Exam 300-710 topic 1 question 112 discussion

The only answer here that is the closest to correct is B. All other can't be right. A--> You transform IPS to IDS, B ---> There might be some problems in request/reply in DNS communication and IPS will block it. C---> This does not make sense, if you disable Threshold, the rule will be triggered X times more. D ----> No sense in that

To address the issue of DNS responses not getting through the Cisco FTD while still utilizing Snort IPS rules, the network administrator should modify the Snort rules to allow legitimate DNS traffic to the VPN users. Snort is an intrusion detection and prevention system that can be used to detect and prevent malicious traffic. However, in some cases, Snort rules may block legitimate traffic, such as DNS responses, causing connectivity issues for VPN users.

correct answer???which?

A. Uncheck the "Drop when Inline" box in the intrusion policy to allow the traffic -> Seems to be the best option, since it only will generate an event afterwards but lets the traffic pass B. Modify the Snort rules to allow legitimate DNS traffic to the VPN users -> Traffic is already allowed, as the response is not getting to the VPN user C. Disable the intrusion rule thresholds to optimize the Snort processing -> This doesnt make any sense for the shown problem D. Decrypt the packet after the VPN flow so the DNS queries are not inspected -> The packet is already decrypted, since the FTD is the vpn endpoint I would go with A

All answers are a bit strange to me. We know that the DNS query is going through the firewall, since the problem is the DNS response not going through the firewall. B makes the most sense, but it would then be the DNS response that triggers the snort triggered drop(?). Thats a bit strange, but plausible.

Sorry I mean why is the answer not D?

Why would'nt it be B?