The correct answer is B. A Positive Control Model is allow-list oriented: the administrator explicitly permits approved traffic or behavior, and everything else is blocked by default or by cleanup. This is the classic firewall access-control model and is stronger for minimizing attack surface. A Negative Control Model is block-list oriented: the system blocks known bad or unwanted traffic while allowing what is not explicitly blocked. This model is common in controls such as Application Control, URL Filtering, and Threat Prevention categories where known applications, sites, malware, bots, or exploit signatures are identified and blocked. Option A reverses and distorts the model. Option C reverses the definitions. Option D is nonsense and not a technical security model. The exam lesson is that firewall Access Control is primarily positive-control driven, while many inspection/prevention features use negative-control logic against known bad categories or signatures. Reference topics: Security Policy Management, Access Control design, Cleanup Rule, allow-list versus block-list enforcement.