The correct answer is C. The default implicit cleanup action in modern Check Point policy layers is Drop. The implicit cleanup rule is created automatically when a layer is created and is applied when none of the explicit or implied rules in the layer match. Administrators can configure the implicit cleanup action in layer settings, but the secure default for gateways in modern releases is Drop because firewall policies are normally based on a whitelist/positive-control model. Option A is wrong because logging is tracking behavior, not the cleanup enforcement action. Option B is wrong because Reject is not the default implicit cleanup action. Option D is insecure as a default for most firewall layers and is not the default tested here. Best practice is still to add an explicit cleanup rule at the bottom of each Ordered Layer so unmatched traffic handling is visible and loggable. Reference topics: Implicit Cleanup Rule, default Drop action, Ordered Layers, Inline Layers.