Which statement about application inspection of SAF network services on an adaptive security appliance is true?
Click on the arrows to vote for the correct answer
A. B. C. D. E.C.
The Adaptive Security Appliances do not have application inspection for the SAF network service.
When Unified CM uses a SAF-enabled H.323 trunk to place a call, the ASA cannot inspect the SAF packet to learn the ephemeral port number used in the H.225 signaling.
Therefore, in scenarios where call traffic from SAF- enabled H.323 trunks traverses the ASAs, ACLs must be configured on the ASAs to allow this signaling traffic.
The ACL configuration must account for all the ports used by the H.225 and H.245 signaling.
References: Cisco Collaboration 9.x Solution Reference Network Designs (SRND) page 4-34
SAF (Service Advertisement Framework) is a Cisco networking protocol used for advertising and discovering network services. Application inspection of SAF network services on an adaptive security appliance involves monitoring and controlling the traffic that flows through the appliance to ensure network security and performance.
Option A states that the adaptive security appliance can inspect and learn the ephemeral port numbers used by H.225 and H.245 on SAF-enabled H.323 trunks. This statement is true. The adaptive security appliance can inspect the H.225 and H.245 protocols used by SAF-enabled H.323 trunks and learn the ephemeral port numbers used by these protocols.
Option B states that an explicit ACL must be configured on the adaptive security appliance for SAF-enabled SIP trunks. This statement is false. An explicit ACL (Access Control List) is not required for SAF-enabled SIP (Session Initiation Protocol) trunks. However, an ACL can be configured to provide additional security for SIP traffic.
Option C states that an explicit ACL must be configured on the adaptive security appliance for SAF-enabled H.323 trunks to account for ephemeral port numbers used by H.225 and H.245. This statement is partially true. An explicit ACL can be configured on the adaptive security appliance for SAF-enabled H.323 trunks to account for ephemeral port numbers used by H.225 and H.245.
Option D states that the adaptive security appliance can inspect and learn the ephemeral port numbers used by H.225 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined. This statement is partially true. The adaptive security appliance can inspect and learn the ephemeral port numbers used by H.225 on SAF-enabled H.323 trunks, but the H.245 ports can also be learned automatically by the appliance.
Option E states that the adaptive security appliance provides full application inspection for SAF network services. This statement is false. While the adaptive security appliance provides application inspection for SAF network services, it does not provide full application inspection.
In summary, Option A is the only true statement. The adaptive security appliance can inspect and learn the ephemeral port numbers used by H.225 and H.245 on SAF-enabled H.323 trunks. Option B is false, and Options C, D, and E are partially true.