Exam 300-710 topic 1 question 20 discussion

I'm thinking D, because of "common rule" reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-intrusion.html#:~:text=Only%20the%20most%20critical%20rules%20that%20block%20traffic%20are%20enabled.

The question is poorly worded. I think everyone here knows the differences. Just the question was written in a way to confuse people. Default should be Balanced. Only if you want minimum disruptions - go with Connectivity. As a start, you should do it in Balanced + IDS mode. Bad wording for a questio.

In this context, A. Balanced Security and Connectivity is indeed the best choice, as it provides a balance between security and allowing network traffic, which is ideal for an initial trial phase. D. Connectivity Over Security is more focused on ensuring maximum network connectivity, possibly at the expense of security, and might not be suitable if you want to test Snort rules effectively. So, Balanced Security and Connectivity remains the recommended default policy for your scenario. If you have any further questions or need additional clarification, feel free to ask!

I think its A, balanced security over connectivity. While D does allow the majority of traffic to pass, the question ends with "by default". Answer A, Balanced Security and Connectivity, is the default and still allows most traffic to pass.

Answer A As the Connectivity Over Security policy does prioritize allowing network traffic to pass with minimal restrictions. However, for testing common Snort rules while still maintaining a reasonable level of security, the Balanced Security and Connectivity policy is generally more appropriate. It strikes a good balance between security and performance, ensuring that you can test the rules effectively without compromising too much on security. If the primary goal is to ensure maximum network traffic flow with minimal interference, then Connectivity Over Security could be considered. However, this might not provide enough security controls to effectively test the Snort rules.

The default policy that should be used in this scenario is "Balanced Security and Connectivity". This policy provides a balanced approach to security and network connectivity, allowing common traffic to pass while still detecting threats using a set of predefined rules, including common Snort rules. The "Security Over Connectivity" and "Maximum Detection" policies are more restrictive and may block legitimate traffic, while "Connectivity Over Security" is less secure and may allow malicious traffic to pass.

For testing

This should be a "No-Brainer" but I am really surprised so many think A is the answer. The answer is 100% Text Book - D. connectivity over security. It's the text book use case.

I'd go with A because based on the article "Balanced Security and Connectivity" is a good starting point: "These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types. The system uses the Balanced Security and Connectivity network analysis policy as the default." The question states that the engineer is setting up a new deployment so there you go. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-intrusion.html

The Connectivity Over Security policy prioritizes network connectivity over security and allows traffic to pass through with a minimal number of intrusion detection rules applied. This would be appropriate for testing common Snort rules while still allowing most network traffic to pass through. However, it is important to note that this policy may not provide the highest level of security and should only be used for testing purposes. It is recommended to use a policy that provides a balance between security and connectivity or prioritizes security once the testing phase is complete

Key word here is default settings. By using the "Balanced Security and Connectivity" policy as a starting point, the organization can test common Snort rules while still allowing most traffic to pass, and then adjust the policy as needed based on the results of the testing and the specific needs of the organization.

These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types. The system uses the Balanced Security and Connectivity network analysis policy as the default.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html

The answer should be 'A', Balanced is a good starting point, this is noted in the question.

Correct answer is: D

The key phrase is "allowing the majority of network traffic to pass" so I will go with Connectivity over Security

Balanced Security and Connectivity – A compromise of speed and detection Connectivity over Security – Used when connectivity is more important. Only the most critical rules are enabled Security over Connectivity – When connectivity is the secondary concern. Enables most rules. May result in higher false positives Maximum detection – Every rule is turned on, and will likely result in false positives. Best to only use this for labs and testing No Rules Active – All rules are disabled. Would generally only be used as a template