Chapter 7. Deployment in Detection-Only Mode Flashcards
1. Which of the following interface modes does not block packets?
A. Transparent mode
B. Routed mode
C. Inline tap mode
D. All of these answers are correct.
C. In inline tap mode and in passive mode, if you apply an access control rule or intrusion rule with a block or drop action, a threat defense does not actually block the original traffic. It only generates an event and lets the original traffic go through the threat defense.
2. Which of the following actions ensures the analysis of maximum traffic when it goes through a threat defense?
A. Using a SPAN port on a switch.
B. Deploying a TAP to replicate traffic.
C. Deploying passive mode instead of inline mode.
D. Any threat defense model is capable of handling all the traffic and ensures 100 percent detection.
B. A network TAP is dedicated hardware that is designed to replicate and transfer traffic. A SPAN port, in contrast, drops packets if the utilization of a SPAN link exceeds its capacity.
3. Which of the following statements is true?
A. Passive mode can work with just one interface, whereas an inline set requires at least two interfaces.
B. An inline interface does not require that port mirroring features, such as a TAP or SPAN port, be available.
C. Transition between detection-only mode and prevention mode is faster and easier in inline tap mode.
D. All of these answers are correct.
D. All of these answers are correct. Passive mode can work with just one interface, whereas an inline set requires at least two interfaces. An inline interface does not require that port mirroring features, such as a TAP or SPAN port, be available. Transition between detection-only mode and prevention mode is faster and easier in inline tap mode.
4. What is the advantage of considering inline tap mode over passive mode?
A. A threat defense in inline tap mode can handle more traffic than any other modes.
B. Passive mode cannot block any intrusion attempt.
C. You can easily transition to the inline mode without touching any physical cables.
D. Both inline tap and passive modes are the same; there are no administrative differences.
C. You can easily transition to the inline mode without touching any physical cables.
5. An administrator wants to position a threat defense permanently in detection-only mode. What is the best option to consider?
A. Transparent mode
B. Inline tap mode
C. Passive mode
D. All of these answers are correct.
C. If the ultimate plan is to deploy a threat defense in detection-only mode permanently, choose passive mode over inline tap mode to eliminate any chance of traffic interruption due to an accidental outage of the threat defense. Furthermore, depending on the traffic, the inline tap mode configurations can impact the threat defense performance more than the passive mode configurations.
6. Which of the following commands shows whether an interface is set to inline tap mode?
A. show inline-tap
B. show inline-set
C. show interface ip brief
D. show interface inline-tap
B. The show inline-set command can confirm whether an interface is set to inline tap mode.
7. If a threat defense interface is configured with passive mode, which of the following commands can help you to determine the passive deployment mode?
A. show nameif
B. show interface <interface_name>
C. show passive-interface
D. show monitor session
B. If an interface on a threat defense is configured in passive mode, the show interface <interface_name> command shows IPS Interface-Mode: Passive in its output.
8. Which of the following settings enable a threat defense to run in detection-only mode?
A. Interface Mode: Inline Tap
Inspection Mode: Prevention
B. Interface Mode: Passive
Inspection Mode: Prevention
C. Interface Mode: Inline
Inspection Mode: Detection
D. All of the above
D. A threat defense operates in detection-only mode when the interface is set to inline tap or passive mode, regardless of the inspection mode selected in the intrusion policy. When configured in inline interface mode, a threat defense can also inspect traffic in a non-blocking mode (alert only) if you select detection inspection mode in the intrusion policy.