
CISSP Practice Question: Firewall Rule Allowed Too Much


A Note Before You Begin

This is not about remembering port numbers or which protocol does what. This is about proving you understand the role of network security in enforcing business intent. When you configure a firewall, you're not just opening ports—you’re defining trust. You're drawing the line between exposure and resilience.

That’s why the CISSP exam tests your ability to interpret policy, not just traffic.


Stay sharp!

Luke Ahmed


Rymar Tech’s internal security audit revealed that a perimeter firewall rule allowed inbound traffic to a legacy server using any source IP and any source port, as long as it was destined for TCP port 8443. Although no breach occurred, the auditor flagged the rule as a critical misconfiguration. The rule was originally added to meet a time-sensitive vendor requirement.


As the security manager, what should you recommend to align firewall configurations with long-term security policy?

A. Require quarterly firewall rule reviews by the operations team

B. Remove the rule immediately and block all vendor access until the risk is reassessed

C. Replace the rule with a limited allowlist of vendor IP addresses and source ports

D. Establish a formal firewall change control process with approval and expiration dates


Think Like a Manager

This is not about rewriting a single rule. It’s about fixing the process that allowed a risky rule to go live without oversight. The exam is asking if you understand the difference between tactical fixes and long-term governance.

A CISSP doesn’t just plug holes. They close the valve upstream.


Why the Other Choices Fall Short

A. Quarterly reviews are helpful, but they’re too infrequent and reactive to catch critical changes before they become a risk. Review is not prevention.

B. Removing the rule without context could disrupt business. Security has to be part of the solution, not an obstacle. Blocking access without coordination invites conflict, not compliance.

C. Limiting IPs is a technical improvement, but it's still tactical. It doesn’t solve the policy failure that allowed the risky rule in the first place.


CISSP Core Concept: Process over Panic

Security is not just what’s configured. It’s how configuration changes are approved, tracked, and reviewed. A firewall rule should never be created in a vacuum. There should be a request, a justification, a risk assessment, and an expiration date.

That is how you scale trust in an enterprise environment.

You’re not just guarding ports. You’re guarding the decision process that controls them.
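As an added illustration (not code from the original post), here is a small change-control audit that applies the policy described above to a constructed rule set: every inbound allow rule must carry an approved ticket and an expiration date, and a rule that admits any source IP on any source port, like the one in the scenario, is flagged as critical. The rule format, field names and sample values are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One inbound allow rule plus the change-control metadata the policy requires."""
    name: str
    src: str                 # source IP or CIDR, or "any"
    sport: str               # source port, or "any"
    dport: int               # destination TCP port
    ticket: Optional[str]    # approved change ticket; None if the rule was added ad hoc
    expires: Optional[date]  # date the rule must be re-justified or removed


def audit_rule(rule: Rule, today: date) -> List[str]:
    """Return findings for one rule; an empty list means the rule complies."""
    findings: List[str] = []
    # Exposure check: the scenario's audit finding was "any source IP, any source port"
    if rule.src == "any" and rule.sport == "any":
        findings.append("CRITICAL: any source IP and any source port")
    elif rule.src == "any":
        findings.append("HIGH: source IP not restricted")
    # Governance checks: every rule needs an approval record and an expiry
    if not rule.ticket:
        findings.append("POLICY: no approved change ticket")
    if rule.expires is None:
        findings.append("POLICY: no expiration date")
    elif rule.expires < today:
        findings.append(f"POLICY: rule expired on {rule.expires.isoformat()}")
    return findings


def audit_ruleset(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Map each rule name to its findings so a reviewer can act on them."""
    return {r.name: audit_rule(r, today) for r in rules}


# Constructed sample rule set (hypothetical values, not from a real firewall)
SAMPLE_RULES = [
    Rule("legacy-8443", "any", "any", 8443, None, None),
    Rule("vendor-8443", "203.0.113.10/32", "any", 8443, "CHG-0042", date(2026, 3, 31)),
    Rule("old-vendor-22", "198.51.100.7/32", "any", 22, "CHG-0017", date(2024, 1, 31)),
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES, date(2025, 6, 1)).items():
        print(name, "->", findings or ["compliant"])
```

Run against a real rule export, the same three checks turn the page's policy (request, justification, expiry) into something a reviewer can enforce on every change rather than only at a quarterly review.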
