CNX-001 CompTIA CloudNetX Exam Questions and Answers

Comprehensive and Detailed Explanation From Exact Extract:

When building infrastructure for business units that process financial transactions (such as in the retail or banking sector), the architect must first understand all relevant compliance and regulatory requirements. These may include PCI DSS, SOX, or GDPR, depending on the nature of the data and jurisdiction. These regulations influence design decisions regarding encryption, segmentation, data retention, and logging.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Compliance and Regulatory Considerations”:

“Regulatory requirements such as PCI DSS, HIPAA, and others dictate the security controls, logging, data protection, and architectural design of infrastructure handling sensitive or financial data.”

Other options:

B. Statement of Work defines project scope, but doesn't include legal/compliance mandates.

C. Business case studies illustrate value or ROI, not security or compliance needs.

D. Internal reference architectures may help with standards but are based on already defined requirements.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

“Identity as the perimeter” is a core principle of Zero Trust Architecture (ZTA). Rather than relying on traditional network-based perimeters, access is granted based on user identity and device posture. This is essential for remote users accessing cloud workloads, ensuring secure authentication regardless of physical location.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust and Identity-Centric Security”:

“Zero Trust shifts the trust boundary from the network to the user and device identity. ‘Identity as the perimeter’ ensures only verified users and devices are granted access to resources.”

Other options:

A. Secure service edge (SSE) is a broad cloud security model, but not a specific ZTA principle.

B. CASBs monitor cloud app usage, not core access authentication.

C. Principle of least privilege is a supporting concept, but not the primary perimeter defense mechanism.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A mesh topology provides multiple redundant paths between nodes. It offers the highest availability and fault tolerance by allowing communication to continue even if one or more links or nodes fail. This is especially important in rural healthcare systems where reliability and access to critical services are paramount.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Network Topologies and Redundancy Models”:

“Mesh topologies provide optimal fault tolerance and support consistent data transmission through redundant links, ideal for mission-critical systems.”

Other options:

A. Collapsed core is cost-efficient but not fully redundant.

B. Hub-and-spoke introduces a single point of failure at the hub.

D. Star also relies on a central node and is not fault tolerant.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Infrastructure as Code (IaC) templates (e.g., Terraform, CloudFormation, ARM templates) allow for automated and repeatable VM deployments with preconfigured settings, includingnetworking, without requiring console access. This approach ensures consistency, security, and compliance.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and Cloud Automation”:

“IaC enables declarative definition of cloud resources, supporting automated deployments that comply with organizational security and configuration policies.”

Other options:

B. SDKs require more complex coding and are less standardized.

C. API scripts are procedural and require manual management.

D. CLI is suitable for one-time use but not for repeatable deployments at scale.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Reference architectures are pre-defined templates or blueprints provided by vendors, standardsbodies, or industry alliances (e.g., NIST, CIS, vendor frameworks) that define recommended practices for secure and reliable infrastructure design. They help ensure alignment with compliance, security controls, and industry-recognized configurations.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Architecture Standards and Security Best Practices”:

“Reference architectures guide the implementation of secure, scalable, and compliant infrastructure. They embody industry best practices and reduce misconfiguration risks in cloud and hybrid environments.”

Other options:

B. Licensing agreements pertain to software usage rights, not security alignment.

C. SLAs define service expectations, not design standards.

D. MOUs are informal agreements between parties, not technical or security frameworks.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Layer 2 client isolation ensures that devices connected to the same wireless network (such as a guest SSID) cannot communicate with each other or other VLANs. This prevents guest users from scanning or attacking internal devices. It’s a fundamental security control for guest Wi-Fi access.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Wireless Network Segmentation and Security”:

“Client isolation prevents peer-to-peer attacks over Wi-Fi by ensuring wireless clients cannot communicate with one another, a necessary control on shared guest networks.”

Other options:

B. MAC filtering is easy to spoof and hard to manage at scale.

C. Strong passwords improve access control but don’t isolate guest traffic.

D. Captive portals add a registration layer but don’t address VLAN or broadcast isolation.

Comprehensive and Detailed Explanation From Exact Extract:

A Content Delivery Network (CDN) distributes content across geographically distributed edge locations to provide faster access and higher quality to users, especially in areas with suboptimal connectivity to central data centers. By caching and serving content from edge servers near users, CDNs reduce latency and improve streaming performance globally.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “CDN and Cloud Edge Services”:

“CDNs provide globally distributed edge nodes for content caching and delivery, ensuring low-latency, high-bandwidth access for end users regardless of their location.”

Other options:

A. Reduces quality, contrary to the stated goal.

B. DNS-based routing helps with direction but does not solve content delivery or bandwidth issues.

C. Load balancers help distribute traffic locally, but do not provide edge caching or bandwidth optimization.

Comprehensive and Detailed Explanation From Exact Extract:

nmap -A performs aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute — exactly what is required in this case. It's the most effective and commonly used tool for comprehensive network reconnaissance prior to security testing.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Scanning and Reconnaissance Tools”:

“Nmap supports comprehensive scanning options, including OS fingerprinting, service version detection, and port scanning, enabling detailed pre-penetration testing assessments.”

Other options:

A. tcpdump is for packet capture, not scanning.

C. nc (netcat) is a port scanning tool, but it lacks OS/app detection.

D. hping3 is a packet generator, not suitable for full-service scanning.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

RADIUS (Remote Authentication Dial-In User Service) is the best-fit protocol for this requirement. It supports both authentication and authorization and is widely used in Wi-Fi network environments for client device authentication using credentials stored in centralized directories such as Active Directory.

RADIUS integrates seamlessly with enterprise authentication sources and supports EAP (Extensible Authentication Protocol), making it compatible with Wi-Fi-based client devices. It also allows for role-based access control, enabling policy enforcement specific to device types (e.g., inventory scanners).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — “Authentication and Authorization Technologies”:

“RADIUS provides centralized authentication, authorization, and accounting (AAA) services and is commonly used for securing wireless access in conjunction with Active Directory.”

“Organizations use RADIUS to manage Wi-Fi authentication for user devices and enforce security policies during access attempts.”

Using a RADIUS server with 802.1X on the Wi-Fi infrastructure allows the scanners (and their users) to be authenticated against Active Directory and mapped to the correct authorization policies. TACACS+ is geared toward device management, LDAP alone doesn’t handle the Wi-Fi 802.1X handshake, and PKI by itself wouldn’t provide the user-to-device authorization flow needed. RADIUS gives you both authentication and authorization tied into AD.

Comprehensive and Detailed Explanation From Exact Extract:

According to the standard CompTIA troubleshooting methodology, once the issue has been identified and a solution has been implemented (e.g., failing over traffic to the backup link), the next logical step is to verify full system functionality. This ensures that the backup path is working as intended and that services have resumed properly for the users.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting Process”:

“After implementing the solution, it is critical to verify full system functionality to ensure the resolution has addressed the problem without causing unintended consequences.”

Other options:

A. Documenting lessons learned is the final step.

B. The plan of action should have been created before the failover.

C. Identifying the problem already occurred earlier in the scenario.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loop conditions in redundant switch topologies. It automatically disables redundant links in a controlled way, allowing one active path at a time. When a switch fails, STP recalculates and activates an alternate path. In this case, loops are detected, but no broadcast storms occurred, indicating that STP is not in place or not configured properly. Implementing STP is a low-cost and effective solution to resolve these issues.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Switching Technologies and Loop Prevention”:

“STP prevents switching loops by dynamically identifying and disabling redundant paths. When a link failure occurs, STP re-converges to restore network connectivity.”

“STP is an essential protocol in redundant Layer 2 topologies to avoid broadcast and loop issues.”

Other options:

A. A Layer 3 switch adds routing functionality but does not prevent Layer 2 loops.

B. VLANs segment broadcast domains but do not inherently prevent physical loops.

D. Tagging (e.g., VLAN tagging) helps with segmentation but not with loop prevention.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

When SSL/HTTPS inspection is enabled on a firewall, it intercepts and decrypts HTTPS traffic. This requires the firewall to present its own trusted certificate to the client device. If that certificate is expired, the client browser will display a certificate error and block access to the application. This is a common misconfiguration that breaks HTTPS communication.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “TLS/SSL Inspection and Certificate Management”:

“SSL inspection appliances must have valid certificates installed. Expired or untrusted certificates will result in browsers rejecting the HTTPS session and displaying errors to users.”

Other options:

A. Would prevent connection, but not result in certificate errors.

B. Blocked port 443 would prevent any connection, not cause cert errors.

C. Client-side certificates are not required unless mutual TLS is configured, which is not stated here.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A Web Application Firewall (WAF) is primarily used for inspecting HTTP/HTTPS requests and filtering out malicious traffic, such as SQL injection or cross-site scripting (XSS) attacks. However, WAFs do not restrict access based on geographical location by default.

To control access to the cloud-hosted application based on geographical location, the correct measure is to implement geo-restriction (geo-blocking). This technique limits access to cloud-based resources by using the source IP’s geographical origin. Geo-restriction is typically enforced at the cloud firewall or load balancer level.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Objectives:

“Cloud access control policies can enforce geo-restriction settings, ensuring applications and services are only accessible from authorized geographic regions.”

Also found under “Security Controls in Cloud Deployments” section:

“Geo-restriction uses IP geolocation data to restrict access to services based on geographic criteria, supporting compliance and security requirements.”

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Since the subnet and IPs were changed recently, and users are accessing the database through a web application, the likely issue is that DNS records have not been updated to reflect the new IP addresses. If DNS is pointing to old IPs, users will fail to reach the services even if they are up and reachable on the new subnet.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “DNS and Network Configuration Troubleshooting”:

“DNS misconfiguration is a common issue following IP address changes. If DNS entries are not updated accordingly, clients will attempt to reach services at outdated IPs.”

Other options:

A. No indication of web server misconfiguration is provided.

B. Firewall issues would affect all users, not just one.

D. The web server has a valid IP in the subnet range; no misconfiguration is indicated.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Traffic mirroring allows a copy of network traffic — including headers and payloads — to be sent to an analysis tool or appliance for deep packet inspection. This is essential for security analysis, network troubleshooting, and performance diagnostics in cloud environments.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Packet Capture and Network Flow Monitoring”:

“Traffic mirroring enables the capture of full packet data, including payloads, for forensic or performance analysis within cloud networks.”

Other options:

A. Application monitoring focuses on app-level metrics, not packet inspection.

B. Syslog is log-based, not for inspecting packets.

D. Network flows (e.g., NetFlow, VPC flow logs) provide metadata (source, destination, size) but not full packet content.

Comprehensive and Detailed Explanation From Exact Extract:

Adding video surveillance that is focused on the cabinet enhances physical security by providing monitoring, deterrence, and forensic evidence in case of unauthorized access. Video surveillance complements existing layered access controls and is a recognized best practice for protecting high-value network assets.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Physical Security Controls”:

“Video surveillance provides 24/7 monitoring and records of physical access to critical infrastructure, supporting audit and incident investigation processes.”

Other options:

A. A statement of work is administrative and does not enhance physical security.

C. CISO accompaniment is impractical and not scalable.

D. Background checks are useful but are generally a prerequisite and not a real-time security control.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Runbooks and knowledge base articles provide step-by-step instructions for resolving common issues, helping new employees quickly become productive with minimal supervision. These documents can be updated as new issues arise and serve as a foundational training and operational resource.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Operational Documentation and Knowledge Transfer”:

“Runbooks contain standardized procedures for handling recurring operational tasks. Knowledge base articles enable consistent troubleshooting and resolution with minimal oversight.”

Other options:

A. A Statement of Work (SOW) is used for defining project deliverables, not training.

C. Network diagrams are useful for understanding architecture, but not for operational procedures.

D. A mentor program can help, but it doesn’t scale or provide immediate troubleshooting steps.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Privileged Access Management (PAM) is the optimal solution to control, audit, and secure administrative access to systems and services. PAM enables role-based approval workflows, time-limited access, auditing, and credential rotation, fully aligning with the requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Identity and Access Controls”:

“Privileged Access Management allows fine-grained control over administrator-level access, supports just-in-time access provisioning, password rotation, and audit logging.”

Other options:

B. Session-based tokens allow temporary access but do not enforce policies or auditing.

C. Conditional access provides policy enforcement based on context but lacks full PAM features.

D. ACLs control access to resources but don’t manage privilege workflows or audits.

Comprehensive and Detailed Explanation From Exact Extract:

A. CI/CD pipelines — Continuous Integration and Continuous Deployment (CI/CD) pipelines allow automated and repeatable deployments of infrastructure and application code. This ensures consistency across environments and supports rapid, reliable updates to multiple environments simultaneously.

B. Public code repository — A public repository (e.g., GitHub, GitLab public projects) allows sharing code with the broader community of practice, enabling collaboration, peer review, and reuse. It supports version control and standardized deployment scripts (e.g., Terraform, Ansible).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and Automation Pipelines”:

“CI/CD pipelines enable automated, consistent deployments across environments, reducing manual configuration errors.”

“Public repositories facilitate code sharing and collaboration, supporting standardized infrastructure templates.”

Other options:

C. Deployment runbooks are static and not inherently automated.

D. Private repositories restrict sharing, conflicting with the requirement to share code.

E. Image deployment refers to server builds, not full network configuration.

F. Deployment guides are manual documents, not automation tools.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A SIEM (Security Information and Event Management) solution ingests log data from multiple sources, correlates events, detects anomalies, and generates alerts based on predefined or dynamic rules. This makes SIEM the ideal solution for centralized logging and real-time threat detection.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Monitoring and Log Correlation”:

“SIEM platforms aggregate, normalize, and analyze logs from diverse sources, providing real-time alerts and incident response support.”

Other options:

A. Syslog is a transport protocol — it doesn’t correlate or alert.

B. Event log monitoring is limited to individual systems.

C. Log management stores logs but doesn’t perform analysis or alerting.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

The local machine has the IP address 10.21.12.8 and the physical address 1A-21-11-33-44-5A.However, the ARP table shows that 10.21.12.8 is mapped to a different MAC address (1A-21-11-31-74-4C), meaning another device on the network is responding to ARP requests for the same IP. This is a clear sign of an IP address conflict, which would prevent the workstation from functioning properly on the network.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Troubleshooting IP Addressing Issues”:

“An IP conflict occurs when two devices on the same network are assigned the same IP address. Symptoms include connectivity loss, duplicate ARP entries, and inconsistent routing behavior.”

Other options:

A. Asynchronous routing refers to packets taking different return paths, which is unrelated to ARP inconsistencies.

C. DHCP server issues would affect IP assignment but are not indicated here — the workstation has an IP address assigned.

Comprehensive and Detailed Explanation From Exact Extract:

Geofencing is a network access control method that enforces restrictions based on location data. In this scenario, the organization requires access to be permitted only when users are on premises (i.e., within a specific physical location). Geofencing can be implemented using source IP ranges or GPS-based location data to define boundaries (fences). This allows access to certain applications or services only when the user is inside a designated network or area.

MFA (Option A) provides identity assurance but does not enforce physical location-based restrictions.

UEBA (Option C) provides behavioral analytics but is not used for real-time access control.

PKI (Option D) provides identity validation through certificates but is not location-aware.

Relevant Extract from CompTIA CloudNetX CNX-001 Official Study Guide:

“Geofencing allows organizations to define physical or logical boundaries that restrict or allow access based on user location. Policies can be configured to allow access only when users are on a trusted campus or corporate network, denying requests originating from outside the geofenced area.”

Covered under the topic: “Access Control Technologies and Identity Enforcement Mechanisms.”