Free CompTIA CNX-001 Practice Exam with Questions & Answers | Set: 2

Comprehensive and Detailed Explanation From Exact Extract:

D includes all the key elements of Zero Trust:

MFA (Multi-Factor Authentication) supports secondary passkey-based authentication.

Geolocation settings enforce geo-restrictions.

SSO federation allows use of an existing SAML identity provider.

Continuous access policies support dynamic reauthentication based on changes in posture.

Trusted endpoint policies ensure only corporate-owned, compliant devices are allowed to connect.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Zero Trust Architecture and Identity Management”:

“ZTA enforces continuous access policies that monitor session state, posture, and user behavior.”

“Federated identity with SSO and posture-based trust evaluation are core ZTA components.”

“Geo-restrictions and trusted endpoint policies limit exposure and enforce device compliance.”

Other options:

A uses static session tokens and disables timely expiration, violating Zero Trust principles.

B allows BYOD and disables auditing, which conflicts with compliance and monitoring.

Comprehensive and Detailed Explanation From Exact Extract:

To allow private IP-based communication between internal servers and cloud applications over asite-to-site VPN, private DNS resolution is necessary. The internal DNS server can be configured to forward specific DNS queries (for cloud-based applications) to a DNS server located in the cloud. This ensures applications can be resolved to private IPs, not public ones.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Hybrid Networking and DNS Integration”:

“To support name resolution over hybrid connections like site-to-site VPN, enterprises should configure conditional forwarding to cloud-based DNS servers. This allows internal devices to resolve private IP addresses for cloud-based resources.”

Other options:

B. NAT introduces complexity and may hide source IPs, which is not required in this case.

C. Public DNS names map to public IPs, violating the requirement.

D. A proxy is not needed if direct private IP-based access is available via VPN.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

Network Access Control (NAC) evaluates the posture of a device before allowing access to the network. It can enforce security policies, authenticate users and devices, and isolate or remediate non-compliant devices. NAC is widely used in enterprise environments to secure access at the network edge, such as in guest or public areas.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Access Control and Posture Assessment”:

“NAC provides device authentication, security posture validation, and can enforce automated remediation or quarantine actions based on policy compliance.”

Other options:

A. IPS detects and prevents known threats but does not perform access control or posture checks.

B. Microsegmentation isolates workloads but lacks posture checks and auto-remediation.

Comprehensive and Detailed Explanation From Exact Extract:

A Content Delivery Network (CDN) distributes content across geographically distributed edge locations to provide faster access and higher quality to users, especially in areas with suboptimal connectivity to central data centers. By caching and serving content from edge servers near users, CDNs reduce latency and improve streaming performance globally.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “CDN and Cloud Edge Services”:

“CDNs provide globally distributed edge nodes for content caching and delivery, ensuring low-latency, high-bandwidth access for end users regardless of their location.”

Other options:

A. Reduces quality, contrary to the stated goal.

B. DNS-based routing helps with direction but does not solve content delivery or bandwidth issues.

C. Load balancers help distribute traffic locally, but do not provide edge caching or bandwidth optimization.

Comprehensive and Detailed Explanation From Exact Extract:

SD-WAN (Software-Defined Wide Area Network) enables private, encrypted connections over public internet links and supports policy-based routing for application-aware traffic steering. It offers centralized management, redundancy, and automatic path selection — all aligned with the stated requirements.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Software-Defined Networking and WAN Optimization”:

“SD-WAN uses secure tunnels over the public internet, supports dynamic path selection, and provides application-aware routing, making it ideal for multi-site enterprise connectivity without dedicated links.”

Other options:

A. MPLS requires dedicated circuits and is costly.

C. Site-to-site VPN provides security but lacks intelligent traffic steering.

D. ExpressRoute is a private connection to Azure, not suited for general internet-based multi-site connectivity.

Comprehensive and Detailed Explanation From Exact Extract:

Runbooks and knowledge base articles provide step-by-step instructions for resolving common issues, helping new employees quickly become productive with minimal supervision. These documents can be updated as new issues arise and serve as a foundational training and operational resource.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Operational Documentation and Knowledge Transfer”:

“Runbooks contain standardized procedures for handling recurring operational tasks. Knowledge base articles enable consistent troubleshooting and resolution with minimal oversight.”

Other options:

A. A Statement of Work (SOW) is used for defining project deliverables, not training.

C. Network diagrams are useful for understanding architecture, but not for operational procedures.

D. A mentor program can help, but it doesn’t scale or provide immediate troubleshooting steps.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

nmap -A performs aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute — exactly what is required in this case. It's the most effective and commonly used tool for comprehensive network reconnaissance prior to security testing.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Security Scanning and Reconnaissance Tools”:

“Nmap supports comprehensive scanning options, including OS fingerprinting, service version detection, and port scanning, enabling detailed pre-penetration testing assessments.”

Other options:

A. tcpdump is for packet capture, not scanning.

C. nc (netcat) is a port scanning tool, but it lacks OS/app detection.

D. hping3 is a packet generator, not suitable for full-service scanning.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

A. CI/CD pipelines — Continuous Integration and Continuous Deployment (CI/CD) pipelines allow automated and repeatable deployments of infrastructure and application code. This ensures consistency across environments and supports rapid, reliable updates to multiple environments simultaneously.

B. Public code repository — A public repository (e.g., GitHub, GitLab public projects) allows sharing code with the broader community of practice, enabling collaboration, peer review, and reuse. It supports version control and standardized deployment scripts (e.g., Terraform, Ansible).

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “Infrastructure as Code and Automation Pipelines”:

“CI/CD pipelines enable automated, consistent deployments across environments, reducing manual configuration errors.”

“Public repositories facilitate code sharing and collaboration, supporting standardized infrastructure templates.”

Other options:

C. Deployment runbooks are static and not inherently automated.

D. Private repositories restrict sharing, conflicting with the requirement to share code.

E. Image deployment refers to server builds, not full network configuration.

F. Deployment guides are manual documents, not automation tools.

================================================

Comprehensive and Detailed Explanation From Exact Extract:

To accommodate 200 devices in IT and 2,000 devices in Sales, subnetting must allow for appropriate address allocation:

/22 provides 1,024 addresses → sufficient for IT (200 users)

/15 provides 65,536 addresses → more than sufficient for Sales (2,000 users)

Option C ensures both departments are placed in separate, appropriately sized segments within the private 10.0.0.0/8 range.

Relevant Extract from CompTIA CloudNetX CNX-001 Study Guide — under “IP Addressing and Subnetting”:

“Proper subnetting ensures sufficient host addresses and supports future growth. Network segmentation improves manageability and security.”

Other options:

A. /30 provides only 2 usable IPs — insufficient for IT.

B & D: /24 and /25 do not support 2,000 users in Sales.

B & D also misallocate resources inefficiently.

================================================