Exam 300-710 topic 1 question 176 discussion

I first thought, A but it will not block subdomains. Correct answer is C https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#:~:text=DNS%20blacklisting%20with%20SI%20can%20focus%20on%20domains%20like%20%E2%80%9Ccisco.com%E2%80%9D%20without%20the%20need%20to%20worry%20about%20any%20sub%2Ddomains%20or%20changes%20in%20URL.

I will go with C because: "If you plan to use a URL object to match HTTPS traffic in an access control rule, create the object using the subject common name in the public key certificate used to encrypt the traffic. Also, the system disregards subdomains within the subject common name, so do not include subdomain information. For example, use example.com rather than www.example.com. However, please understand that the subject common name in the certificate might be completely unrelated to a web site’s domain name. For example, the subject common name in the certificate for youtube.com is *.google.com (this of course might change at any time). You will get more consistent results if you use the SSL Decryption policy to decrypt HTTPS traffic so that URL filtering rules work on decrypted traffic. Note URL objects will not match HTTPS traffic if the browser resumes a TLS session because the certificate information is no longer available. Thus, even if you carefully configure the URL object, you might get inconsistent results for HTTPS connections. "

AC with URL.

Takes 3 packets to identify url

Answer (C) would be it since the keywords of this questions are: URL + subdomains to be blocked.

In real work, we don't use DNS policy to block certain URL. Only URL filtering (or Umbrella) through FTD is doable. so my answer is A

Tricky questions as both A and C will block but with C the endpoints won't even get the DNS query so I will go with C

I'll go to C because the DNS query occurs first.

Hard requirement to not permit ANY packets from internal clients from reaching the site in the question. Regarging ACP URL Filters: "It takes 3 to 5 packets for the system to identify the application or URL in a connection. Thus, the correct access control rule might not be matched immediately for a given connection. However, once the application/URL is known, the connection is handled based on the matching rule. For encrypted connections, this happens after the server certificate exchange in the SSL handshake." https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-access.html#concept_AA0463A9912F4868B33694E7C0C5648A Means a DNS Policy with a manually-created custom list is likely it.

known bad side, Subdomains, and the packets should not go out. Actually we can achieve this in many ways but for me here, it is DNS.

The key here is " and all subdomains". Only with URL filtering can you for example filter all possible subdomains of www.badsite.com. For EX: .badsite.com will match any site with domein .badsite.com, so malware.badsite.com, crypto.badsite.com,...

an Access Control policy with URL filtering is the most appropriate solution for blocking traffic to a known malware site and its subdomains. This policy allows the network administrator to set rules that specify which traffic is allowed or denied based on factors such as source IP address, destination IP address, protocol, and URL filtering.

Therefore, while a DNS policy can be an effective tool for blocking access to certain types of sites, an Access Control Policy with URL Filtering is a more comprehensive solution for blocking access to a known malware site and ensuring that no packets from any internal client are sent to that site."

Only A is possible.

I believe C is correct - key phrase here is "known bad site"