Exam 300-710 topic 1 question 181 discussion

i have no idea about "inspection policy". in this situation, the reason that blocks dns query is definitely ACP or intrusion policy. I choose A.

Same question question as 301 where the packet-capture is not an option so the correct answer is B.

This question is a crazy since the wording sucks. The question will try to trick you to pick the capture tool using for troubleshooting based on the so called key word "real packets". Well, the connection event viewer uses real packets as well but with a delay of 5 min I guess (default settings). To answer the question in real live scenarios, most of us will go first on the connection event viewer to see what is dropping in particular and from there adjust the ACP. So, as a result I will go for answer (B) as well, since this might be a regular way to troubleshoot, first. As an addition to that you still might want to use the packet capture to analyze "real TIME* traffic.

Troubleshooting Steps: 1-Event Logging 2-Check Traffic Flow 3-Debugging 4-Buffer Logging So this should be starting at the connection events first. So I'd go with - B.

The key words "Real Packets" makes me think packet capture. I'd go with A.

Artificial Intelligence says "A" gathered from 40 sources: "The engineer should use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed. This is option A. The packet capture tool can be used to capture and analyze real DNS packets to determine where the traffic is being blocked. Once the source of the blockage is identified, the engineer can adjust the access control or intrusion policy as needed to allow DNS traffic to pass through to the servers in the DMZ."

B sounds like the very first step you would take and will tell you why the packet was dropped and the rule that dropped it. Its the one that makes the most sense.

Of course, B, do you want to make your life easier when it comes to troubleshooting? You only need to look at the event logs to discover what happened to the session.

A - A Pcap doesn't tell me which rule is dropping the packet B - Connection events helps to diagnose, but it is likely an ACP (not Inspection) that needs adjusting if ALL DNS requests are hampered. D - lol C - Packet tracer will show whether it's a NAT issue or ACP block issue or route issue.

You can use packet capture tool due "The hosts cannot send DNS queries to servers in the DMZ" The answer is B

Hmmm, I though B at first but now I lean towards A-- as I would check the connection event log first to see what was going on.....but then I re-read the question. It states adjusting the inspection policy in result of the observation. Do they mean the Intrusion inspection or the Access control list? so much ambiguity- I never want to work with these people, ambiguity is one of my pet peeves!

You can see block action in connection events. Example: Reason: URL Block Sec. Inteligence category: URL Malicious . So connections events

A. Use the packet capture tool to check where the traffic is being blocked and adjust the access control or intrusion policy as needed. Using the packet capture tool on the Cisco FTD device is an effective method for troubleshooting connectivity issues. By capturing packets and analyzing them, the engineer can identify where the traffic is being blocked and adjust the access control or intrusion policy as needed. In this case, capturing the real DNS packets can help determine if the packets are being blocked by the FTD device or if there is an issue with the DNS server itself. Once the issue is identified, the engineer can make necessary adjustments to the device policies to allow the traffic to flow properly.

B is correct. You cannot see in a packet-capture why the packet has been dropped. Packet-Tracer sends a real packet, but its not the real DNS-Packet and also doesnt show the reason for beeing blocked if it is a security-intelligence or reputation/category deciscion

I would go for A, since there is a trace option you can choose and you would use the real packet. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc34