Free Updated Cisco 300-610 Actual Exam Questions - Question 2 Discussion
The security team created a new security policy that requires certain types of traffic to be subject to
deep packet inspection The traffic types are
•
internet traffic to application servers
•
internet traffic to corporate users
•
partner network traffic to application servers
•
partner network traffic to corporate users
Where must the next-generation firewalls be inserted to implement the new policy?
Maybe D. Putting the firewall inline between user switches and core cluster lets you handle corporate user traffic efficiently, plus it covers internal flows to app servers better than B, which focuses more on edge traffic.
Thinking about it, I’d go with B here. Placing the firewall inline between the edge router cluster and the core switch cluster should catch all incoming internet and partner traffic to both application servers and corporate users before it spreads inside. That seems to cover all four traffic types in the policy. D might miss some external traffic that goes directly to the core without passing user switches. Also, one-armed setups like A or C wouldn’t fully intercept all flows since they’re not inline. So B makes the most sense for comprehensive deep packet inspection.
Option D also makes sense because placing the firewall between the user switch and core cluster catches all internal user traffic headed to application servers, which option B might miss if traffic doesn’t route through the edge router.
Makes sense to rule out A and C since one-armed insertions usually don’t cover all traffic flows fully. Between B and D, B seems stronger because placing the NGFW inline between the edge router and core switch cluster catches both internet and partner traffic before it spreads inside. D is more limited to user network traffic and might miss some partner flows coming via the edge router. So I’d go with B here.
D imo. Putting the NGFW inline between the user network switch cluster and the core cluster lets you inspect traffic coming directly from users before it hits the core, covering corporate user traffic well. Since partner traffic often connects closer to the core or users, this spot should catch that too. Option B might miss some user-side flows since it’s before the core switch, so D feels more comprehensive for this policy’s scope.
B/D? Since the policy applies to both internet and partner traffic heading to app servers and users, placing NGFW inline between edge router and core switch (B) or between user switches and core (D) could catch all flows. Might depend on traffic flow specifics.
It’s B