CompTIA CNX-001 Exam Practice Questions to Pass CompTIA CloudNetX Exam

Question 1

End users are getting certificate errors and are unable to connect to an application deployed in a cloud. The application requires HTTPS connection. A network solution architect finds that a firewall is deployed between end users and the application in the cloud. Which of the following is the root cause of the issue?

AThe firewall on the application server has port 443 blocked.

BThe firewall has port 443 blocked while SSL/HTTPS inspection is enabled.

CThe end users do not have certificates on their laptops.

DThe firewall has an expired certificate while SSL/HTTPS inspection is enabled.

Answer : D

When SSL inspection is turned on, the firewall intercepts and re-signs HTTPS traffic with its own certificate. If that certificate has expired, end users will see certificate errors even though port 443 is open and the backend application's certificate is valid.

Question 2

A network architect must ensure only certain departments can access specific resources while on premises. Those same users cannot be allowed to access those resources once they have left campus. Which of the following would ensure access is provided according to these requirements?

AEnabling MFA for only those users within the departments needing access

BConfiguring geofencing with the IPs of the resources

CConfiguring UEBA to monitor all access to those resources during non-business hours

DImplementing a PKI-based authentication system to ensure access

Answer : B

By defining an IP-based geofence around the on-premises network addresses where those resources reside, you ensure that only users connecting from inside the campus IP ranges can reach them. As soon as the same users leave that network (and thus fall outside the geofenced IP block), access is automatically denied.

Question 3

A company has a 40Gbps network that uses a network tap to inspect the traffic using an IDS. The IDS usually performs normally except when the servers are downloading patches from their local update repository 10.10.10.139 using HTTPS. During the patch windows, the IDS cannot handle the extra load and drops a significant number of packets. Which of the following would allow a network engineer to prevent this issue without compromising the network visibility?

AConfiguring the IDS to ignore traffic from 10.10.10.139

BUsing PF_RING offload to filter out 'host 10.10.10.139 and port 443'

CAdding a 'dst host 10.10.10.139' BPF on the tap

DScheduling a cron job to stop the IDS service during the patch window

Answer : C

By applying a Berkeley Packet Filter to drop only the HTTPS patchrepo traffic before it reaches the IDS, you relieve the processing burden during patch windows while preserving full visibility for all other flows. This avoids reconfiguring the IDS itself or losing visibility across the rest of the network.

Question 4

A network administrator must connect a remote building at a manufacturing plant to the main building via a wireless connection. Which of the following should the administrator choose to get the greatest possible range from the wireless connection? (Choose two.)

A2.4GHz

B5GHz

C6GHz

DOmnidirectional antenna

EPatch antenna

FBuilt-in antenna

Answer : A, E

2.4 GHz: The lower-frequency 2.4 GHz band propagates farther and better penetrates obstacles than 5 GHz or 6 GHz, giving you greater link distance.

Patch antenna: A directional (patch) antenna focuses RF energy into a narrow beam, maximizing gain and range between two fixed points -- the best for a long-haul wireless link.

Question 5

A network engineer needs to implement a cloud native solution. The solution must allow the recording of network conversation metadata of the host and appliances attached to a VPC. Which of the following will accomplish these goals with the least effort?

AEnabling network flow

BConfiguring SNMP traps

CImplementing QoS network tagging

DInstalling a cloud monitoring agent

Answer : A

Enabling VPC (or equivalent) flow logs is the native, zero-agent way to capture metadata about every network conversation, source/destination IPs, ports, protocols, bytes transferred, across both hosts and managed appliances in your virtual network. It requires minimal setup (just a checkbox or API call) and scales automatically with your VPC.

Question 6

A customer asks a MSP to propose a ZTA design for its globally distributed remote workforce. Given the following requirements:

Authentication should be provided through the customer's SAML identity provider.

Access should not be allowed from countries where the business does not operate.

Secondary authentication should be added to the workflow to allow for passkeys.

Changes to the user's device posture and hygiene should require reauthentication into the network.

Access to the network should only be allowed to originate from corporate-owned devices.

Which of the following solutions should the MSP recommend to meet the requirements?

AEnforce certificate-based authentication.
Permit unauthenticated remote connectivity only from corporate IP addresses.
Enable geofencing.
Use cookie-based session tokens that do not expire for remembering user log-ins.
Increase RADIUS server timeouts.

BEnforce posture assessment only during the initial network log-on.
Implement RADIUS for SSO.
Restrict access from all non-U.S. IP addresses.
Configure a BYOD access policy.
Disable auditing for remote access.

CChain the existing identity provider to a new SAML.
Require the use of time-based one-time passcode hardware tokens.
Enable debug logging on the VPN clients by default.
Disconnect users from the network only if their IP address changes.

DConfigure geolocation settings to block certain IP addresses.
Enforce MFA.
Federate the solution via SSO.
Enable continuous access policies on the WireGuard tunnel.
Create a trusted endpoints policy.

Answer : D

Federate the solution via SSO ensures authentication is handled by the customer's SAML identity provider.

Enforce MFA supports secondary authentication with passkeys.

Configure geolocation settings to block certain IP addresses prevents access from unauthorized countries.

Enable continuous access policies on the WireGuard tunnel forces re-authentication whenever device posture or hygiene changes.

Create a trusted endpoints policy restricts access to corporate-owned devices only.

Question 7

An administrator needs to add a device to the allow list in order to bypass user authentication of an AAA system. The administrator uses MAC filtering and needs to discover the device's MAC address to accomplish this task. The device receives an IP address from DHCP, but the IP address changes daily. Which of the following commands should the administrator run on the device to locate its MAC address?

Aipconfig /all

Bnetstat -an

Carp -a

Dnslookup

Answer : A

Running ipconfig /all on the device will display the physical (MAC) address of each network adapter, allowing you to copy the correct MAC for your allow-list entry.

CompTIA CloudNetX Certification Exam CNX-001 Practice Questions