Exam 300-710 topic 1 question 60 discussion

I believe the answer may be D https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_site_to_site_vpns.html#:~:text=When%20you%20want%20to%20bypass%20the%20inspection%20of%20decrypted%20traffic%2C%20follow%20these%20steps%20to%20enable%20the%20sysopt%20connection%20permit%2Dvpn%20option

"If you use FTD on FP4100/9300 and want the flow to completely bypass the Snort inspection then consider the Prefilter rule with Fastpath action (see the related section in this document)" https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#toc-hId--311118177

the correct answer is C. Configure the Cisco Firepower devices to ignore the VPN traffic using prefilter policies. Prefilter policies are specifically designed to handle scenarios like this, where you want to bypass deeper inspection for certain types of traffic, such as VPN traffic, to conserve resources. Option A, configuring the devices to bypass access control policies for VPN traffic, would not achieve the same result because access control policies are not designed to handle the bypassing of inspection processes in the same way prefilter policies do.

key "not wasting resources on inspecting the VPN traffic" prefilter is right before ACP, thus to save resources, prefilter is much effective although ACP is doing same but happens after prefilter. 5-Tuple ACL -- prefilter is recommended by Cisco. google 5 tuple with prefilter.

Option C will be correct IF Site-to-site VPN traffic that is going through the device. That is, the device is not an endpoint in the VPN topology. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html#id_23357:~:text=Site%2Dto%2Dsite%20VPN%20traffic%20that%20is%20going%20through%20the%20device.%20That%20is%2C%20the%20device%20is%20not%20an%20endpoint%20in%20the%20VPN%20topology. Flows cannot be offloaded if IPsec and TLS/DTLS VPN connections that terminate on the device https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html#id_23357:~:text=IPsec%20and%20TLS/DTLS%20VPN%20connections%20that%20terminate%20on%20the%20device So I will choose A which is the easiest way to bypass VPN traffic for inspection.

I would choose A

Just configure ACP to "Trust" and the traffic will not be inspected

A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic. By configuring the Cisco Firepower devices to bypass the access control policies for VPN traffic, the devices will not perform security inspection on the VPN traffic, which will help to conserve resources. This can be done by creating an access control rule that matches the VPN traffic and then setting the action to "Trust". This will allow the traffic to bypass the access control policies and not consume resources.

A : inside VPN S2S config (tunnel) can you find option "Access Control for VPN Traffic" - Bypass Access Control policy for decrypted traffic (sysopt permit-vpn), that is it !!

A is correct answer. Check the following article. https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/prefiltering_and_prefilter_policies.html#id_31063 According to the article there are limitations to what type of traffic can be offloaded to fastpath. In the above article it is stated that "IPsec and TLS/DTLS VPN connections that terminate on the device" cannot be offloaded.

I agree with C. Prefilter policies fit what is asked better I think

C is more appreciate an answer

Its either A or C - im going for C. The problem with A is that if we bypass ACPs, then we not only bypass inspection, but also "ACL" control of traffic - entire encryption domains will be allowed. My problem with C is the use of the word "ignore". We do not want to "ignore" the VPN traffic, we just want to pass it though without inspection. C seems to be more correct - im guessing "ignore" is supposed to mean "ignore inspection" - terrible phrasing once more from Cisco.

Could be A or C. 50/50 chance here