An engineer is troubleshooting application failures through an FTD deployment. While using the FMC CLI, it has been determined that the traffic in question is not matching the desired policy. What should be done to correct this?
A.
Use the system support firewall-engine-debug command to determine which rules the traffic is matching and modify the rule accordingly.
B.
Use the system support firewall-engine-dump-user-identity-data command to change the policy and allow the application through the firewall.
C.
Use the system support application-identification-debug command to determine which rules the traffic is matching and modify the rule accordingly.
D.
Use the system support network-options command to fine tune the policy.
Correct answer: A. Use the system support firewall-engine-debug command to determine which rules the traffic is matching and modify the rule accordingly.
If traffic is not matching the desired policy, the engineer should use the system support firewall-engine-debug command to determine which rules the traffic is actually matching and then modify the rule accordingly. This command traces a flow through access control policy evaluation, showing the rules the flow is evaluated against, the rule it finally matches and the resulting action, which makes it the direct way to find a mis-ordered or mis-scoped rule in the policy configuration.
Option B, using the system support firewall-engine-dump-user-identity-data command, is not relevant to this scenario. It dumps the user-to-IP identity mappings held by the firewall engine; it does not change the policy and it does not show policy matching.
Option C, using the system support application-identification-debug command, is used for debugging application identification (which application the detectors assign to a flow). That can be useful when the question is why an application is mis-classified, but it is not designed to show which access control rule a flow is hitting.
Option D, using the system support network-options command, is not relevant to this scenario. It adjusts network settings and is not a tool for troubleshooting policy matching.
The system support firewall-engine-debug command (Option A) is the correct choice because it directly identifies the specific rules the traffic is hitting, which is what the engineer needs in order to modify the rules so that the traffic matches the desired policy.
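As an added illustration of what you do with the debug output once you have it (this is not Cisco code and not part of the original question or explanation): on the FTD CLI the command prompts for an IP protocol, client IP/port and server IP/port so that only the flow of interest is traced, and every output line is prefixed with the flow's 5-tuple followed by an event such as "pending rule order N, 'Name', AppId" or "match rule order N, 'Name', action X". The script below parses a pasted capture in that format and reports, per flow, the rule that finally matched and which flows did not hit the rule the engineer expected. The sample lines are constructed for the example and are modelled on that line format; they were not captured from a real device, and the rule names are assumed.

```python
import re

# Constructed sample, modelled on the line format of
# `system support firewall-engine-debug` (5-tuple prefix, then an event).
# Not captured from a real device; rule names are assumptions.
SAMPLE_DEBUG_OUTPUT = """\
192.168.62.3-46296 > 10.123.175.22-80 6 AS 1 I 1 new firewall session
192.168.62.3-46296 > 10.123.175.22-80 6 AS 1 I 1 pending rule order 3, 'Block-Social-Apps', AppId
192.168.62.3-46296 > 10.123.175.22-80 6 AS 1 I 1 match rule order 3, 'Block-Social-Apps', action Block
192.168.62.3-46296 > 10.123.175.22-80 6 AS 1 I 1 deleting firewall session
192.168.62.3-46300 > 10.123.175.40-443 6 AS 1 I 1 new firewall session
192.168.62.3-46300 > 10.123.175.40-443 6 AS 1 I 1 match rule order 5, 'Allow-Web', action Allow
192.168.62.3-46300 > 10.123.175.40-443 6 AS 1 I 1 allow action
"""

# client-port > server-port proto AS <n> I <n> <event>
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<as_id>\d+) I (?P<instance>\d+) (?P<event>.*)$"
)
# The rule the engine settled on and the action it took.
MATCH_RE = re.compile(
    r"match rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)"
)
# A rule that cannot be decided yet (e.g. waiting on AppId or URL lookup).
PENDING_RE = re.compile(
    r"pending rule order (?P<order>\d+), '(?P<name>[^']+)', (?P<waiting_on>\w+)"
)


def parse_line(line):
    """Return ((src, sport, dst, dport, proto), event) or None for non-flow lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    key = (d["src"], int(d["sport"]), d["dst"], int(d["dport"]), int(d["proto"]))
    return key, d["event"]


def summarize_flows(debug_text):
    """Collapse the per-line trace into one record per flow."""
    flows = {}
    for line in debug_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, event = parsed
        flow = flows.setdefault(
            key, {"pending": [], "matched_rule": None, "rule_order": None, "action": None}
        )
        pm = PENDING_RE.search(event)
        if pm:
            # Record rules that were held open while the engine waited on more data.
            flow["pending"].append((int(pm["order"]), pm["name"], pm["waiting_on"]))
            continue
        mm = MATCH_RE.search(event)
        if mm:
            # The last "match rule" line for a flow is the decision that applied.
            flow["matched_rule"] = mm["name"]
            flow["rule_order"] = int(mm["order"])
            flow["action"] = mm["action"]
    return flows


def flows_not_hitting(flows, expected_rule):
    """Flows whose final match is not the rule the engineer expected (or no match at all)."""
    return [key for key, f in flows.items() if f["matched_rule"] != expected_rule]


if __name__ == "__main__":
    summary = summarize_flows(SAMPLE_DEBUG_OUTPUT)
    for key, f in summary.items():
        src, sport, dst, dport, proto = key
        print(f"{src}:{sport} -> {dst}:{dport}/{proto}: "
              f"rule {f['rule_order']} '{f['matched_rule']}' action {f['action']}, "
              f"pending on {[p[2] for p in f['pending']] or 'nothing'}")
    for key in flows_not_hitting(summary, "Allow-Web"):
        print("not hitting 'Allow-Web':", key)
```

Run it against a capture pasted into SAMPLE_DEBUG_OUTPUT; a flow that shows a "pending" entry on AppId and then a Block from an earlier-ordered application rule is the typical signature of the scenario in the question, and the fix is to reorder or rescope that rule rather than to touch application identification.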
A confirmed under Scenario 3: Traffic Blocked by Application Tag. "The Connection Events, in conjunction with firewall-engine-debug output, shows the reason for the block."
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html#anc9
I'm leaning to C, since we're troubleshooting application issues, and application-identification-debug shows the matched application in the FMC.
Community vote distribution: A (35%), C (25%), B (20%), other.