300-710 SNCF Exam - Question 229


An engineer must investigate a connectivity issue from an endpoint behind a Cisco FTD device and a public DNS server. The endpoint cannot perform name resolution queries. Which action must the engineer perform to troubleshoot the issue by simulating real DNS traffic on the Cisco FTD while verifying the Snort verdict?

Correct Answer: A

To troubleshoot a connectivity issue related to DNS traffic and verify the Snort verdict, the engineer should use the Capture w/Trace wizard in Cisco FMC. This tool allows simulating real DNS traffic and tracing packet flow through the Firepower Threat Defense (FTD) device, providing detailed insights into the traffic path and Snort engine processing.

Discussion

6 comments
Joninjimbo Option: A
Oct 19, 2023

I would also say A. The requirements are "troubleshoot the issue by simulating real DNS traffic"... this would indicate using option A, which includes a Trace to simulate the traffic flow.

aaInman
Feb 6, 2024

A - is 100% correct.

Happy_Shepherd26 Option: B
Nov 6, 2024

It says "simulating" so definitely not A

c946f3e
Sep 14, 2023

A. To trace a real packet is very useful to troubleshoot connectivity issues. It allows you to see all the internal checks that a packet goes through. Add the trace detail keywords and specify the number of packets that you want to be traced. By default, the FTD traces the first 50 ingress packets. In this case, enable capture with trace detail for the first 100 packets that FTD receives on the INSIDE interface:

    > capture CAPI2 interface INSIDE trace detail trace-count 100 match icmp host 192.168.103.1 host 192.168.101.1

c946f3e
Sep 14, 2023

A: See reference https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

eafea4f Option: A
Jul 12, 2024

TCPdump doesn't simulate packets.

d0980cc Option: B
Apr 9, 2025

I think the answer is B, because the question specifically asks, "on the Cisco FTD while verifying the Snort verdict". https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#:~:text=Allows%20to%20run%20system%20support%20firewall%2Dengine%2Ddebug%20at%20the%20same%20time%20to%20see%20what%20happens%20within%20the%20Snort%20engine%20itself