The correct answers are actually C and E:
C. They block traffic based on Security Intelligence data.
Access control policies on Cisco Firepower systems can block connections based on the latest IP address, URL, and domain name reputation intelligence.
E. The system performs a preliminary inspection on trusted traffic to validate that it matches the trusted parameters.
The system performs a preliminary inspection on trusted traffic to ensure it matches the trusted parameters before allowing it through.
Option A is not correct because traffic inspection is not typically interrupted temporarily when configuration changes are deployed.
I think the key is "Access Control Policies" here.
A - "Changing the total number of intrusion policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection." This is how ACP works along with Intrusion Policy.
B - This is correct (ACL layer 3 -> SI -> ACL layer7 -> File policy -> Intrusion policy). Intrusion policy is after the file policy. However, this is NOT relevant to ACP.
C - SI can block the traffic, but this is NOT also relevant to ACP.
D - File Policy and Intrusion Policy with variable set are for Inspection. So this should be like this "Intrusion policy use an associated variable set to perform inspection."
E - Technically this is right before a packet goes into Snort from Firewall. But I count this as ACP behavior. So A and E
"... Changing the total number of intrusion policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. ..."
from this https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/getting_started_with_access_control_policies.html#ID-2176-00000027
Not B because file policy is before inspection policy
Not D because variables belong to inspection policy
Not E because there is zero inspection on trusted traffic
That leaves it with A and C.
A is correct BUT the traffic is dropped - the way they worded this it looks like traffic is permitted - no, traffic is dropped.
Still C and E are the other options for me.
C. They block traffic based on Security Intelligence data.
E. The system performs a preliminary inspection on trusted traffic to validate that it matches the trusted parameters.
C and E make the most sense to me. We're all agreed on C, but SNORT doesn't always restart when policies are deployed and it isn't a "way" that ACPs operate. A trust rule within an ACP will use parameters to specify traffic such as IP, Port, etc... The firewall does need to inspect traffic that much to see that the traffic is trusted and then allow it without further SNORT inspection.
It seems to be A and C
When deploying changes SNORT can restart causing traffic interruptions --> https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html#reference_F11C552688424DEF85ED145FA97283B7
I disagree with D because File policies don't make use of Variable sets, those are used for Intrusion policies.
The correct answer is C and D. A does not make any sense to be correct.