Hi there guys,
I'm currently looking over some material for the CCSA (have been particularly aided by ExamTopics - excellent for practice exam questions and actually free, thank God) and have come across a questions regarding conflict resolution within Security Policies.
"What are the three conflict resolution rules in the Threat Prevention Policy Layers?"
"Conflict on action, conflict on exception, and conflict on settings"
After doing a bit of reading up on these conflict resolution rules, I was particularly perplexed by the description for the Conflict on Exception which reads (CCSA R80.10 guide page 407 - I know this is a bit outdated as we're at R81.10 now... maybe this has changed?):
"Conflict on exception: The exceptions for a specified scope is different between layers. The action taken will be the most liberal, or least restrictive."
Can anyone explain why, if the conflict on action opts for the most restrictive option when a conflict occurs, the conflict on exception vouches for the least restrictive option? This seems to me like it might dangerously expose the system? Any insight is greatly appreciated.
Thanks Check Mates, 🍻