An organization wants to secure traffic from their branch office to the headquarters building using Cisco Firepower devices.
They want to ensure that their Cisco Firepower devices are not wasting resources on inspecting the VPN traffic.
What must be done to meet these requirements?
Answer: A
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ravpn.html

To secure traffic between a branch office and a headquarters building, a Virtual Private Network (VPN) is often used. However, this encrypted traffic can consume resources on the Cisco Firepower devices that inspect network traffic for security purposes. To ensure that the Cisco Firepower devices are not wasting resources on inspecting VPN traffic, one of the following actions can be taken:
A. Configure the Cisco Firepower devices to bypass the access control policies for VPN traffic.
This approach creates an access control rule that exempts VPN traffic from inspection by not applying the inspection policies to it. The VPN traffic therefore bypasses the inspection policies, saving resources on the Cisco Firepower devices. However, this poses a security risk if the VPN traffic is compromised, since that traffic would then bypass the devices' inspection altogether.
B. Tune the intrusion policies in order to allow the VPN traffic through without inspection.
This approach modifies the intrusion policies on the Cisco Firepower devices so that VPN traffic passes through without being inspected. The benefit is that the VPN traffic is not blocked and no resources are spent inspecting it. However, it presents the same potential security risk as option A: if the VPN traffic is compromised, that traffic bypasses the devices' inspection altogether.
C. Configure the Cisco Firepower devices to ignore the VPN traffic using prefilter policies.
This approach configures prefilter policies on the Cisco Firepower devices to ignore the VPN traffic, which saves resources on the devices. It is similar to option A but more granular: prefilter policies classify traffic before it reaches the access control policy, so the decision is made before any inspection resources are spent on the flow. It may still pose a security risk if the VPN traffic is compromised.
D. Enable a FlexConfig policy to re-classify VPN traffic so that it no longer appears as interesting traffic.
This approach uses a FlexConfig policy to re-classify VPN traffic so that it is no longer flagged as interesting traffic, allowing the Cisco Firepower devices to ignore it and save resources. It is similar to option C but offers more control, since FlexConfig policies can modify the behavior of the devices directly. However, it may require more configuration effort than the other options.
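The point that options A and C turn on is where in the processing order the bypass decision is made: a prefilter rule acts on outer-header fields (IP protocol, ports, addresses) before the access control policy and its inspection engines ever see the flow, whereas an access control rule is evaluated by the policy that would otherwise inspect. The following Python model, added here as an illustration and not Cisco code or a Firepower configuration, simulates that ordering; the `Packet`, `PrefilterRule` and `Pipeline` classes, the rule name and the RFC 5737 sample addresses are all constructed for the example. It also shows the check a practitioner would want when fastpathing a tunnel: the rule is scoped to the two known VPN peers, so ESP arriving from an unknown peer still goes to the access control policy for inspection instead of being waved through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IP protocol numbers used by IPsec VPN tunnels and by ordinary traffic
ESP, AH, UDP, TCP = 50, 51, 17, 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0  # 0 = no transport port (ESP/AH)


@dataclass(frozen=True)
class PrefilterRule:
    """One prefilter rule, matched before the access control policy (ACP).
    action is "fastpath" (skip all further inspection), "block", or
    "analyze" (hand the flow to the ACP). Constructed for this example."""
    name: str
    action: str
    selectors: frozenset  # {(proto, dport_or_None), ...}
    peer_a: tuple         # ip_network objects for one tunnel endpoint
    peer_b: tuple         # ip_network objects for the other endpoint

    def matches(self, pkt: Packet) -> bool:
        proto_ok = any(p == pkt.proto and (dp is None or dp == pkt.dport)
                       for p, dp in self.selectors)
        if not proto_ok:
            return False
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        a_to_b = any(src in n for n in self.peer_a) and any(dst in n for n in self.peer_b)
        b_to_a = any(src in n for n in self.peer_b) and any(dst in n for n in self.peer_a)
        return a_to_b or b_to_a  # tunnel traffic flows in both directions


class Pipeline:
    """Toy model of the order of operations: prefilter first, then the ACP
    with deep (intrusion/file) inspection, modelled here as a counter."""

    def __init__(self, prefilter_rules):
        self.prefilter_rules = list(prefilter_rules)
        self.counters = {"fastpathed": 0, "blocked": 0, "inspected": 0}

    def process(self, pkt: Packet) -> str:
        for rule in self.prefilter_rules:
            if rule.matches(pkt):
                if rule.action == "fastpath":
                    self.counters["fastpathed"] += 1
                    return "fastpath"
                if rule.action == "block":
                    self.counters["blocked"] += 1
                    return "block"
                break  # "analyze": fall through to the ACP
        # Default prefilter action is analyze: the flow reaches the ACP and
        # consumes inspection resources.
        self.counters["inspected"] += 1
        return "inspect"


# Constructed sample: branch VPN peer 203.0.113.10, HQ VPN peer 198.51.100.1
# (RFC 5737 documentation addresses), one cleartext HTTP flow between the
# two LANs, and one stray ESP packet from a peer that is not part of the VPN.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.1", ESP),        # tunnel data, branch -> HQ
    Packet("198.51.100.1", "203.0.113.10", ESP),        # tunnel data, HQ -> branch
    Packet("203.0.113.10", "198.51.100.1", UDP, 500),   # IKE
    Packet("203.0.113.10", "198.51.100.1", UDP, 4500),  # IKE / NAT-T
    Packet("10.1.1.20", "10.2.2.50", TCP, 80),          # cleartext HTTP, still inspected
    Packet("192.0.2.5", "198.51.100.1", ESP),           # ESP from an unknown peer
]

BRANCH_HQ_TUNNEL = PrefilterRule(
    name="branch-hq-ipsec-fastpath",  # hypothetical rule name
    action="fastpath",
    selectors=frozenset({(ESP, None), (AH, None), (UDP, 500), (UDP, 4500)}),
    peer_a=(ip_network("203.0.113.10/32"),),
    peer_b=(ip_network("198.51.100.1/32"),),
)


def run_sample(with_fastpath_rule: bool) -> dict:
    """Process the sample packets with or without the tunnel fastpath rule
    and return the resulting counters."""
    pipe = Pipeline([BRANCH_HQ_TUNNEL] if with_fastpath_rule else [])
    for pkt in SAMPLE_PACKETS:
        pipe.process(pkt)
    return dict(pipe.counters)


if __name__ == "__main__":
    print("without prefilter rule:", run_sample(False))
    print("with fastpath rule:    ", run_sample(True))
```

Running it shows all six packets reaching inspection without the rule, and with the rule the four packets belonging to the known branch-to-HQ tunnel fastpathed while the cleartext HTTP flow and the ESP packet from the unknown peer are still inspected. Scoping the rule to peer addresses rather than to "all ESP" is what keeps the resource saving from turning into a blanket exemption.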
In summary, to ensure that Cisco Firepower devices are not wasting resources on inspecting VPN traffic, one can use any of the above approaches. However, the organization should weigh the potential security risks associated with each approach and choose the one that best suits their needs.