0-636 discussion


Exhibit:

You are troubleshooting a firewall filter shown in the exhibit that is intended to log all traffic and block only inbound telnet traffic on interface ge-0/0/3.

How should you modify the configuration to fulfill the requirements?

A. Modify the log-all term to add the next term action
B. Delete the log-all term
C. Add a term before the log-all term that blocks Telnet
D. Apply a firewall filter to the loopback interface that blocks Telnet traffic
Suggested answer: A

Explanation:

To modify the configuration to fulfill the requirements, you need to modify the log-all term to add the next term action. The other options are incorrect because:

B) Deleting the log-all term would prevent logging all traffic, which is one of the requirements. The log-all term matches all traffic from any source address and logs it to the system log file [1].

C) Adding a term before the log-all term that blocks Telnet would also prevent logging all traffic, because the log-all term would never be reached. The firewall filter evaluates the terms in sequential order and applies the first matching term. If a term before the log-all term blocks Telnet, then the log-all term would not match any traffic and no logging would occur [2].

D) Applying a firewall filter to the loopback interface that blocks Telnet traffic would not block inbound Telnet traffic on interface ge-0/0/3, which is another requirement. The loopback interface is a logical interface that is always up and reachable. It is used for routing and management purposes, not for filtering traffic on physical interfaces [3].

Therefore, the correct answer is A. You need to modify the log-all term to add the next term action.

The next term action instructs the firewall filter to continue evaluating the subsequent terms after matching the current term. This way, the log-all term would log all traffic and then proceed to the block-telnet term, which would block only inbound Telnet traffic on interface ge-0/0/3 [4]. To modify the log-all term to add the next term action, you need to perform the following steps:

Enter the configuration mode: user@host> configure

Navigate to the firewall filter hierarchy: user@host# edit firewall family inet filter block-telnet

Add the next term action to the log-all term: user@host# set term log-all then next term

Commit the changes: user@host# commit
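
The effect of the change can be checked with a small model of term evaluation. This is an added example, not part of the original explanation or Juniper code; the term names log-all and block-telnet come from the page, while the match conditions, the discard action and the final accept-all term are assumptions because the exhibit is not reproduced here.

```python
# Minimal model of Junos firewall-filter term evaluation (added example).
# Assumed: block-telnet matches TCP/23 and discards; an accept-all term follows.

TELNET = {"protocol": "tcp", "destination-port": 23}

def matches(term, pkt):
    """A term with no 'from' conditions matches every packet."""
    return all(pkt.get(k) == v for k, v in term.get("from", {}).items())

def evaluate(terms, pkt):
    """Return (final_action, logged) for one packet."""
    logged = False
    for term in terms:
        if not matches(term, pkt):
            continue
        then = term["then"]
        logged = logged or "log" in then
        if "next term" in then:
            continue  # flow-control action: keep evaluating later terms
        for action in ("accept", "discard", "reject"):
            if action in then:
                return action, logged
        # Only action modifiers (such as log) and no terminating action:
        # Junos applies an implicit accept and stops evaluating.
        return "accept", logged
    return "discard", logged  # implicit discard when no term terminates

def build_filter(log_all_then):
    """Build the filter with the given actions on the log-all term."""
    return [
        {"name": "log-all", "then": log_all_then},
        {"name": "block-telnet", "from": TELNET, "then": ["discard"]},
        {"name": "accept-all", "then": ["accept"]},  # assumed final term
    ]

BROKEN = build_filter(["log"])              # log-all ends evaluation
FIXED = build_filter(["log", "next term"])  # log-all falls through

# Constructed sample packets
telnet_pkt = {"protocol": "tcp", "destination-port": 23}
ssh_pkt = {"protocol": "tcp", "destination-port": 22}

if __name__ == "__main__":
    for label, flt in (("broken", BROKEN), ("fixed", FIXED)):
        for name, pkt in (("telnet", telnet_pkt), ("ssh", ssh_pkt)):
            print(label, name, evaluate(flt, pkt))
```

In the broken filter Telnet is logged and accepted, because log-all terminates evaluation with an implicit accept; with next term added, Telnet is logged and then discarded while other traffic is logged and accepted.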

Reference:

[1] log (Firewall Filter Action)

[2] Firewall Filter Configuration Overview

[3] loopback (Interfaces)

[4] next term (Firewall Filter Action)

asked 18/09/2024
Paul Pinero