300-710 SNCF Exam Questions

300-710 SNCF Exam - Question 269


A network administrator is deploying a new Cisco Secure Firewall Threat Defense (FTD) firewall. After Cisco Secure FTD is deployed, inside clients have intermittent connectivity to each other. When reviewing the packet capture on the Secure FTD firewall, the administrator sees that Secure FTD is responding to all the ARP requests on the inside network. Which action must the network administrator take to resolve the issue?

Correct Answer: B

The intermittent connectivity is caused by the firewall answering every ARP request on the inside segment. A host that asks for a neighbour's MAC address receives the Secure FTD's MAC as well as the real owner's, so its ARP cache flips between the two and some of its traffic is sent to the firewall instead of to the neighbour. This is the symptom of proxy ARP being enabled by a NAT rule whose mapped addresses sit on the inside interface. Reviewing the NAT policy and disabling proxy ARP on the offending rules (the "Do not proxy ARP on Destination Interface" option under the rule's Advanced settings) stops the firewall from answering those requests and resolves the issue. The other options do not address the root cause: verifying that ARP is allowed from inside to inside or converting the FTD to transparent mode does nothing about the firewall answering ARP requests, and hard-coding MAC addresses is impractical on a network with many clients.
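As an added example (not from the exam page, the answer explanation, or Cisco), the following Python script does what the administrator did by hand when reviewing the capture: it reads ARP replies exported from the inside-interface capture and reports any MAC address that answered for several different IPs, together with the IPs that received answers from two different MACs. The CSV column order, the sample rows, the interface and host addresses, and the tshark command in the docstring are all constructed assumptions for illustration. The same check also surfaces ARP spoofing, since a spoofer produces the same "one MAC, many IPs" and "one IP, two MACs" pattern.

```python
"""Spot a single MAC answering ARP on behalf of many IPs (proxy ARP or ARP spoofing).

Added example, not from the exam page. Input is a constructed CSV of ARP replies
in the shape tshark exports with this (assumed) command:
  tshark -r inside.pcap -Y "arp.opcode == 2" -T fields -E separator=, \
      -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.hw_mac -e arp.dst.proto_ipv4
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ArpReply(NamedTuple):
    sender_mac: str   # MAC claiming to own sender_ip
    sender_ip: str    # address being answered for
    target_mac: str   # host that asked
    target_ip: str


# Constructed sample: 00:11:22:33:44:01 plays the FTD inside interface (10.1.1.1)
# answering ARP for every address it is asked about. aa:bb:cc:dd:ee:20 and
# aa:bb:cc:dd:ee:30 are the real owners of 10.1.1.20 and 10.1.1.30, so those two
# addresses get two different answers, which is what makes connectivity flap.
SAMPLE_ARP_REPLIES = """\
00:11:22:33:44:01,10.1.1.1,aa:bb:cc:dd:ee:10,10.1.1.10
00:11:22:33:44:01,10.1.1.20,aa:bb:cc:dd:ee:10,10.1.1.10
aa:bb:cc:dd:ee:20,10.1.1.20,aa:bb:cc:dd:ee:10,10.1.1.10
00:11:22:33:44:01,10.1.1.30,aa:bb:cc:dd:ee:20,10.1.1.20
aa:bb:cc:dd:ee:30,10.1.1.30,aa:bb:cc:dd:ee:20,10.1.1.20
00:11:22:33:44:01,10.1.1.40,aa:bb:cc:dd:ee:30,10.1.1.30
"""


def parse_arp_replies(csv_text: str) -> List[ArpReply]:
    """Parse the four-column export; blank lines and '#' comments are skipped."""
    replies: List[ArpReply] = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().lower() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
        replies.append(ArpReply(*fields))
    return replies


def ips_claimed_by_mac(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """Map each answering MAC to the set of IPs it claimed to own."""
    claimed: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        claimed[r.sender_mac].add(r.sender_ip)
    return dict(claimed)


def find_proxy_arp_suspects(replies: List[ArpReply],
                            max_ips_per_mac: int = 1) -> List[Tuple[str, List[str]]]:
    """A normal host answers ARP only for its own address. A MAC answering for more
    than max_ips_per_mac distinct IPs is either a router doing proxy ARP or a
    spoofer; on an inside segment it is the first thing to look at."""
    suspects = []
    for mac, ips in ips_claimed_by_mac(replies).items():
        if len(ips) > max_ips_per_mac:
            suspects.append((mac, sorted(ips, key=ipaddress.ip_address)))
    return sorted(suspects)


def find_conflicting_ips(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """IPs that two different MACs answered for: the asking host's ARP cache
    flips between them, which is the intermittent connectivity in the question."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for r in replies:
        owners[r.sender_ip].add(r.sender_mac)
    return {ip: macs for ip, macs in owners.items() if len(macs) > 1}


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_ARP_REPLIES)
    for mac, ips in find_proxy_arp_suspects(replies):
        print(f"{mac} answered ARP for {len(ips)} addresses: {', '.join(ips)}")
    for ip, macs in sorted(find_conflicting_ips(replies).items()):
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
```

On the sample data the script names the firewall's inside MAC as the only host answering for more than one address and lists 10.1.1.20 and 10.1.1.30 as contested. The threshold is deliberately low (a MAC owning one address) because on an access segment nothing but the gateway should be answering for others; raise it only if the segment legitimately has multi-homed hosts.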

Discussion

6 comments
tinyJoe (Option: B)
Jan 3, 2025

The answer is definitely B. I completely agree with Alex_morgan. I'd like to add something. First of all, the "incorrect proxy ARP configuration" is specifically the "Do not proxy ARP on Destination Interface" checkbox in the Advanced tab of the FMC's NAT policy. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/interfaces-settings-nat.html#:~:text=Do%20not%20proxy%20ARP%20on%20Destination%20Interface As an example, this option is used when identity NAT is used to identify VPN traffic. In that case, if this checkbox is not turned on, the local LAN will attempt to respond to ARP even for requests that can be handled by the local LAN.

Alex_morgan (Option: B)
Sep 12, 2024

Disable proxy ARP in Advanced setting NAT rules.

Anonymous
Mar 26, 2024

My choice is "ACP for ARP inside to inside". I guess that NAT is not usually implemented between inside and inside.

Doris8000
Aug 4, 2024

Agree it should be A

Doris8000
Aug 7, 2024

Additional details By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection. ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/platform_settings_for_firepower_threat_defense.html#:~:text=all%20ARP%20packets%20are%20allowed%20between%20bridge%20group%20members.

d0980cc (Option: C)
Apr 8, 2025

The issue could be related to NAT and proxy ARP to the destination interface (outbound), but the issue is with inside client to client. Therefore, since it's a new deployment, I'd change it to Transparent Mode. I choose C.