How to Solve Firewall Configuration PBQs on Security+

Firewall configuration PBQs test your ability to create, modify, and troubleshoot access control rules. This guide teaches you the systematic approach to building ACLs that meet security requirements while maintaining business functionality.

What Is a Firewall Configuration PBQ?

Firewall configuration PBQs present you with a scenario describing network security requirements and ask you to build or modify access control list (ACL) rules to meet those requirements. You'll work with a simulated firewall interface where you create rules specifying source IPs, destination IPs, ports, protocols, and actions (allow/deny).

These questions test whether you understand how firewalls actually work—not just the theory, but the practical skill of translating security policies into working rules. You might be asked to:

  • Create rules to allow specific traffic while blocking everything else
  • Implement a DMZ configuration with appropriate access controls
  • Troubleshoot why legitimate traffic is being blocked
  • Configure rules that follow the principle of least privilege
  • Order rules correctly so they process in the intended sequence

Rule Order Matters

Firewalls process rules top-to-bottom and stop at the first match. A common exam trap is placing a broad "deny all" rule before specific "allow" rules, which blocks everything. Always place specific rules before general rules.

The 5-Step Method for Firewall PBQs

Firewall PBQs can seem overwhelming with multiple requirements. Break them down systematically:

1. Identify the traffic flows. Read the scenario and list every connection that needs to happen. Web server needs to be accessible from the internet on port 443. Database server needs to accept connections from the web server on port 3306. Admins need SSH access from the internal network.
2. Determine the zones. Identify which systems are in which network zones: Internet (untrusted), DMZ (semi-trusted), Internal (trusted). Traffic rules differ based on zone boundaries.
3. Apply least privilege. For each required flow, create the most specific rule possible. Don't allow "any" source when you can specify a subnet. Don't allow "any" port when you only need 443.
4. Order rules correctly. Place specific rules first, general rules last. Deny rules that block specific threats go before broad allow rules. The implicit "deny all" at the bottom catches everything else.
5. Verify with the scenario. Walk through each requirement and trace the traffic through your rules. Does the first matching rule produce the correct action? Check for gaps and conflicts.

Common Firewall Rule Patterns

The Security+ exam expects you to recognize and implement these standard configurations:

Web Server Access

Allow inbound HTTP/HTTPS from any source to the web server, but nothing else.

ALLOW TCP ANY → 10.0.1.50:443
DENY ANY ANY → 10.0.1.50

Database Isolation

The database only accepts connections from the application tier, never directly from the internet.

ALLOW TCP 10.0.1.0/24 → 10.0.2.10:3306
DENY ANY ANY → 10.0.2.10

Management Access

SSH/RDP only from specific admin workstations or jump boxes.

ALLOW TCP 10.0.0.5 → ANY:22
DENY ANY ANY → ANY:22

Outbound Filtering

Internal hosts can browse the web but cannot use unauthorized protocols.

ALLOW TCP 10.0.0.0/8 → ANY:80,443
DENY TCP 10.0.0.0/8 → ANY:ANY

Understanding ACL Syntax

While the exam uses a simplified interface, understanding the logic behind ACL syntax helps you think through problems correctly. Every firewall rule has the same basic components:

Action — What to do when traffic matches: ALLOW (permit) or DENY (block). Some firewalls also support LOG to record matching traffic without blocking it.

Protocol — The network protocol: TCP, UDP, ICMP, or ANY. Web traffic is TCP. DNS uses both TCP and UDP. Ping uses ICMP.

Source — Where the traffic originates. Can be a single IP (10.0.0.5), a subnet (10.0.0.0/24), or ANY for all sources.

Destination — Where the traffic is going. Same format as source.

Port — The service port number. HTTP is 80, HTTPS is 443, SSH is 22, RDP is 3389, MySQL is 3306. Can specify a single port, range (1024-65535), or ANY.

Walkthrough: Building a DMZ Firewall Policy

Let's work through a realistic scenario. A company has a web server in the DMZ that needs to be publicly accessible and must connect to an internal database. Administrators need SSH access from the internal network only.

ACL Configuration — Perimeter Firewall
Create rules to meet all security requirements

#  Action  Proto  Source       Destination  Port  Description
1  ALLOW   TCP    ANY          10.0.1.50    443   Public HTTPS to web server
2  ALLOW   TCP    ANY          10.0.1.50    80    Public HTTP (redirects to HTTPS)
3  ALLOW   TCP    10.0.1.0/24  10.0.2.10    3306  DMZ web server to internal DB
4  ALLOW   TCP    10.0.2.0/24  10.0.1.50    22    Admin SSH from internal only
5  DENY    ANY    ANY          10.0.2.0/24  ANY   Block internet to internal network
6  DENY    ANY    ANY          ANY          ANY   Implicit deny all (default)

Analysis

Rules 1-2: Allow public web access to the DMZ web server (10.0.1.50). We allow both 80 and 443 so HTTP requests can be redirected to HTTPS.

Rule 3: The web server needs to query the database. We allow only port 3306 (MySQL) from the DMZ subnet (10.0.1.0/24) to the database server (10.0.2.10)—not the reverse.

Rule 4: Administrators need SSH access to the web server, but only from the internal network (10.0.2.0/24). External SSH attempts will hit rule 6.

Rule 5: Explicit deny preventing any direct internet access to the internal network (10.0.2.0/24). Even if we missed something above, this catches it.

Rule 6: The implicit deny-all ensures anything not explicitly permitted is blocked. This is defense in depth.

Why this order matters: The specific allows must come before the broad denies. If rule 5 came first, it would block the legitimate database connection in rule 3.
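To make step 5 of the method (verify with the scenario) concrete, here is a small first-match ACL evaluator, added as an example and not part of the original guide. It loads the six rules from the walkthrough table, traces the scenario's flows to see which rule decides each one, and then moves rule 5 to the top to show the ordering trap described above. The test flows and the internet address 203.0.113.7 are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# action: ALLOW/DENY; proto: TCP/UDP/ICMP/ANY; src/dst: IP, CIDR or ANY; port: n, lo-hi or ANY
Rule = namedtuple("Rule", "action proto src dst port desc")

def _ip_match(field, ip):
    # A bare IP is treated as a /32 network; ANY matches every address.
    return field == "ANY" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)

def _port_match(field, port):
    if field == "ANY":
        return True
    lo, _, hi = field.partition("-")          # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def first_match(rules, proto, src, dst, port):
    """Top-to-bottom, first match wins; returns (1-based rule number, action), or the implicit deny."""
    for n, r in enumerate(rules, 1):
        if (r.proto in ("ANY", proto) and _ip_match(r.src, src)
                and _ip_match(r.dst, dst) and _port_match(r.port, port)):
            return n, r.action
    return None, "DENY"                        # nothing matched: implicit deny all

# The six perimeter rules from the walkthrough table, in the order shown.
PERIMETER = [
    Rule("ALLOW", "TCP", "ANY", "10.0.1.50", "443", "Public HTTPS to web server"),
    Rule("ALLOW", "TCP", "ANY", "10.0.1.50", "80", "Public HTTP (redirects to HTTPS)"),
    Rule("ALLOW", "TCP", "10.0.1.0/24", "10.0.2.10", "3306", "DMZ web server to internal DB"),
    Rule("ALLOW", "TCP", "10.0.2.0/24", "10.0.1.50", "22", "Admin SSH from internal only"),
    Rule("DENY", "ANY", "ANY", "10.0.2.0/24", "ANY", "Block internet to internal network"),
    Rule("DENY", "ANY", "ANY", "ANY", "ANY", "Deny all (default)"),
]

# Constructed flows for "verify with the scenario": (proto, src, dst, dport). 203.0.113.7 is an internet host.
FLOWS = {
    "internet -> web HTTPS": ("TCP", "203.0.113.7", "10.0.1.50", 443),
    "web server -> DB MySQL": ("TCP", "10.0.1.50", "10.0.2.10", 3306),
    "internal admin SSH": ("TCP", "10.0.2.20", "10.0.1.50", 22),
    "internet SSH to web": ("TCP", "203.0.113.7", "10.0.1.50", 22),
    "internet -> DB direct": ("TCP", "203.0.113.7", "10.0.2.10", 3306),
}

def verify(rules):
    """Trace every scenario flow and report which rule decides it."""
    return {name: first_match(rules, *flow) for name, flow in FLOWS.items()}

def misordered():
    """The exam trap: the broad deny (rule 5) moved to the top shadows rule 3."""
    return [PERIMETER[4]] + PERIMETER[:4] + [PERIMETER[5]]
```

With the rules in the table's order, the external SSH attempt falls through to rule 6 and the direct internet-to-database attempt is stopped by rule 5; with rule 5 moved to the top, the web server's MySQL connection is denied by that rule before rule 3 is ever reached.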

Common Mistakes to Avoid

These errors cost points on the exam:

  • Using ANY when you should be specific — If the requirement says "web server," specify its IP, not ANY destination
  • Forgetting rule order — A deny rule placed too early blocks traffic you meant to allow
  • Confusing source and destination — For inbound web traffic, the internet is the source, your server is the destination
  • Missing protocols — TCP and UDP are different. DNS needs UDP 53 for queries, TCP 53 for zone transfers
  • Blocking return traffic — Stateful firewalls handle this automatically, but know that responses need a path back
  • Overly permissive rules — "Allow any any" solves connectivity but fails security requirements
  • Not reading the full scenario — Requirements often have multiple parts. Check each one against your rules.

Port Numbers You Must Know

The exam expects instant recall of common ports. Here are the ones that appear most frequently in firewall PBQs:

Web Services: HTTP (80), HTTPS (443). Always allow 443 for secure web traffic; 80 is often allowed only for redirect.

Email: SMTP (25), SMTPS (465/587), POP3 (110), POP3S (995), IMAP (143), IMAPS (993).

File Transfer: FTP (20/21), SFTP (22), FTPS (989/990), SMB (445).

Remote Access: SSH (22), RDP (3389), Telnet (23—should be blocked).

Database: MySQL (3306), PostgreSQL (5432), MSSQL (1433), Oracle (1521).

DNS & Directory: DNS (53), LDAP (389), LDAPS (636), Kerberos (88).

Monitoring: SNMP (161/162), Syslog (514), NTP (123).

Frequently Asked Questions

What is a firewall configuration PBQ on the Security+ exam?

A firewall configuration PBQ gives you a network scenario with specific security requirements and asks you to create or modify firewall rules (ACLs) to meet those requirements. You'll typically work with a simulated interface to specify source IPs, destination IPs, ports, protocols, and allow/deny actions.

How are firewall rules processed?

Firewall rules are processed top-to-bottom. When traffic arrives, the firewall checks each rule in order and applies the first matching rule. This is why rule order matters—a broad deny rule placed before specific allow rules will block traffic you intended to permit.

What does implicit deny mean?

Implicit deny means that any traffic not explicitly allowed by a rule is automatically blocked. Most firewalls have an invisible "deny all" rule at the bottom of the rule list. This is a security best practice—you define what's allowed, and everything else is denied by default.

Should I memorize port numbers for the Security+ exam?

Yes. The exam expects you to know common service ports without reference material. At minimum, memorize HTTP (80), HTTPS (443), SSH (22), RDP (3389), DNS (53), SMTP (25), FTP (21), and common database ports. Port knowledge is essential for firewall PBQs.