Exam Essentials topic 1 question 59 discussion

Actual exam question from WatchGuard's Essentials
Question #: 59
Topic #: 1

In a Mobile VPN configuration, why would you choose default route VPN over split tunnel VPN? (Select one.)

  • A. Default route VPN allows your Firebox to examine all remote user traffic
  • B. Default route VPN uses less bandwidth
  • C. Default route VPN uses less processing power
  • D. Default route VPN automatically allows dynamic NAT
Suggested Answer: D

Comments

Arjjra
Highly Voted 5 years ago
This answer is incorrect. Should be answer A.

Internet Access Options for Mobile VPN Users

For Mobile VPN with IPSec and Mobile VPN with SSL, you have two options for Internet access for your Mobile VPN users:

Force all client traffic through tunnel (default-route VPN)
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration (known as default-route VPN), the Firebox is able to examine all traffic and provide increased security, although it uses more processing power and bandwidth.

Allow direct access to the Internet (split tunnel VPN)
Another configuration option is to enable split tunneling. With this option, your users can browse the Internet, but Internet traffic is not sent through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies you create are not applied to the Internet traffic. If you use split tunneling, we recommend that each client computer have a software firewall.
upvoted 17 times
...
Maik
Highly Voted 4 years, 3 months ago
Answer A is correct
upvoted 9 times
...
BradKenn75
Most Recent 1 year, 3 months ago
Definitely A. The only reason we "default route" BoVPN traffic is so we don't have to buy subscription services on both endpoint FWs; routing all traffic through the host site allows use of subscription services from a single site.
upvoted 1 times
...
memorx
1 year, 8 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
zoodata
1 year, 10 months ago
Selected Answer: A
A is the correct answer
upvoted 1 times
...
Ari2x
2 years, 2 months ago
Selected Answer: A
IT IS A
upvoted 1 times
...
Turak64
2 years, 3 months ago
Selected Answer: A
Dynamic NAT isn't why you'd use a full tunnel over split. Using the default route means all traffic goes through the firebox, rather than just the routes configured by the VPN.
upvoted 1 times
...
Satornjkk
3 years, 4 months ago
A. Enforcing all user traffic lets the Firebox filter, log, and inspect it as well.
upvoted 2 times
...
payzey
3 years, 6 months ago
A: Default route VPN allows your Firebox to examine all remote user traffic

Default-route (full tunnel) is the most secure option because it routes all Internet traffic from a remote user through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration, the Firebox can examine all traffic and provide increased security. Be aware that this option requires more processing power and bandwidth.

If you select Routed VPN traffic in the Mobile VPN with SSL configuration, and you do not force all client traffic through the tunnel (split-tunnel), you must configure the allowed resources for the SSL VPN users. If you select Specify allowed resources or Allow access to all Trusted, Optional and Custom networks, only traffic to those resources is sent through the VPN tunnel. All other traffic goes directly to the Internet and the network that the remote SSL VPN user is connected to. This option can affect your security because any traffic sent to the Internet or the remote client network is not encrypted or subject to the policies you configured on the Firebox.
upvoted 2 times
...
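Added example (not part of any comment above, and not WatchGuard code): the routing difference the quoted documentation describes, modelled as a longest-prefix match over a client's routing table to list which destinations never cross the tunnel. The interface names `tun0` and `eth0`, every address, and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed client routing tables as (prefix, interface) pairs. All
# addresses are sample values; "tun0" is the assumed VPN adapter name.
FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),        # default route points into the tunnel
    ("203.0.113.10/32", "eth0"),  # host route to the VPN gateway (carries the encrypted tunnel)
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the local network
    ("10.0.1.0/24", "tun0"),      # allowed resource: a Trusted network
    ("10.0.2.0/24", "tun0"),      # allowed resource: an Optional network
]

def egress_interface(dest, routes):
    """Pick the interface by longest-prefix match; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def bypasses_firebox(destinations, routes, tunnel_iface="tun0"):
    """Destinations whose traffic leaves the client without entering the tunnel."""
    return [d for d in destinations
            if egress_interface(d, routes) != tunnel_iface]

# Constructed sample traffic: two internal hosts, two Internet hosts.
SAMPLE_DESTINATIONS = ["10.0.1.25", "10.0.2.7", "198.51.100.80", "192.0.2.53"]

if __name__ == "__main__":
    for name, table in (("default-route", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL)):
        print(name, "-> not seen by Firebox:",
              bypasses_firebox(SAMPLE_DESTINATIONS, table))
```
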
[Removed]
3 years, 6 months ago
A is the correct answer. Some Firewall vendors call this "Full Tunnel", meaning all traffic is routed via the VPN to the Firewall for inspection. Split-Tunnel is where only LAN based traffic is routed to the firewall, internet destined traffic doesn't enter the VPN. A is correct
upvoted 2 times
...
mmamlouk
3 years, 8 months ago
I think the Answer is A
upvoted 5 times
...
KiwiTech
3 years, 9 months ago
A is the correct answer
upvoted 5 times
...
Thresmonkey
3 years, 11 months ago
"Default-route is the most secure option because it routes all Internet traffic from a remote user through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration, the Firebox can examine all traffic and provide increased security. Be aware that this option requires more processing power and bandwidth."
upvoted 3 times
...
Tejen
4 years, 3 months ago
When you use default-route VPN, a dynamic NAT policy must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the Firebox.
upvoted 1 times
...