When a Cisco IOS Zone-Based Policy Firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)

  • drop
  • log
  • forward
  • hold
  • inspect
  • copy

Explanation: The three actions that can be applied are inspect, drop, and pass.
Inspect - This action offers state-based traffic control.
Drop - This is the default action for all traffic. Similar to the implicit deny any at the end of every ACL, there is an explicit drop applied by the IOS to the end of every policy map.
Pass - This action allows the router to forward traffic from one zone to another.

Explanation: The three actions that can be applied are inspect, drop, and pass. The inspect CCP action is similar to the classic firewall ip inspect command in that it inspects traffic going through the firewall and allows return traffic that is part of the same flow to pass through the firewall. The drop action is similar to the deny parameter in an ACL. This action drops whatever traffic fits the defined policy. The pass action is similar to a permit ACL statement; traffic is allowed to pass through because it met the criteria of the defined policy statement.
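
The three actions applied to traffic classes in a single policy map, as an added configuration example that is not from the original page. The zone, ACL, class-map, policy-map, zone-pair and interface names are hypothetical.

```cisco
! Constructed example: all names below are hypothetical.
zone security INSIDE
zone security OUTSIDE
!
ip access-list extended ACL-ESP
 permit esp any any
!
! Traffic classes: each one gets exactly one action in the policy map.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM-ESP
 match access-group name ACL-ESP
class-map type inspect match-any CM-TELNET
 match protocol telnet
!
policy-map type inspect PM-IN-TO-OUT
 ! inspect: stateful, return traffic of the same flow is allowed back
 class type inspect CM-WEB
  inspect
 ! pass: forwarded like an ACL permit, with no state kept for the flow,
 ! so replies need their own OUTSIDE-to-INSIDE zone pair and policy
 class type inspect CM-ESP
  pass
 ! drop: "log" here is an option of the drop action, not an action itself
 class type inspect CM-TELNET
  drop log
 ! everything not matched above falls into class-default and is dropped
 class class-default
  drop
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```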

Exam with this question: CCNA Security Chapter 4 Exam Answers
Exam with this question: Module 10: Quiz – Zone-Based Firewalls Network Security
Exam with this question: Network Security 1.0 Practice Final Exam Answers
Exam with this question: Network Defense: Module 6.4.2 Zone-Based Firewalls Quiz
