Which statement about application inspection of SAF network services on an adaptive security appliance is true?
Click on the arrows to vote for the correct answer
A. B. C. D. E. F.C.
The Adaptive Security Appliances do not have application inspection for the SAF network service.
When Unified CM uses a SAF-enabled H.323 trunk to place a call, the ASA cannot inspect the SAF packet to learn the ephemeral port number used in the H.225 signalling.
Therefore, in scenarios where call traffic from SAF- enabled H.323 trunks traverses the ASAs, ACLs must be configured on the ASAs to allow this signaling traffic.
The ACL configuration must account for all the ports used by the H.225 and H.245 signaling.
The question is asking about the application inspection of SAF (Service Advertisement Framework) network services on an adaptive security appliance, which is a type of network security device that provides firewall and VPN services.
SAF is a Cisco protocol that enables the exchange of information between different network services, such as call control and directory services. The adaptive security appliance can inspect SAF traffic to ensure that it meets the security policies defined on the device.
Answer A states that the adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 and H.245 on SAF-enabled H.323 trunks. H.225 is a protocol used for call setup and signaling in H.323 networks, while H.245 is used for control signaling. Ephemeral port numbers are randomly assigned port numbers used for temporary connections. This statement is true, as the adaptive security appliance can learn and inspect these port numbers to ensure that the traffic is valid and meets security policies.
Answer B states that an explicit ACL must be configured on the adaptive security appliance for SAF-enabled SIP (Session Initiation Protocol) trunks. SIP is another call control protocol used in Voice over IP (VoIP) networks. This statement is not related to the inspection of SAF network services, so it is incorrect.
Answer C states that an explicit ACL must be configured on the adaptive security appliance for SAF-enabled H.323 trunks to account for ephemeral port numbers that are used by H.225 and H.245. This statement is similar to answer A, but it specifies that an explicit ACL must be configured. However, this statement is not entirely accurate, as the adaptive security appliance can learn and inspect the ephemeral port numbers without the need for an explicit ACL.
Answer D states that an explicit ACL must be configured on the adaptive security appliance for SAF-enabled H.323 trunks to account for ephemeral port numbers that are used by H.225 and H.245. This statement is similar to answer C and is also not entirely accurate.
Answer E states that the adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined. This statement is partly true, as the adaptive security appliance can inspect and learn the ephemeral port numbers used by H.225, but it does not need explicit definitions for H.245 ports.
Answer F states that the adaptive security appliance provides full application inspection for SAF network services. This statement is incorrect, as the adaptive security appliance does not provide full application inspection for SAF network services. Instead, it can inspect and learn the necessary information to ensure that the traffic meets security policies.
In summary, answer A is the correct statement, as the adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 and H.245 on SAF-enabled H.323 trunks. Answers B, C, D, and F are incorrect, and answer E is partly true but not entirely accurate.