Which statement about firewall policies versus ACL rules best reflects the material?

Firewall policies are written at a higher level of abstraction than ACLs, organizing rules by business intent and centralizing management. This makes the overall access control easier to grasp because you see what is allowed or blocked in terms of the intended outcome, not in terms of low-level details. ACL entries, by contrast, are granular and device-specific, piling up as many individual permissions with exact source/destination addresses, ports, and interfaces. As the rule set grows, it becomes harder to read, audit, and modify at a glance, which is why the statement that they are easier to understand best reflects the material. While ACLs can be very precise, their complexity often reduces clarity, whereas policy-based approaches promote readability and easier management.