Exam 350-701 topic 1 question 366 discussion

I would go with A and E sfr {fail-open | fail-close [monitor-only]} <- There's a couple different options here. The first one is fail-open which means that if the Firepower software module is unavailable, the ASA will continue to forward traffic. fail-close means that if the Firepower module fails, the traffic will stop flowing. While this doesn't seem ideal, there might be a use case for it when securing highly regulated environments. The monitor-only switch can be used with both and basically puts the Firepower services into IDS-mode only. This might be useful for initial testing or setup.

Fail-open let's traffic flow if sourcefire module is unavailable, monitor-only does not intercept traffic and makes the module to an IDS

Correct, please update website

FirePOWER IDS/IPS is designed to examine the network traffic and identify any malicious patterns (or signatures) that indicate a network/system attack. FirePOWER module works in IDS mode if the ASA's service-policy is specifically configured in monitor mode (promiscuous) else, it works in Inline mode. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-firepower-services/200451-Configure-Intrusion-Policy-and-Signature.html

The module is operating in IPS mode. This is indicated by the fact that the "mode" is specified as "fail-open", which is the default mode for IPS deployments. Traffic continues to flow if the module fails. This is also indicated by the fact that the "mode" is specified as "fail-open", which means that traffic will be allowed to pass through even if the module is not operational. The monitor-only is an alert type of config not for IDS. :)

Monitor-only means IDS. 100% sure.

It's A,E

@leowulf Agree with u