Deployment of Local DMZ Policy Rule

C.

When deploying a local DMZ (Demilitarized Zone) on a Cisco Next-Generation Firewall (NGFW) through the Cisco Firepower Management Center (FMC) GUI, the default policy rule that is included is option B, which is "deny ip any."

A DMZ is a network segment that is isolated from the internal network and the internet. It contains services that need to be publicly accessible, such as web servers, email servers, and FTP servers. The purpose of a DMZ is to add an extra layer of security to the network by keeping these services separate from the internal network and limiting access to them.

When deploying a local DMZ on a Cisco NGFW, the default policy rule is to deny all traffic to and from the DMZ segment. This means that no traffic is allowed from the DMZ to the internal network or from the internet to the DMZ unless explicitly allowed by policy rules.

Option A, which is a default DMZ policy for which only a user can change the IP addresses, is not included in the deployment of a local DMZ during the initial deployment of a Cisco NGFW through the Cisco FMC GUI. This option may be customized by the user depending on the specific needs of their organization.

Option C, which is "no policy rule is included," is not correct. A DMZ requires policy rules to be defined in order to allow or deny traffic between the DMZ and other network segments.

Option D, which is "permit ip any," is not a secure option for a DMZ. This rule would allow all traffic to and from the DMZ, which defeats the purpose of having a DMZ in the first place. The default policy for a DMZ should always be to deny all traffic and then explicitly allow only the traffic that is necessary for the services hosted in the DMZ.