
350-201 Question #39: Real Exam Question with Answer & Explanation

The correct answer is B. allowed by a configured access policy rule.

Network Intrusion Analysis

Question

Refer to the exhibit. What is the connection status of the ICMP event?

Exhibit

350-201 question #39 exhibit

Options

  • A. blocked by a configured access policy rule
  • B. allowed by a configured access policy rule
  • C. blocked by an intrusion policy rule
  • D. allowed in the default action

Explanation

This question tests how to interpret connection event data in Cisco FMC, specifically identifying the disposition and reason for an ICMP connection.

Common mistakes.

  • A. Blocked by an access policy rule would show a 'Block' action in the connection event, not an allow disposition.
  • C. Blocked by an intrusion policy rule would show an 'Intrusion Block' or 'IPS Block' reason, which is separate from access policy rule actions.
  • D. Allowed by the default action would not reference a named access control rule - it would show 'Default Action' as the reason, not a specific rule match.

Concept tested. Cisco FMC connection event interpretation and disposition

Reference. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/connection_and_security_intelligence_event_fields.html

Topics

#ICMP #access policy rules #intrusion detection #firewall policy
