An engineer defines a new rule while configuring an Access Control Policy. After deploying the policy, the rule is not working as expected and the hit counters associated with the rule are showing zero. What is causing this error?
A. An incorrect application signature was used in the rule.
B. The wrong source interface for Snort was selected in the rule.
If, "After deploying the policy, the rule is not working as expected", because the rule was not enabled, then C. If it's "not working as expected" because you selected the incorrect application signature, then A. If it's "not working as expected" because it's not logging, then D. I pray I don't encounter this vague question!
I'll go with D, just to add to the turmoil.
I would say C because of this:
The policy hit count is incremented only for the first packet of a connection that matches a policy.
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/getting_started_with_access_control_policies.html
An application takes more than the first packet to be identified, so this is only based on source/dest IP, ports and protocol. Even if the application was incorrect, it would increase hits based on this.
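To make the quoted hit-count rule concrete, here is a small added simulation (my own illustration, not Cisco code and not the commenter's) of an access-control policy that counts a hit only on the first packet of a connection that matches a rule. Rule names, addresses and the five-tuple match fields are constructed for the example; the model deliberately matches only on source/destination IP, protocol and port, leaving application identification out, so it shows the per-connection counting behaviour the Cisco document describes and why a disabled rule or a rule whose criteria never match stays at zero while a matching rule gets one hit per connection, not one per packet.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List


@dataclass(frozen=True)
class Packet:
    """One packet of a flow. conn_id ties packets of the same connection together (constructed)."""
    conn_id: int
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    """A simplified access-control rule. None in a match field means 'any'."""
    name: str
    action: str                 # "allow" or "block"
    enabled: bool = True        # new rules are enabled by default, as in the thread
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        # Match on the L3/L4 five-tuple fields only; application is not modelled here.
        criteria = (("src", self.src), ("dst", self.dst),
                    ("proto", self.proto), ("dport", self.dport))
        return all(want is None or want == getattr(pkt, field) for field, want in criteria)


class Policy:
    """Ordered rule list with a default action; hit counters count connections, not packets."""

    def __init__(self, rules: List[Rule], default_action: str = "block"):
        self.rules = rules
        self.default_action = default_action
        self.default_hits = 0
        self._seen_conns = set()

    def process(self, pkt: Packet) -> str:
        first_packet = pkt.conn_id not in self._seen_conns
        self._seen_conns.add(pkt.conn_id)
        for rule in self.rules:
            if not rule.enabled:
                continue            # a disabled rule is never evaluated, so it can never get a hit
            if rule.matches(pkt):
                if first_packet:
                    rule.hits += 1  # hit counter increments only on the first packet of the connection
                return rule.action
        if first_packet:
            self.default_hits += 1
        return self.default_action


def demo() -> Dict[str, int]:
    """Run constructed traffic through a constructed policy and return the resulting hit counters."""
    policy = Policy([
        Rule("ssh_block_disabled", "block", enabled=False, proto="tcp", dport=22),
        Rule("web_allow", "allow", proto="tcp", dport=443),
        Rule("ssh_allow_wrong_port", "allow", proto="tcp", dport=2222),
    ])
    # Constructed traffic: one HTTPS connection of three packets, one SSH connection of two packets.
    traffic = [Packet(1, "10.0.0.5", "203.0.113.10", "tcp", 443)] * 3 + \
              [Packet(2, "10.0.0.6", "203.0.113.10", "tcp", 22)] * 2
    verdicts = [policy.process(p) for p in traffic]
    counters = {r.name: r.hits for r in policy.rules}
    counters["default_action"] = policy.default_hits
    counters["packets_seen"] = len(verdicts)
    counters["allowed_packets"] = verdicts.count("allow")
    return counters


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows web_allow at one hit although three packets matched it, the disabled SSH rule at zero even though its criteria match the SSH flow, the mis-configured port rule at zero, and the default action credited with the SSH connection. The zero on the disabled rule and the zero on the never-matching rule look identical in the counter, which is exactly why the thread finds the question ambiguous.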
When you add a rule in ACP, the default state is Enabled and I suspect the same is on most if not all firewalls from different vendors (Forti and Palo for sure).
Logging might be a cause, but the scenario also says that it is not functioning as expected, so it is not an issue related only to logs.
When you create an access control rule, it is enabled by default.
https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/access_control_rules.html
I agree - Even if the signature was incorrect it would result in low matches or wrong matches, but not zero hit counters unless traffic is not using the app at all.
Only A. Incorrect application signature: let's say you want to block Facebook, and instead of Facebook you used Facebook Games.
B and D make no sense.
C: Rules are enabled by default, only SNORT rules need to be enabled (drop and generate events, generate events,...) to take action.
The correct answer is C. The most likely cause of the error is that the rule was not enabled after being created. By default, new rules are created in a disabled state, which means that they do not take effect until they are explicitly enabled. If the rule is not enabled, it will not be matched against traffic and the hit counters associated with the rule will remain at zero.
What? When you create an ACL rule you do not need to enable it?! If there are no hits in the counter, that means the traffic did not match the criteria: source IP, destination IP, URL, application, ... So C is not the one. I think you are referring to SNORT rules, and that is not the case here.
Joe, I have just checked: the new rules are not created in a disabled state (at least in my case). I still go with answer C because of the hit count.
Community vote distribution: A (35%), C (25%), B (20%), Other.