Exam 350-701 topic 1 question 125 discussion

Actual exam question from Cisco's 350-701
Question #: 125
Topic #: 1

An administrator is trying to determine which applications are being used in the network but does not want the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this?

  • A. Network Discovery
  • B. Access Control
  • C. Packet Tracer
  • D. NetFlow
Suggested Answer: A

Comments

Raajaa
Highly Voted 3 years, 10 months ago
A is the answer as the Q specifies without using metadata
upvoted 8 times
...
Demon_Queen_Velverosa
Most Recent 7 months, 3 weeks ago
The Demon Queen sees you all are overthinking this XD. This question is to throw you off and took me time to get why it's netflow and checked multiple sources. An administrator is trying to determine which applications are being used in the network but does not want the network devices to send metadata to Cisco Firepower. Which feature should be used to accomplish this? As in the question says we want to know what apps are being used on the network. However they throw you off by saying "but does not want the network devices to send metadata to Cisco Firepower.". Ask yourself, Why do we care about Cisco FirePower in this question? We don't as we want to know what apps are on the network. By using netflow you have the network devices including firepower sending flow data out to be analyzed to other devices to analyze, but not sending data to the firepower device. They never said firepower could not be used as a sensor. The key word here is not "send" to firepower, but nothing about sending from firepower
upvoted 1 times
...
xziomal9
1 year, 6 months ago
Answer A
upvoted 1 times
...
KPzee
2 years, 1 month ago
It cannot be D as Netflow is concerned with metadata.
upvoted 2 times
...
Emlia1
2 years, 4 months ago
I prefer A
upvoted 1 times
...
sis_net_sec
2 years, 7 months ago
Selected Answer: A
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Network_Discovery_Policies.html The network discovery policy has a single default rule in place, configured to discover applications from all observed traffic. The rule does not exclude any networks, zones, or ports, host and user discovery is not configured, and the rule is not configured to monitor a NetFlow exporter. This policy is deployed by default to any managed devices when they are registered to the Firepower Management Center. To begin collecting host or user data, you must add or modify discovery rules and re-deploy the policy to a device.
upvoted 2 times
...
francojaraba
2 years, 9 months ago
Selected Answer: A
As long as the question indicates that no metadata is required the answer is A - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html Netflow are based on metadata - https://learning.oreilly.com/library/view/ccna-cyber-ops/9780134608938/ch04.html#ch04lev1sec1
upvoted 4 times
...
networkexpert
3 years ago
Selected Answer: A
I am eliminating D
upvoted 1 times
...
semi1750
3 years, 1 month ago
Selected Answer: A
Opt for A. Cisco doc says Applications can be discovered by "non-NetFlow discovery rules" without Option D. "You can disable detection of application protocols in discovery rules configured to monitor NetFlow exporters, but not in discovery rules configured to monitor Firepower System managed devices. If you enable host or user discovery in non-NetFlow discovery rules, applications are automatically discovered." https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/working_with_discovery_events.html
upvoted 3 times
...
pohqinan
3 years, 1 month ago
keyword network devices = switch / router therefore netflow. Network Discover usually is PC client send out
upvoted 2 times
NikoNiko
2 years, 9 months ago
"determine which applications" are running... and "does NOT want the network devices to send metadata to Cisco Firepower" Correct answer is Network Discovery - a Firepower feature, which fingerprints devices and applications in LAN by their communication parameters.
upvoted 2 times
...
...
Floki_viking7
3 years, 2 months ago
An Overview of the NetFlow Protocol: NetFlow is a protocol used to collect metadata on IP traffic flows traversing a network device. Developed by Cisco Systems, NetFlow is used to record metadata about IP traffic flows traversing a network device such as a router, switch, or host
upvoted 1 times
...
zheka
3 years, 5 months ago
Someone below gave an example that Netflow operates with metadata and if we don't want to send them to Cisco FMC then we need to select Netflow as the answer, simple as 123. And yes, you can discover applications by network discoveries by Firepower. Just checked in real production environment
upvoted 1 times
...
zeroC00L
3 years, 7 months ago
I would go with A here. Because the Network Discovery feature on the FMC/FTD/Firepower stuff works like a passive monitor. The Firewalls are looking into the traffic which is passing through them and use the information they get from there to build up host information you can view from within FMC. So there is no need to send (active do something) metadata the firewalls can get this passively by using network discovery policy.
upvoted 1 times
...
kapplejacks
3 years, 7 months ago
Correct answer is A: Question asks for "Firepower", I wish they would specify but I believe they are referring to ASA with firePOWER not FTD. If they say Firepower, cisco usually also includes Threat Defense so it's for the ASA. The ASA does know about are on the network using network discovery and can be viewed in ASDM without (also a key, the question asks "but does not want to send metadata") so it has to be network discovery
upvoted 2 times
kapplejacks
3 years, 7 months ago
Also it's called FireSight, it enables you to see HTTP related info or basically application traffic in a GUI connected to your ASA. FireSight.
upvoted 1 times
...
...
Sarbi
3 years, 8 months ago
I think the answer is A. As Netflow used metadata to analyse the flow. Rather than always relying on full packet capture, protocols like NetFlow and IPFIX can generate valuable metadata for less-intensive network monitoring. This metadata is similar to how your phone bill shows your calls, displaying the source, destination and volume rather than showing the actual content of the conversations. With this information, you can gain useful insights at a lower impact on your network management strategy. But which approach or metadata protocol is right for your network monitoring needs?
upvoted 1 times
...
kerniger
3 years, 8 months ago
I think A is not true because it's based on metadata from firepower by default. With NetFlow you can detect applications without metadata at firepower.
upvoted 1 times
...
zap_pap
3 years, 9 months ago
- A "The network discovery policy has a single default rule in place, configured to discover applications from all observed traffic." https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Network_Discovery_Policies.html
upvoted 3 times
Pwned
2 years, 11 months ago
This is correct!!
upvoted 1 times
Nian
1 month, 2 weeks ago
Yep.. "Discovery rules within the policy specify which networks and ports the Firepower System monitors to generate discovery data based on network data in traffic, and the zones to which the policy is deployed. Within a rule, you can configure whether hosts, applications, and non-authoritative users are discovered" https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Network_Discovery_Policies.html
upvoted 1 times
...
...
...