Lesson 8 Flashcards

1
Q

The Cisco _____________ is borrowed from IOS to make it easier to implement flexible policies on the security appliances. One or more policies can be applied to traffic flowing through the appliance.

A

Modular Policy Framework (MPF)

2
Q
Control what traffic is added to the connection table so that returning traffic is allowed back to the source, and examine the payloads of inspected applications for connection, translation, and security issues.
A

Inspection of connections

3
Q
Limit the number of completed and half-open (embryonic) connections on a per-group, per-user, or per-host basis.
A

Connection restrictions

4
Q
Implement low-latency queuing to prioritize high-priority traffic, such as voice, over normal data traffic.
A

Traffic prioritization

5
Q
Rate-limit traffic in both the inbound and outbound directions to control the excessive bandwidth needs of applications.
A

Traffic policing

6
Q
With the AIP-SSM (Advanced Inspection and Prevention Security Services Module) card installed in an ASA, you can define policies to copy packets to the card (promiscuous mode) or to redirect packets through the card (inline mode) to look for and prevent attacks.
A

Intrusion prevention system (IPS)

7
Q
With the CSC-SSM (Content Security and Control) card installed in an ASA, you can define policies to redirect traffic through the card to look for viruses, malware, spyware, phishing, and other types of issues in Web, FTP, and email applications.
A

Anti-X

8
Q

The MPF Process
1. Identify the traffic to be subject to the policy (by IP addresses and transport-protocol port numbers).
2. Create the policy, which specifies the action that permits, denies, or otherwise manipulates the traffic and/or the way it is handled.
3. Activate the policy by applying it to an interface (or globally).

A

1. class-map
2. policy-map
3. service-policy

9
Q

Template used to identify a traffic flow by using the match command. A traffic flow is a set of traffic that is identifiable by its packet content. The class-map identifies the traffic that you want to associate one or more policies with.

A

class-map

10
Q

Used to associate one or more actions with a class of traffic. Consists of a list of policies, each of which references a class map.

A

policy-map

11
Q

Used to enable a set of policies on an interface or all interfaces.

A

service-policy

12
Q

Supported class maps:

A

Layer 3/4
Inspection (Layer 7)
Regular expressions (e.g. “ftp://”)
Management

13
Q

When using class maps, you are required to use _________ to identify the devices and/or services, such as a particular FTP server.

A

a Layer 3/4 class map

14
Q

Includes all default application inspection traffic, which is about a dozen and a half protocols such as ftp, rpc, ils, and so on (each on its standard port).

A

default-inspection-traffic

15
Q

Matches on the specified ____ values in the IP header used for QoS.

A

DSCP

16
Q

Matches on the specified IP precedence values (the three high-order bits of the TOS byte) in the IP header, used for QoS; these bits overlap with the high-order bits of the DSCP field.

A

precedence

17
Q

Matches on a particular site-to-site connection or on a WebVPN or IPsec remote-access group.

A

tunnel-group

18
Q

Further qualifies the matching process when the configured policy is policing, e.g. rate-limiting remote-access users on a per-destination basis.

A

flow

19
Q

The ASA firewall inspects the entire FTP conversation on the FTP control port (TCP 21) and, when it sees the client's PORT command, automatically allows the corresponding inbound data connection from the server to the port the client advertised.

A

Active-mode FTP

20
Q

____. When it is time to open a data session, instead of sending the PORT command to the server, the client sends a ____ command to the server.

If the FTP server supports passive mode, it opens a random port of its own and responds to the client with a ____ reply that includes the number of the TCP port it just opened; the client then opens the data connection outbound to that port.

A

Passive-mode FTP

PASV

227 "Entering Passive Mode" (the server-side counterpart of the client's PORT command; it carries the server address and port in the same h1,h2,h3,h4,p1,p2 encoding)
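The two cards above describe what the appliance's FTP inspection engine has to do on the control channel: read the PORT command or the 227 reply, decode the advertised address and port, and open a temporary hole for exactly that data connection (inbound from the server in active mode, outbound from the client in passive mode). The following is an added example, written for this page and not code from the flashcards or from Cisco, that replays a constructed control-channel transcript and returns the pinholes a stateful firewall would open. The session lines, addresses and ports are made up, and the refusal of a PORT address that is not the client's own is the classic FTP-bounce check that inspection engines apply.

```python
"""What FTP inspection does on the control channel (TCP/21).

Added example; it is not code from the flashcards or from Cisco. The session
below is constructed, and the addresses/ports in it are made up.

Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER opens the
data connection from its port 20 to the client's advertised port, so a
stateful firewall must open a temporary inbound hole for that exact flow.
Passive mode: the client sends "PASV", the server answers
"227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the CLIENT opens the data
connection outbound to the server's advertised port.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# h1,h2,h3,h4 = IPv4 octets; port = p1*256 + p2 (RFC 959 encoding)
HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """One data connection the firewall must temporarily permit (TCP)."""
    src_ip: str
    src_port: Optional[int]   # None: any ephemeral port
    dst_ip: str
    dst_port: int
    direction: str            # "inbound" (server->client) or "outbound" (client->server)


def decode_host_port(text: str) -> Tuple[str, int]:
    """Extract the (ip, port) pair from a PORT command or a 227 reply."""
    m = HOST_PORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"byte out of range in {text!r}")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return ".".join(str(f) for f in fields[:4]), port


def inspect_control_channel(lines: List[str], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Replay control-channel lines ("C> ..." from the client, "S> ..." from the
    server) and return the pinholes a stateful firewall would open, in order.

    A PORT address that is not the client's own, or a 227 address that is not
    the server's, is refused: that is the classic FTP bounce attack."""
    pinholes: List[Pinhole] = []
    awaiting_227 = False
    for line in lines:
        who, _, msg = line.partition("> ")
        if who == "C":
            verb = msg.split(" ", 1)[0].upper()
            if verb == "PORT":
                ip, port = decode_host_port(msg)
                if ip != client_ip:
                    raise ValueError(f"PORT names {ip}, not the client {client_ip} (bounce attempt)")
                # The server will connect from tcp/20 to the client's listening port.
                pinholes.append(Pinhole(server_ip, 20, ip, port, "inbound"))
            elif verb == "PASV":
                awaiting_227 = True
        elif who == "S" and msg.startswith("227") and awaiting_227:
            ip, port = decode_host_port(msg)
            if ip != server_ip:
                raise ValueError(f"227 names {ip}, not the server {server_ip}")
            # The client will connect from an ephemeral port to the server's listening port.
            pinholes.append(Pinhole(client_ip, None, ip, port, "outbound"))
            awaiting_227 = False
    return pinholes


# Constructed control-channel transcript: one active-mode LIST, one passive-mode RETR.
SESSION = [
    "S> 220 ftp.example.test ready",
    "C> USER anonymous",
    "S> 331 Please specify the password",
    "C> PASS guest@",
    "S> 230 Login successful",
    "C> PORT 192,168,1,10,4,1",                           # 4*256 + 1 = 1025
    "S> 200 PORT command successful",
    "C> LIST",
    "S> 150 Here comes the directory listing",
    "S> 226 Directory send OK",
    "C> PASV",
    "S> 227 Entering Passive Mode (203,0,113,5,195,89)",  # 195*256 + 89 = 50009
    "C> RETR file.bin",
    "S> 150 Opening BINARY mode data connection",
    "S> 226 Transfer complete",
]

if __name__ == "__main__":
    for hole in inspect_control_channel(SESSION, "192.168.1.10", "203.0.113.5"):
        print(hole)
```

Running the script prints one inbound pinhole (server 203.0.113.5:20 to client 192.168.1.10:1025) for the active-mode transfer and one outbound pinhole (client to server port 50009) for the passive-mode transfer; without inspection, the first of those would be dropped by an outside interface's access policy, which is why active-mode FTP through a firewall needs the control channel to be watched.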

21
Q

When more than one policy is associated with the class map, the policies are enforced in the following order :

A
1. Connection limits, connection timeouts, and TCP sequence number randomization
2. CSC card (Content Security and Control)
3. Stateful and application inspection
4. IPS card
5. Input policing
6. Output policing
7. Priority queuing
22
Q

Configuring a Traffic Class

A

fw1(config)# class-map CLASS_ALL
fw1(config-cmap)# match access-list INBOUND-MPF
fw1(config-cmap)# exit

Note: a Layer 3/4 class map accepts only one match command (the exceptions are match tunnel-group and match default-inspection-traffic, which may be combined with one other match), so match port tcp eq http and match access-list cannot both be used in the same class map; put the port condition in the access list instead.

23
Q

Associating a Traffic Class with an Action

A
fw1(config)# policy-map INT_POL
fw1(config-pmap)# class COMM
fw1(config-pmap-c)# set connection conn-max 800

(COMM is a Layer 3/4 class map that must already have been defined with class-map.)
24
Q

Applies the policy map to the outside interface

A

fw1( config )# service-policy INT_POL interface outside

25
Q

The security appliance configuration contains a preconfigured ________ that enables inspection of certain applications on all interfaces

A

policy map (global_policy), applied to all interfaces with service-policy global_policy global

26
Q

Default inspection policy names:

class-map
policy-map

A

inspection_default

global_policy
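The configuration snippets on cards 22 to 26 show the three MPF objects one at a time. The following is an added example, not configuration from the flashcards or from Cisco, that ties the whole procedure together on one ASA: a Layer 3/4 class map built from an access list, a policy map that applies connection limits and FTP inspection to that class, the interface service policy, and the default global policy beside it. The access-list, class-map and policy-map names, the server address and the limits are made up for illustration.

```cisco
! Added example (not from the flashcards or Cisco documentation). Names,
! addresses and limits are assumptions chosen for illustration.
!
! 1. Identify the traffic: a Layer 3/4 class map. It accepts only ONE match
!    command (match tunnel-group and match default-inspection-traffic are the
!    exceptions), so port and address conditions go into the access list.
access-list INBOUND-MPF extended permit tcp any host 203.0.113.10 eq ftp
class-map FTP_SERVER
 match access-list INBOUND-MPF
!
! 2. Create the policy: associate actions with the class. Connection limits
!    (an embryonic-connection cap guards the server against SYN floods) plus
!    FTP inspection, which opens the data-channel pinholes dynamically.
policy-map INT_POL
 class FTP_SERVER
  set connection conn-max 800 embryonic-conn-max 200
  set connection timeout embryonic 0:00:30
  inspect ftp
!
! 3. Activate the policy on the outside interface. An interface takes at most
!    one service policy; if a feature is configured both here and in the global
!    policy, the interface policy wins for traffic that matches it.
service-policy INT_POL interface outside
!
! The default global policy (cards 25 and 26) stays in place and still
! inspects default-inspection-traffic on every interface, including traffic
! on outside that does not match FTP_SERVER. Other default inspections are
! omitted here.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
!
! Verify that the policies are attached and watch per-class packet counters:
show service-policy interface outside
show service-policy global
```

The show service-policy output is the practical check that a class is actually matching: a class with zero packets after test traffic usually means the access list or the interface direction is wrong, not the policy map.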