Exam 300-610
Question 118

Refer to the exhibit.

The security team created a new security policy that requires certain types of traffic to be subject to deep packet inspection. The traffic types are:

• internet traffic to application servers

• internet traffic to corporate users

• partner network traffic to application servers

• partner network traffic to corporate users

Where must the next-generation firewalls be inserted to implement the new policy?

    Correct Answer: A

    To implement deep packet inspection on all the specified traffic types—traffic from the internet to application servers, internet traffic to corporate users, partner network traffic to application servers, and partner network traffic to corporate users—the next-generation firewalls should be positioned where all these traffic types converge. In this diagram, the core switch cluster interfaces with both the user network and the application servers through separate paths. Therefore, placing the firewalls inline between the user network switch cluster and the core cluster will ensure that all the traffic types are inspected, as the core switch processes all traffic to and from the specified sources and destinations. This ensures comprehensive deep packet inspection coverage.

Discussion
alfred12 Option: C

But how do you filter traffic from partner users, using the B option?

Wasamela Option: B

Answer should be B, inserting the firewall between the edge router cluster and the core switch cluster, to inspect all the specified traffic types for DPI.

muzz40000 Option: B

B seems to be the correct answer. However, I think having the firewall in the ACI border leaf can work, if you want to route traffic from there, but not the best option.