With Cisco FTD software, which interface mode must be configured to passively receive traffic that passes through the appliance?
To passively receive traffic that passes through the Cisco FTD appliance, the interface mode that must be configured is tap mode. Tap mode allows the network traffic to flow undisturbed while making a copy of each packet for analysis. This ensures that the traffic is monitored without affecting its flow to its destination, meeting the requirement of passive monitoring.
IDS is passive but IPS is not; with IPS, the inline traffic can be dropped. I go with tap.
We're screwed with this question. The correct answer depends on whether the question is based on the FMC Configuration Guide or the FMC GUI user interface. If this question comes from the FMC Configuration Guide, the answer could very well be D - IPS-only mode. According to the first sentence of the "INTERFACE MODES AND TYPES" section of the FMC configuration manual: "You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode." TAP mode would be an Advanced setting on an interface in IPS-only mode. If this question is based on the FMC GUI, then there are three modes available. Two mode choices on Firewall mode interfaces: the default is mode: none, but the mode can be set to passive mode or ERSPAN mode. There is one mode on an inline pair interface, "Tap mode", found in the advanced options. And to muddy the waters even more, ERSPAN could also be the correct answer, because ERSPAN traffic is passive copies of traffic that doesn't go through the device, but the original traffic still has to go out somewhere, and that somewhere is probably through that FTD's firewall mode interfaces. I'm undecided between IPS-only mode and TAP mode.
I wish there was a way to upload pics to these boards. I'm looking at the FMC right now and the only interface modes are passive, ERSPAN or none. I'm going with ERSPAN. Some of you might be going off of old guides based on older versions of the software. I'm using FMC 7.2.
Tap fits better
100% TAP mode.
Correct: C. With tap mode, the FTD is deployed inline, but the network traffic flow is undisturbed. Instead, the FTD makes a copy of each packet so that it can analyze the packets. Note that rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have been dropped in an inline deployment. There are benefits to using tap mode with FTDs that are deployed inline.
Correct answer: C
From the start, only two answers are possible: B and D. There are only two interface modes on FTD: "You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode. You can include both firewall and IPS-only interfaces on the same device. IPS-only interfaces can be deployed as the following types: Inline Set, with optional Tap mode". So you could have IPS-only as inline with tap, which would make it into an IDS and therefore passive. Firewall interface mode can be deployed as Routed or Bridge Groups with BVI. Do your own reading here: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/interface_overview_for_firepower_threat_defense.html
And you could also set an IPS-only interface to passive to boot.
Agree with D according to the Cisco docs. IPS-only mode selected means you can use inline tap which satisfies the question criteria. Updated link for version 7.0 here which still holds true: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/interface_overview_for_firepower_threat_defense.html
The correct answer is C, tap. The tap mode is used for passive monitoring of traffic without affecting the traffic flow. The traffic is simply copied to the tap interface for analysis, while the original traffic continues to its destination.
I would go with ERSPAN; this is a passive interface with encapsulating mode. TAP is a copy of the traffic.
Agreed. It should be TAP mode.
A - ERSPAN. If we're talking interface type, ERSPAN is the only option here. Tap is a setting on an inline set (which isn't an interface type).
ERSPAN is not for traffic passing through the appliance, but for traffic received in IDS mode from different distant devices separated by Layer 3.
https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/fpmc-config-guide-v622_chapter_01111001.html
https://rayka-co.com/lesson/cisco-firepower-deployment-modes/
Because the question is asking about traffic that goes through the firewall itself, AND that the firewall receives the data flow passively, BUT does NOT specify anything about the data being inspected, I would go with IPS mode. If the question had asked about passively inspecting the traffic going through the appliance, I would have picked TAP.
Of the "Interface modes", the only valid answers are "TAP" or "ERSPAN". Tap is passive and traffic is not going through the FTD, but with ERSPAN it does. Further, there is no "IPS-only" mode on an interface. If there is any discussion about an "xxx-only" mode, it should be "IDS-only" mode, and that would be a passive interface mode.
With Cisco FTD software, **which interface mode** must be configured to passively receive traffic that passes through the appliance? You can deploy FTD interfaces in two modes: Regular firewall mode and IPS-only mode. D
A TAP interface does not copy any traffic to another interface; it just receives it (passive). IPS-only is the correct one. "An inline set acts like a bump on the wire, and binds two interfaces together to slot into an existing network. This function allows the system to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped."
A TAP is a network device that copies and transfers traffic to another system. Unlike a SPAN port on a switch, which is configured at the software level, a network TAP is dedicated hardware that is designed to replicate and transfer traffic.
D is correct; IPS-only is an interface mode. Tap mode is a type that an interface mode can be deployed as: "IPS-only interfaces can be deployed as the following types".
I don't understand why the Cisco exam is doing this tricky question. Although I don't like this kind of question, I think I am going to choose IPS-only mode, as trickbot explained very well below. I am focusing more on the higher-level interface mode (firewall vs IPS mode), although TAP and ERSPAN are also possible answers.
Agree it should be D, as the TAP wouldn't let the traffic pass.
It's gotta be D, IPS-only. Of the interface modes, there's Routed, Passive and ERSPAN. Tap is a mode that's used with inline tap or inline set. IPS-only is NOT an interface mode, however it can be configured to allow traffic to flow through an interface passively, as counterintuitive as that might seem.
IPS is a deployment type and NOT an interface mode. TAP is an interface deployment mode of IPS.
For Cisco FTD software, the correct interface mode to passively receive traffic is IPS-only mode (option D). This mode allows the appliance to monitor and analyze traffic without actively participating in the traffic flow. Tap mode (option C) is another passive monitoring option, but it is typically used in inline deployments where the device is physically inserted into the network path. In contrast, IPS-only mode is specifically designed for passive monitoring without affecting the traffic flow.
IPS is a deployment type and NOT an interface mode